Third Party Security Regulations

Regulation & Standard for Better Vendor Risk Management

Vendor risk management in organizations today is driven partially by fear of loss, but also through regulations. However, some of the more proactive organizations are managing this issue through the lens of protecting supplier relations as part of their corporate business strategy. Consider our point of view on supply chain, risk management as closely related to some of the original concepts learned in the “beer game” often used to demonstrate a need for working closely with suppliers to de-risk suppliers through aiding in managing logistical inefficiencies.
If you are considering building a business case, consider using the following regulations and standards that support having a good third party risk program. Graphic Provided by Ignyte Assurance Platform^TM.

• HIPAA Security Rule — If you own, manage, or even exchange using any protected health information (PHI), you most likely fall in to a category known as “Covered Entity” or a “Business Associates.” Business Associates are often suppliers of healthcare systems (Covered Entities) that now have to follow the same rules as healthcare institutions.
• OCC Bulletins — The Office of the Comptroller of the Currency (OCC) has issued several bulletins, such as OCC Bulletin 2013-29, etc., that specifically set expectations squarely on shoulders of executive management in managing supplier risk holistically. In recent years, these bulletins have gone from general guidance to specifics covering cybersecurity risk management concerns.
• PCI-DSS — Though this is not a federal regulation, it is an industry-wide, self-regulation mechanism designed to secure credit card processing operations. If your organization manages credit card data, processes credit cards, or your third parties conduct this function on behalf of your organization, then your organization is expected to manage the third party relationship. This was introduced into “version 3” of PCI-DSS standard.
• DFARS Subpart 204.73 — This standard applies to federal and defense suppliers working with the government that store or manage Controlled Unclassified Information (CUI). DFARS provides a set of “basic” security controls for contractor information systems. DFARS regulation is implemented through NIST SP 800-171.
• NIST Cyber Security Framework Version 1.1 — The NIST CSF was introduced as a voluntary standard broadly applicable to many industries across the United States. The standard is now on its way to being updated with significant content and categories that add requiring organizations to assess their vendor assurance program security.

The above are some of the most prominent regulations used to often develop a business case on why we should develop a vendor risk program. However, organizations that are working past the regulations on managing vendor risk are most often in a better position to not only help their vendors in cyber maturity, but also minimizing impact to their own operations.

To learn more about details and specifics of these regulations, check out the The fundamentals of common controls security frameworks page for additional details.