Business Cases

Third Party Information Privacy

Triplicity provides detailed questionnaires on data protection, in line with international privacy legislation. This enables you to assess third party data protection controls and governance.

Third Party Risk Management (TPRM) requires assurances that third-party vendor risk is being assessed, managed or monitored appropriately.

Businesses are sharing sensitive data with third parties that have poor security policies. Most of these businesses aren’t able to determine if vendors’ safeguards and security policies are sufficient to prevent a data breach, while others are unable to track and verify third party data protection safeguards and security policies in a co-ordinated, scalable and repeatable manner.

Private and listed companies alike need to strengthen their governance practices to manage their third-party vendor risk programmes. The aim is to automate and streamline the programmes into highly effective tools that track the risk ratings and compliance of all third-party vendors over time.

The TPRM programme should regularly report to the risk management committee with recommendations. In turn, the committee should deliver a high-level TPRM report to the board of directors, complete with detailed assurance documentation. In the event of a third-party breach, the board will therefore have a detailed history at their disposal, and will be able to act appropriately.

What is data protection?

Individuals, citizens, consumers and legal entities need to have a way to exercise their right to privacy and ensure protection from information abuse — in particular when the data is special personal information.

International and regional laws relating to personal data protection include:

  • General Data Protection Regulation (GDPR)
  • Protection of Personal Information Act (POPIA)
  • Health Insurance Portability and Accountability Act (HIPAA Privacy)
  • Australian Privacy Act 1988

Triplicity addresses the challenge

In managing third parties that process data on your behalf, it’s best to confirm that you have the following in place contractually:

  • The right to audit, in all contracts with all third parties
  • All third parties will abide by international or regional privacy legislation
  • A limit to the processing of personal information by the third party
  • The third party has a privacy strategy suited to your organisation

Triplicity has data protection questionnaires to help you assess a third party’s readiness and compliance. It also provides you with a central, ongoing view of your third parties’ privacy compliance. We map the controls and questions to the ISO 27001 information security framework.

Relationship between privacy and information security

Information Security (IS) is critical in ensuring the protection of personal information, especially with the growing reliance placed on Information and Communication Technologies (ICT) to enable key business processes.

The table below defines the IS controls and how they are associated with data protection. The controls are based on leading practice as well as regulatory guidelines and codes, and provide a reference framework for implementing IS controls that align with the requirements of international data protection legislation.

Relationship Between Privacy Conditions and Information Security

Each entry below gives the data protection condition, a summary of the condition, and the related IS controls.

Accountability
Condition summary: Responsible parties must ensure that the conditions of data protection legislation are complied with.
Related IS controls:
  • Established IS roles and responsibilities (organisation of IS and appropriate oversight from board level).
  • Creation, embedment, enforcement and review of IS policies (e.g. acceptable use, mobile device, user access and information breach management policies).
  • Compulsory IS training and awareness.
  • Independent risk reviews of the IS environment on a periodic basis.
  • Certification against the ISO 27000 series or other internationally recognised security standards.

Processing limitation
Condition summary: Personal information may only be processed in a fair and lawful manner, with the consent of the persons providing their personal information.
Related IS controls:
  • Data classification to support record retention, access management and user activity restrictions.
  • Inventory of information assets to support record discovery, maintenance and destruction.
  • Record retention procedures aligned with organisational retention requirements.
  • Procedures to manage disposal of media/IT assets.
  • Appropriate Identity and Access Governance (IAG) controls are implemented, enforced and reviewed.
  • Security relating to systems collecting and storing personal information and consent/preference.
  • System test environments use anonymised data.

Purpose specification
Condition summary: Personal information may only be processed for specific and legitimate purposes.

Further processing limitation
Condition summary: Personal information may only be processed if it is in line with the original purpose. Alternatively, consent must be obtained from the person for further processing.

Information quality
Condition summary: Organisations must put reasonable measures in place to ensure the quality of the personal information they process.
Related IS controls:
  • Formal data governance structure established.
  • Input validation controls implemented on systems involved in the collection of personal information.
  • Record retention procedures aligned with organisational retention requirements.
  • Database/system clean-ups are performed periodically to identify redundant and inaccurate information.
  • Information backups are completed and secured as required to ensure availability and integrity of information.
  • Formal change control procedures and restrictions manage changes to systems or software.

Openness
Condition summary: Organisations must keep a formal record of the personal information they process.
Related IS controls:
  • Formal and up-to-date inventory of information assets is maintained.
  • Event logs are maintained, monitored and safeguarded.
  • Security and privacy incident management procedures.

Security safeguards
Condition summary: Organisations must ensure that reasonably practical controls are in place to safeguard the personal information they process. This includes:
  • ensuring confidentiality, integrity and availability of information
  • appropriate management of third parties that process personal information on behalf of the organisation
  • appropriate information breach management and notification procedures
Related IS controls:
  • Physical security controls are in place to protect information assets (e.g. locked cabinets, access-controlled offices).
  • Vulnerability management (detective, preventative and corrective controls).
  • Appropriate Identity and Access Governance (IAG) controls are implemented, enforced and reviewed.
  • Mobile Device Management policies and procedures are implemented, enforced and reviewed.
  • Removable media management policies and procedures.
  • Procedures in place to manage disposal of media/IT assets.
  • Data Leakage Prevention (DLP) techniques.
  • Security and privacy incident management procedures.
  • Encryption on end-user devices and at the operational level (information at rest and in transit).
  • Third parties are appropriately managed (including signing of contracts, due diligence checks and security assurance).

Data subject participation
Condition summary: Persons can request access to their personal information and update, delete or destroy their personal information held by an organisation.
Related IS controls:
  • Formal and up-to-date inventory of information assets is maintained (electronic and IT assets).
  • Security relating to systems collecting and storing personal information and consent/preference.


NOTE: IS controls may apply to several data protection conditions.

NOTE: Implementation of the controls, policies and procedures listed in this document does not guarantee compliance with local or international privacy legislation. Organisations should align privacy-related security controls with their information risk assessment, strategic objectives and the regulatory requirements applicable to their country, industry or organisation.


Triplicity simplifies, automates and leverages business intelligence, giving you a powerful vendor risk management solution that not only does the job properly but also saves you time and money in the process.