Managing Third-Party Risk: Compliance-Centric Considerations

December 2, 2020

The regulatory landscape is in a constant state of change in order to adapt to new technologies and emerging processes. Unfortunately, many businesses struggle to keep up with the pace. According to a global risk management report, 57% of senior-level executives rank “risk and compliance” as one of the top risk categories they feel least prepared to address. These regulatory upgrades can be tremendously challenging for businesses to keep up with; and that’s without considering the added complexity of third-party risk management.

However, there is good news here too: third-party risk management can, in fact, be a requirement of data protection regulations and standards, including the EU’s General Data Protection Regulation (GDPR) and the security standard ISO/IEC 27001.

Ultimately, effective third-party risk management must be done with compliance in mind.

Third-Party Risk Management and Regulations and Standards

  • GDPR: The GDPR sets out requirements on third-party data processors. It is the responsibility of an organization to check the security and privacy practices of third parties. This includes not engaging a sub-processor without prior approval, and handling data appropriately during disengagement.
  • ISO27001: ISO/IEC 27001, Section A15, sets out five controls that cover supplier relationships and security.
  • HIPAA (Health Insurance Portability and Accountability Act): The HIPAA Omnibus Rule extends the protection requirements for Protected Health Information (PHI) to any business associate that handles health data.

General Help with Compliance

Help to establish policies and information security across a third-party ecosystem is available in the form of frameworks and guidance documents.

  • NIST 800-53 “Security and Privacy Controls for Information Systems and Organizations”: A framework of security controls for U.S. federal information systems. However, it applies to other sectors too. The document links to the steps advised by NIST’s Risk Management Framework. A number of sections address the management and expectations of external service providers.
  • Data and technology governance - mapping to data lifecycle and third-party users: The general area of governance is covered via ISO standards. Analysts such as Business Application Research Center (BARC) also offer advisories on data governance and third parties.
  • Security awareness: Training should be carried out across an extended third-party ecosystem to educate all on technology and security.
  • Policy documents to reflect compliance and third parties: Incorporate third-party expectations into strategic security policies.
  • Rely on experts: Leverage reputable vendors and solutions that can support third-party risk management and compliance efforts.

Anomalix and Compliance

The patent-pending idGenius platform by Anomalix is a leader in its space partly because the platform was built with compliance in mind. Simply put, compliance is built into idGenius rather than bolted on. Moreover, the platform’s structure is prepared to adapt as industry changes occur in regulatory compliance over time.

In fact, as your organization matures towards a Zero Trust model, idGenius adapts to the current compliance landscape, integrates guardrails around HIPAA, SOC 2, etc., and ultimately lowers compliance costs as well as operational risk.

Anomalix is the first and only trusted identity management solution provider in the world and it does all that and more. 

Anomalix’s patent-pending, purpose-built, trusted identity management system elegantly automates both lifecycle and risk management for non-employee / third-party individuals and services.  

If you’d like to learn more about how Anomalix’s world-class solutions can help your business, contact us for a demo.  


Mohammed Elkhatib

Founder and CEO

Mohammed is an Identity Management and Access Governance thought leader with over 16 years of Information Security experience and over 20 years of IT and Business experience. Mohammed has worked with over 500 Identity Management and Access Governance clients. Mohammed’s significant and numerous contributions at the most successful Identity and Access related startups have led to three successful exits in excess of $825MM.
