Vendor Risk Management & Third-Party Security

Assessment for third-party vendor security, risk assessments, business associate agreements, and vendor lifecycle management

Applies to: All, Healthcare, Biotech, Pharma, Finance (18 questions)

1. Vendor Selection & Due Diligence

Is vendor risk tiering performed based on data sensitivity and criticality?*

Risk tiers: Critical (PHI/PII access), High (network access), Medium (limited data), Low (no sensitive data); assessment depth varies by tier

Are vendor security questionnaires (SIG, CAIQ, custom) required before contracting?*

Questionnaires: Standardized Information Gathering (SIG), Consensus Assessments Initiative Questionnaire (CAIQ), domain-specific

Is financial stability assessed to ensure vendor viability (Dun & Bradstreet, financial statements)?*

Financial due diligence: Credit rating, bankruptcy risk, insurance coverage, escrow for source code

2. Security Assessments

Are SOC 2 Type II reports obtained and reviewed annually for cloud/SaaS vendors?*

SOC 2: Service Organization Control report, Type II includes testing over 6-12 months, review exceptions and management responses

Is penetration testing or vulnerability scanning performed for critical vendors?*

Security testing: Annual pentest for critical vendors, continuous vulnerability scanning, remediation timelines for findings

Are vendor security certifications validated (ISO 27001, HITRUST, FedRAMP)?*

Certifications: ISO 27001 (international standard), HITRUST CSF (healthcare), FedRAMP (government), verify scope and validity

3. Contracts & BAAs

Are Business Associate Agreements (BAA) executed with all HIPAA-covered vendors?*

BAA requirements: Permitted uses/disclosures, safeguards, breach notification (within 60 days), subcontractor agreements

Do contracts include security requirements (encryption, access control, audit rights)?*

Security clauses: Data encryption at rest/transit, MFA, logging, right to audit, incident notification, indemnification

Are Data Processing Agreements (DPA) executed for GDPR-covered international vendors?*

DPA/GDPR: Standard Contractual Clauses (SCC) for EU data, UK Addendum, data localization, cross-border transfer mechanisms

4. Ongoing Monitoring

Are vendor security assessments refreshed annually or upon significant changes?*

Reassessment triggers: Annual review, service changes, breach/incident, certification expiration, M&A activity

Is vendor performance monitoring conducted with KPIs/SLAs tracked?*

Performance metrics: Uptime SLA, response time, issue resolution, security incident rate, compliance attestations

Are vendor security incidents and breaches tracked in a centralized risk register?*

Incident tracking: Vendor breach notifications, impact assessment, remediation verification, contract review

5. Incident Response & Remediation

Is the vendor's incident response plan integrated with the institutional incident response plan?*

IR coordination: Vendor notification requirements (24-hour), escalation procedures, communication protocols, joint exercises

Are vendor breaches reported to the institution within the contractual timeframe (typically 24-72 hours)?*

Breach notification: Vendor obligation to notify, timeline in contract, required information (scope, affected data, remediation)

Are corrective action plans (CAP) required and tracked for vendor security deficiencies?*

CAP: Vendor remediation timeline, milestone tracking, verification testing, escalation for missed deadlines

6. Vendor Offboarding

Is data return or destruction verified upon vendor contract termination?*

Offboarding: Data return in usable format, Certificate of Destruction for retained copies, verify deletion from backups

Are vendor access credentials revoked immediately upon termination?*

Access removal: VPN, application accounts, physical access, API keys, SSH keys; verify in access logs
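The "verify in access logs" step above can be automated. The following is an added example (not part of the original checklist) that reads a constructed, simplified log format, confirms that each credential on the offboarding list has a logged revocation, and flags any successful vendor login after the termination timestamp. The log format, vendor identities and timestamps are all constructed for illustration.

```python
"""Offboarding check: confirm vendor credentials are revoked and that no
vendor identity authenticates after the termination date.

Added example, not part of the original checklist. The log format and the
vendor identities below are constructed for illustration."""
from datetime import datetime, timezone

# Constructed sample log lines:
#   "<ISO timestamp> <system> <event> <principal> <outcome>"
SAMPLE_LOG = """\
2024-03-01T09:12:00Z vpn login svc-acmevendor success
2024-03-01T17:00:00Z vpn revoke svc-acmevendor success
2024-03-01T17:02:00Z app revoke acme.analyst@vendor.example success
2024-03-01T17:05:00Z api revoke key-acme-7f3a success
2024-03-02T08:30:00Z vpn login svc-acmevendor denied
2024-03-02T10:15:00Z ssh login acme-deploy success
2024-03-03T11:00:00Z app login acme.analyst@vendor.example denied
"""

# Vendor credentials the offboarding checklist says must be revoked,
# keyed by the system that issued them (constructed values).
VENDOR_CREDENTIALS = {
    "vpn": {"svc-acmevendor"},
    "app": {"acme.analyst@vendor.example"},
    "api": {"key-acme-7f3a"},
    "ssh": {"acme-deploy"},
}

# Contract termination time (constructed).
TERMINATED_AT = datetime(2024, 3, 1, 17, 0, tzinfo=timezone.utc)


def parse_log(text):
    """Parse the constructed log format into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, system, event, principal, outcome = parts
        try:
            when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        except ValueError:
            continue
        events.append({"when": when, "system": system, "event": event,
                       "principal": principal, "outcome": outcome})
    return events


def post_termination_access(events, credentials, terminated_at):
    """Successful logins by any vendor credential after termination.

    Denied attempts are ignored here (they show the revocation worked);
    each finding is (system, principal, ISO timestamp)."""
    findings = []
    for e in events:
        if (e["event"] == "login" and e["outcome"] == "success"
                and e["when"] > terminated_at
                and e["principal"] in credentials.get(e["system"], set())):
            findings.append((e["system"], e["principal"], e["when"].isoformat()))
    return findings


def revocation_gaps(events, credentials):
    """Checklist credentials with no successful 'revoke' event in the log.

    Returns a sorted list of (system, principal)."""
    revoked = {(e["system"], e["principal"]) for e in events
               if e["event"] == "revoke" and e["outcome"] == "success"}
    return sorted((system, p) for system, principals in credentials.items()
                  for p in principals if (system, p) not in revoked)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("post-termination access:",
          post_termination_access(evs, VENDOR_CREDENTIALS, TERMINATED_AT))
    print("revocation gaps:", revocation_gaps(evs, VENDOR_CREDENTIALS))
```

On the sample data the SSH deploy key is the only credential with neither a logged revocation nor a blocked login, and it is also the one that authenticates successfully the day after termination; both checks point at the same gap, which is the kind of evidence an offboarding sign-off should require. In a real environment the parser would be replaced by whatever the SIEM or identity provider exports, and the credential inventory would come from the vendor's access records rather than a hand-written dict.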

Is institutional data removed from vendor systems with verification?*

Data removal: Documented deletion, Certificate of Destruction, validate via audit logs or attestation
