What are effective strategies for securing data shared with third-party vendors?

1. Have strong governance mechanism at the top. 2. Include TPRM as part of Risk Management Policy for Secuity of data throughout vendor lifecycle. 3. Have a Risk Cenric due diligence process. Risk should be driven bases the criticality and sensitivity of data being shared with the Third party. 4. Refrain engaging with vendors not committing to remediate the risk during the Due Diligence process. 5. Have strong Agreement with Security clauses. 6. Establish KPI and KRI and monitor the performance closely through continuous risk monitoring through BitSight etc. 7. All integrations to go through Architecture review for security. 8. Strong offboarding plan to ensure data security and retention scenarios in case of a vendor offboarding

Assessing data sharing vendors vendors requires the implementation of a program that considers the numbers of vendors and your available resources to assess them annually. Use the following approach: 1) Inventory and categorize vendors based on access level to data and systems. 2) Determine requirements (e.g., requires controls) for each vendor risk category 3) Determine resources you can expend on each assessment (e.g., 4 hours or 2 days effort per vendor at the most critical level) 4) create an assessment routine within the confines of your metrics in step 3). The routine should specify the method by which you will obtain assurance that the controls are met (e.g., questionnaire, interview, test, site assessment)

A one size fits all approach will not be recommended here. Ideally you should have a wholistic approach that will cater for all use cases, but in practical situations depending on maturity of the organisation this may not be the case. Data should be classified to start with and that is what should drive type of protection you would deploy when sharing. Also vendors should be assessed and based on risk profiles you can determine extents of requirements when sharing information or data of different classifications. The level of partnership and level of organisation integration can also drive how data are shared. Encryption technologies with controlled access for people who can decrypt the information and automatic ageing of data will do

It is crucial for organizations to review their internal security standards and setup a baseline for security. This standard should consider inputs from various regulations and standards (Security, Privacy, Finance etc..). Security posture of Third-Parties will be evaluated against this standard. So, from the get go it makes it easy to identify non-compliance & risks. Well-defined & comprehensive policies, processes, SOPs to be implemented, adhered to & audited Security Due Diligence to be performed more often annually & not once Establish KPIs & KRIs catering to Senior Management, CISO, Board and Audit 4th and 5th parties to be factored in to protect companies from downstream liability Focus on increasing the maturity of the TPRM program.

Do not fall into trap of assessing vendors or collecting SOC2 reports or ISO certifications. These are traditional practices and do not work in the modern world. 1.First thing first introspect what assets of yours are accessed by the vendor. Try and minimize them to what is essential. 2. Review vendor security profile,. Leverage threat intelligence or dark web information to get an understanding of what security profile looks like 3. Based on what you identify ask for artefacts. Only if Point 1 tells you the vendor is critical then only evaluate the need for assessments

Stipulate the length of service, penalties for non-compliance, and compliance with the company's internal policies, be they security or otherwise. Data must be shared taking into account the Lest privilege process and in the case of internal access, for example to an Activive Director, follow a standard such as RBAC. I always recommend following a framework such as NIST-7316 or physical access if the contract includes the presence of the employee providing the service.

Defining clear and comprehensive data sharing agreements is pivotal for securing data with our third-party vendors. These agreements establish a robust framework by specifying the scope, purpose, and duration of data sharing, as well as delineating roles and responsibilities. Crucially, they outline data types, formats, encryption methods, and retention policies. Incorporating terms for auditing, monitoring, and reporting enhances transparency. Including penalties for violations underscores the seriousness of compliance. In essence, these agreements act as our contractual roadmap, ensuring alignment between parties and reinforcing our commitment to data security standards.

Data sharing agreements help to clearly define the scope of activities in terms of data with the vendor. What is the purpose of data sharing, what type of data is shared, how will it be used, how long will it be stored, how will it be deleted, how is data integrity maintained, who has access to the data shared, non-disclosure clauses, does the vendor intend to share this data with any of their vendors, how will the data be secured on vendor premises, etc are some of the key important questions that need to be answered, documented, agreed-upon and signed off upon. This may involve multiple teams like: infoSec, privacy, legal, data security, vendor risk management, etc

Clearly define security requirements in contractual agreements. Include provisions for data protection, encryption, access controls, and compliance with relevant regulations.

A data sharing agreement needs to identify what data points will be shared and a minimum set of controls (i.e., physical, administrative, and technical) to protect that data including how long it is to be retained and deleted when the retention timeframe is met. If the data to be shared is PII, then the same requirements the company agrees with the individual must be passed to the third party to ensure end-to-end compliance to that agreement and any relevant legislation, regulation, or directive.

Implement DLP and CASB solutions to become familiar with your organization's data movements. This critical knowledge will help you understand the types of data shared with third-parties, how the data flows, and who the main owners are. For example, with this insight, you can apply prevention controls on the fly. These controls enable dynamic adjustments to evolving data usage patterns and external threats. Furthermore, by integrating DLP and CASB with other security solutions like SIEM and UEBA, you enhance your security posture. This integration not only aids in identifying anomalies but also in automating response mechanisms, allowing for more effective and efficient security operations.

Even before sharing data, it is important to first understand the business requirement. Based on this, the minimum amount of data should be provided to meet that requirement. Sensitive data should not be shared at all and can be shared in an aggregated or anonymized format which does not reveal PII nature of data. Other methods involve: tokenization, masking, obfuscation, etc. Data should be encrypted in transit and secure mechanisms should be used for transfer. Once transferred, the data must be stored in encrypted format with tight access control. Once the business purpose has been met, the data should be deleted. It is important that these specifics be outlined and mentioned in all contractual agreements.

é crucial implementar medidas de prote??o de dados para garantir a seguran?a das informa??es compartilhadas. A classifica??o de dados, baseada em sensibilidade e valor, permite controle de acesso diferenciado. A criptografia, tanto em transito quanto em repouso, com algoritmos robustos, é essencial. Anonimizar ou pseudonimizar dados antes do compartilhamento, especialmente os pessoais, é recomendado. Compartilhe apenas a quantidade mínima de dados necessária, evitando informa??es irrelevantes, redundantes ou desatualizadas. Essas práticas asseguram a integridade e confidencialidade dos dados compartilhados.

1?? Formalize data sharing agreements with vendors, explicitly outlining expectations and responsibilities regarding data security. 2?? Classify your data and categorize information based on sensitivity and value. Apply role-based access controls. 3?? Encrypt data in transit and at rest to safeguard information from unauthorized access. 4?? Implement anonymization or pseudonymization techniques to mitigate privacy risks. 5?? Share minimal data, and only for the intended purpose. Don't transmit irrelevant, redundant, or outdated data, reducing the possibility of any data compromise. Be Diligent and transparent, regularly review and update data protection measures with vendors, ensuring alignment with evolving standards and regulations.

Enforce the use of encryption for data both in transit and at rest. This safeguards data from unauthorized access during transmission and storage. Implement strict access controls to ensure that third-party vendors have access only to the data necessary for their specific tasks. Regularly review and update access permissions.

I find that annual risk assessments and data audits help with identifying any gaps that can potentially harm my company. Unplanned checks are also a great way to keep the vendors compliant. If your vendor is required to be compliant with a framework or regulation, remember to check the validity expiration, and always review the periodic VAPTs and cloud reviews to avoid ugly surprises. It is important to build trust and transparency. Unless you respect your vendor and have a positive bias, they won't probably respond with transparency. This also says a lot about your vendor selection process and expectation setting.

Regular monitoring and auditing of data sharing with third-party vendors are vital for maintaining data privacy. Implement systems that track data flows, access logs, and usage patterns. Regularly review reports and ensure vendor compliance with data sharing agreements and protection measures. Periodic audits of vendors' security practices are crucial to identify and address potential gaps. This proactive approach safeguards data privacy and aligns with best practices in data management.

I agree with the previous advice, but would like to add that the data sharing agreement must include a mandatory requirement to notify the company when there has been an incident, even if no data was leaked as it will identify weaknesses in the third party's defenses. This information can be used to decide if the agreement should be retained, or not, depending on the details of the incident.

Regular monitoring and auditing of data sharing activities with third-party vendors are paramount. Utilize tools and systems capable of tracking and recording data flows, access logs, and usage patterns by vendors. Analyze reports and feedback from vendors, ensuring compliance with data sharing agreements and protection measures. Conduct periodic audits and assessments of vendors' security performance and practices. Identify and address any gaps or issues promptly to maintain a robust data protection framework. This ongoing scrutiny is essential for sustaining a secure and trustworthy data-sharing environment.

Consider a broader spectrum of aspects to include in the monitoring - such as security performance and zero day vulnerabilities. True supply chain attacks are recently tuned to weaker vendors and zero days.

When NIS2 applies but more in general, specify incident communication through your supply chain, ensuring you comply with the terms specified in applicable regulations. Monitor your vendors to increase your resilience and lower the dependence of your vendor's capability to communicate the impact of their incidents on your organisation.

Something we’ve thought about is how to secure “inbound documents,” or files that third parties create and share with a company. It’s especially challenging since most organizations have no way to get visibility into these types of files. We’ve created tooling to combat this, and share these tips for employees: 1.) Be cautious when receiving files from freelancers, contractors, and third-party vendors. Do not put highly sensitive information in these documents unless necessary. 2.) Be aware these files are owned by outside parties who can change permissions and add members to the documents at any time. 3.) Do not work on, share, or create your work documents with your personal email accounts.

When sharing data with third-party vendors, it is important to follow some best practices to ensure the data is protected from unauthorized access, misuse, or loss. Here are some tips for securing data shared with third-party vendors: - Assess the vendor's data security capabilities and compliance before choosing them. - Define the data sharing terms and conditions clearly in the contract and agreement. - Encrypt the data before transferring it to the vendor and ensure they can decrypt it securely. - Monitor and audit the vendor's data security practices regularly and address any issues. - Educate and train your employees and the vendor's staff on data security best practices.

The accountability of data security lies with the entity that collects information/data - also known as "Data Controller". The data controller may choose to share this data with other entities for business needs and this third party entity is known as "Data Processor". Ultimately, all responsibility and accountability lies with the data controller, although the data controller can make the data processor liable through contracts and agreements. This is an important aspect to be kept in mind while sharing data. The data controller must perform all due diligence on security aspects and thoroughly vet the data processor before data sharing.