The Privva 10: The New Way to View Third-party Risk
Assessing third-party risk can be challenging. Privva has launched a new, proprietary third-party risk scoring methodology that classifies risk into 10 key security domains. Mapping security assessment questionnaires to the Privva 10 Security Domains provides organization-level intelligence across your vendor ecosystem.
At a time when corporations want to consolidate their vendor ecosystems, the results of vendor risk assessments can inform that consolidation. Data protection has become a key component of supplier selection. Privva's approach lets the risk management team benchmark risk assessment data from multiple angles.
The Privva 10:
Governance: Evaluates the organization's leadership, management, communication and oversight. This indicates how well an organization can communicate and comply with the requirements of its customers and regulators. For example: "Are there information security policies that have been approved by management and communicated to employees and relevant stakeholders?"
People: Analyzes human resources and access control practices to measure the risk posed by employees and contractors who are not properly screened or who hold improper access. Questions in this domain might ask whether there is a process for reviewing user access, or whether background checks are part of the onboarding process for employees and contractors.
Information Management: Quantifies security and governance practices related to data handling. This helps to evaluate the risk of data exposure. Questions related to whether sensitive data is stored by the vendor, data encryption, and transmission of data would be included in this domain.
DevOps: Assesses development and IT operations practices to measure the potential for exploitation or failure of applications and their underlying systems and processes. This domain covers how a vendor builds its internal IT infrastructure and applications. For example: "Do changes to a production environment go through a change management process?"
Security Operations: Captures the digital and physical security practices that protect the confidentiality, integrity and availability of systems and information. It evaluates the likelihood that threats would be prevented, or detected and responded to effectively. This domain includes questions such as "Do your data centers have physical security controls?" and "Do you scan for network vulnerabilities?"
Resilience: Measures preparedness for disasters and critical incidents to evaluate how well the organization can prevent, respond to, and recover from a crisis. Example questions include whether there are policies and procedures in place for disaster recovery, business continuity, and if those procedures are tested at some regular interval.
Risk Management: Indicates the organization's ability to identify, assess and mitigate relevant business and technology risks within the organization, its third parties, and its business and geopolitical environment. This helps predict how well an organization would adapt and respond to adverse events and change. For example: "Does your organization have a third-party vendor risk management program in place?"
Privacy: Reviews the practices in place to protect customer privacy, in order to capture the risk of private customer data being misused. Questions in this domain ask, for example, whether the organization has a policy governing who can access customer data and when.
Compliance: Measures the level of compliance with payments, consumer protection, and other applicable regulatory requirements. Questions here are designed to establish which regulatory requirements apply and to measure compliance with those standards. For example: "Do you market or sell directly to your client's customers?" and, if so, "Is training conducted with regard to consumer protection responsibilities?"
Reputation: Identifies public indicators of business, legal, cybersecurity, financial, or reputational losses or risks, to help determine whether the organization would make a risky partner. For example: "Has your company suffered a security breach within the last three years that impacted client data?"
Contact Privva to learn more about the Privva 10 Security Domains and how Privva’s platform can enhance your third-party vendor risk management process.