Third Party Management

SMEs, should ensure that all vendors, particularly those with access to sensitive data and/or systems, should be actively managed to ensure they meet agreed service level commitments.

September 01, 2021

Third Party ManagementLike all organizations SMEs rely on other organizations to provide them with services. Some of these services may involve outsourcing of key business functions to a third party. Indeed, it is not uncommon for SMEs to outsource the management and support of their IT systems to another firm specializing in IT.

However, many of the arrangements in place with third parties, particularly with regards to cybersecurity, are informal and may not have appropriate confidentiality clauses within the contract for service. Contractual agreements should regulate how the information will be accessed during the provision of said service and how will it be treated, as well as penalties, billing, guarantees and other aspects.

To ensure the security of services provided by Third Party vendors or outsourced partners, SMEs should;

  • Develop a list of minimum cybersecurity requirements and obligations that vendors and suppliers must have in place in order for the SME to engage with them
  • Regularly review and conduct an inventory of all its vendors and suppliers.
  • Appoint someone with the responsibility to manage these relationships
  • Ensure Service Level Agreements (SLA) are in place with each key supplier and that these are managed and monitored on an ongoing basis; the SLA should clearly
    • state the scope of the service being provided,
    • outline the roles and responsibilities for each party,
    • define clear lines of demarcation,
    • demonstrate the agreed cybersecurity level of the provided services,
    • detail how to report problems and associated escalation procedures,
    • include metrics by which the services are measured.
  • Conduct regular reviews with suppliers, especially those managing data and/or services on behalf of the SME to ensure the security measures they implement are appropriate.
  • Develop a process to manage the end of a service, either expected or unexpected, with a supplier. This process should ensure that any sensitive data that the vendor had access to is either securely destroyed or returned to the SME.
  • Include a Non-Disclosure Agreement (NDA) or a confidentiality clause detailing what data is considered confidential, how long this confidentiality relationship will last, restrictions on the use of information by the service provider and the legal jurisdiction accepted.

If the external vendor provider requires access to any personal data under the care of the SME, a Data Processing Agreement should be put in place as per the requirements outlined in the EU General Data Protection Regulation (GDPR).

This site uses cookies to offer you a better browsing experience.
Aside from essential cookies we also use tracking cookies for analytics.
Find out more on how we use cookies.

Accept all cookies Accept only essential cookies