3. Document the Third Party
Properly documenting each third party is essential for effective risk management, operational transparency, and compliance with regulatory requirements.
The CSFaaS platform provides a structured approach to capturing, organising, and maintaining detailed information about your third-party relationships.
The third-party record is organised into the following sections:
- Information: Key attributes for each third party.
- Internal Contact: Key internal contacts responsible for each third party.
- Data Classification: Classify and document the types of data shared with or accessed by the third party.
- Related Systems: Map the interconnections between third parties and your internal systems.
- Risk Assessment: Evaluate potential risks associated with each third party.
- Complementary Information: Include any additional details pertinent to the third-party relationship.
Explore each section in detail below to ensure your third-party documentation is complete and up to date.
Information
Documenting key attributes for each third party is essential to managing relationships effectively. Navigate to the “Information” section and complete the following fields:
Third Party Description & Information
Provide a brief overview of the Third Party's activities and its relationship with the company.
Third Party Parent Company
Specify if applicable.
Third Party Contact Name
Enter the Third Party's contact name.
Business Unit
Specify the associated Business Unit.
Third Party Region
Indicate the region where the Third Party operates.
Third Party Country
Specify the geographic location of the Third Party.
Third Party Type
Identify the type of Third Party. For example: Vendor & suppliers, Client, Partner, Distributors, Investors, Government, Regulators, NGO, Other.
Third Party Provider Type
Specify the provider type. For example: IT Hardware, IT Software, IT Data Management & Analytics, IT Developments, IT Services, IT Consulting, Network & Telecom, Facilities, Social Network & Media, Payment Processor, Other.
Third Party Tier Level
Define the applicable Tier Level. For example: Tier 1, Tier 2, Tier 3 or Tier 4.
Internal Contact
Clearly documenting internal stakeholders responsible for managing the third-party relationship is vital for accountability and effective collaboration.
To document the internal company stakeholders:
- Open the card created for the third party.
- Navigate to the “Internal Contact” section and complete the following fields:
- Third Party Contact
- Other Contacts, if applicable.
Data Classification
Properly classifying and documenting data attributes ensures compliance and secure handling of sensitive information.
Navigate to the “Data Classification” section and complete the following fields:
Data Classification Levels
Indicate the sensitivity of the data the third party processes or accesses (e.g., Public, Internal, Confidential).
PII Involvement
Specify whether the third party processes Personally Identifiable Information (PII).
PHI Involvement
Specify whether the third party processes Protected Health Information (PHI).
Related Systems
Mapping relationships between third parties and related systems supports enhanced oversight and risk analysis. To map related systems:
- Navigate to the “Related Systems” section.
- Click on “+”.
- Search for a system using its System ID (SYS-ID).
Risk Assessments
Regular risk assessments support third-party security and allow for continuous oversight. Steps to manage risk assessments:
- Navigate to the “Risk Assessments” section.
- Click on “+”.
- Search for a risk assessment demand using its Risk Assessment Demand ID (RAD-ID).
- Define a Periodicity Review to schedule regular assessments.
When a new demand is added, the current assessment is automatically archived in the “Previous Assessments” section for historical reference and tracking.
Complementary Information
The “Complementary Information” section allows you to document additional details to enhance understanding of third-party relationships. Use this section to:
- Provide Supporting Text: Describe third-party roles, responsibilities, and interactions with your organisation. Highlight their involvement in critical processes, systems, or data.
- Add Relevant Details: Include information such as contractual obligations, compliance requirements, risk levels, or performance metrics for a more comprehensive understanding.
Providing thorough and accurate details will improve understanding of third-party relationships and support effective risk management.