HECVAT Lite v3.0.6
Third Parties

Question HLTP-03

Do you have an implemented third-party management strategy?

Weight: 40
High Risk: Yes
Required: Yes
Compliant Answer: Yes

Standard Guidance

Robust answers from the vendor improve the quality and efficiency of the security assessment process.

Answering "NO"

State your plans to implement a third-party management strategy.

Answering "YES"

Provide additional information that may help analysts better understand your environment and how it relates to third-party solutions.

Reason for Question

Every organization needs to actively understand and manage its supply chain. The vendor's understanding of who their third-party partners are, and their ability to manage those relationships effectively and consistently, speaks to the amount of risk your institution is taking on by contracting with them. Modern technologies allow for rapid deployment of features, and with them come changes to an established code environment. The focus of this question is to verify a vendor's practice of regression testing their code and verifying that previously nonexistent risks are not introduced into a known, secured environment.

Follow-Up Inquiries

If "No," ask whether there are plans to implement a policy, or whether the vendor has a set of documented and consistent procedures that they are using to manage their third-party relationships.
