Medium

What is it? 

Third-Party Risk Management (TPRM) is the process of identifying, evaluating, and mitigating the potential risks associated with a third-party vendor’s security practices. Specifically, NDIT focuses on any third party that meets one or more of the following criteria:

  • Hosts agency data, or
  • Has administrative access to the State’s IT environment.

TPRM focuses on due diligence activities, which provide reasonable assurance that ND citizen data is safeguarded.

The TPRM process requires third parties to:

  1. Complete a third-party security questionnaire about the security controls and program surrounding the confidentiality, integrity, and availability of State data, or
  2. Provide documentation of an industry-accepted security control certification.

The goal of TPRM is to:

  • Understand security concerns when selecting a vendor.
  • Safeguard data to foster an environment of citizen trust.
  • Mitigate undue risks and costs associated with third-party breaches.
  • Ensure compliance with legal, privacy, policy and standards requirements.
  • Ensure business continuity by verifying that third-party vendors have effective contingency plans.
  • Partner with vendors as cybersecurity is a shared responsibility.

As of July 1, 2023, a third-party risk assessment will be required for all new State Agency vendors. Existing vendors will be assessed as contracts are renewed.

What do you get with the Service? 

NDIT onboards vendors, scores responses to questionnaires, tracks findings, provides continuous monitoring of critical vendors, and reassesses vendors based on their risk.

  1. Initial Assessment
    NDIT will obtain initial information about the vendor and determine whether the data it transmits, stores and/or accesses is classified (based on NDIT’s data classification policy) as:
      • High risk
      • Moderate risk
      • Low risk
  2. Vendor Assessment
    NDIT will determine the level of assessment required based on the data classification and on the information provided in the IT Solution Questionnaire, which should be submitted with any IT Review request.
  3. Report
    Identified findings (potential risks) are discussed with the information security officer, procurement officer, agency and other key stakeholders. Parties discuss risk response options, which may involve the vendor if remediation of a finding is required.
  4. Continuous Monitoring
    NDIT will continuously monitor vendors based on their level of risk.

How to request the service?

Third-Party Risk Management (TPRM) is embedded in the IT Review process. An IT Review request must be submitted and an IT Solution Questionnaire completed.

NDIT strives to complete a third-party risk assessment within 28 calendar days after the request has been submitted. This timeline is largely dependent on the responsiveness of the vendor and other key stakeholders.

If you have any questions about requesting third-party risk services from NDIT, please send an email to cygrcrisk@nd.gov.