Today, many businesses rely on outside companies, known as third-party organizations, to handle their data or services. Some examples might include vendors, marketing firms, recruiting organizations and other external entities.

In these instances, it’s likely third-party vendors might collect, store or refer to confidential or sensitive information regarding the business or its customers. To ensure customer data and business processes remain protected and operational and to ensure the best results are obtained from such associations, it’s important to vet third-party companies.

From the policy

THIRD-PARTY VENDOR POLICY DETAILS

If there are existing third-party vendors associated with the organization, an assigned company representative should prepare a written risk assessment for the company to identify these vendors, their purpose, contact information and criticality rating — for example, how important the service(s) they provide are to the organization. Redundant vendors and mechanisms for especially critical functions should be considered.

Company staff must select new third-party vendors with established records of success and that comply with all applicable state and federal regulations and data privacy requirements. third-party vendors must adhere to company policies, practice standards and agreements.

References should be obtained to attest to the reliability and quality of service provided by the prospective third-party vendor.