Building a Vendor Risk Program to Protect Sensitive Data

Built and matured a comprehensive Third-Party Risk Management program with vendor cybersecurity assessments, due diligence frameworks, and GRC integration to protect sensitive constituent data.

A city agency managing sensitive constituent data across dozens of third-party vendors had no standardized way to assess or track vendor risk. RCI built a comprehensive Third-Party Risk Management program from the ground up — including assessment methodology, due diligence frameworks, and GRC integration to give leadership real-time visibility into vendor risk across the enterprise.

  • TPRM program formalized with defined standards and criteria
  • End-to-end vendor assessment methodology established
  • GRC system integration for real-time risk tracking
  • Sensitive constituent data better protected at every vendor touchpoint

The Situation

A major city agency relies on numerous third-party vendors who collect, store, and transmit sensitive constituent data. The existing risk management program needed significant maturation to ensure comprehensive risk assessments, annual due diligence, and continuous monitoring of vendor relationships.

Without a formalized program, the agency lacked standardized processes for evaluating vendor cybersecurity posture, tracking risk across the vendor lifecycle, and communicating risks to stakeholders across the enterprise.

What We Did

RCI partnered with the agency's CISO office, legal department, and key stakeholders to define, document, and implement a comprehensive Third-Party Risk Management program. The engagement included two parallel workstreams: maturing the TPRM program itself and conducting cybersecurity risk assessments and due diligence on vendors.

The team developed a thorough assessment methodology including vendor website and product review, authentication evaluation, privacy policy analysis, and artifact scrutiny against defined risk acceptance criteria. RCI also developed a stakeholder communication plan integrated with the agency's GRC tracking system to ensure timely, effective risk communication across the enterprise.

The Impact

  • Formalized Third-Party Risk Management program with defined processes, acceptance criteria, and archival standards.
  • Comprehensive vendor cybersecurity assessment methodology covering the full vendor lifecycle.
  • Stakeholder communication plan integrated with GRC tracking systems for real-time risk visibility.
  • Enhanced protection of sensitive constituent data through systematic vendor due diligence.

Disclosure: Certain technical details and timeline elements are summarized to protect client security posture and confidentiality requirements.
