
THIRD-PARTY RISK MANAGEMENT STANDARD OPERATING PROCEDURE


TABLE OF CONTENTS

  1. Purpose and Scope
  2. Definitions and Tiering Criteria
  3. Lifecycle Overview
    3.1 Intake and Criticality Scoring
    3.2 Tiering Decision
    3.3 Due Diligence and Evidence Collection
    3.4 Contracting Controls
    3.5 Onboarding
    3.6 Ongoing Monitoring
    3.7 Periodic Reassessment
    3.8 Offboarding and Data Return/Deletion
  4. Roles and RACI
  5. Documentation and Systems of Record
  6. Metrics, KRIs, and Reporting
  7. Exceptions and Compensating Controls
  8. Review Cadence and Ownership
  9. Annexes (Checklists, Templates)
  10. California-Specific Requirements

1. PURPOSE AND SCOPE

  • Standardize third-party risk management (TPRM) for vendors, partners, and subprocessors.
  • Applies to all third parties that access company data, systems, customers, or critical operations.

2. DEFINITIONS AND TIERING CRITERIA

  • Tiers: Critical, High, Medium, Low.
  • Criteria: data sensitivity (PII/PHI/PCI/IP), system connectivity, transaction volume, operational reliance, regulatory impact, geographic risk, public official exposure.
  • Tier drives diligence depth, approval levels, and monitoring cadence.

3. LIFECYCLE OVERVIEW

3.1 Intake and Criticality Scoring

  • Business owner submits intake with use case, data types, integrations, geos, and alternatives considered.
  • Initial risk score is calculated automatically from the intake answers; Compliance and Security review it for accuracy before the tiering decision.

3.2 Tiering Decision

  • Assign tier based on scoring and professional judgment; document rationale.
  • Escalate ambiguous cases to Compliance/Security leadership.

3.3 Due Diligence and Evidence Collection

  • Issue a questionnaire aligned to the tier; collect artifacts (policies, SOC 2 reports, ISO 27001 certificates, PCI DSS attestations where card data is in scope, penetration test summaries, insurance certificates, subprocessor list, DPIA if applicable).
  • Perform sanctions/PEP/adverse media screening; export controls checks where relevant.
  • Evaluate privacy (DSR handling, transfers), security (access, encryption, logging, SDLC), resilience (BC/DR), and legal (licenses, regulatory history).

3.4 Contracting Controls

  • Required terms by tier: DPA plus SCCs/IDTA where cross-border transfers occur, security addendum, uptime/SLA, breach notice timelines, audit and penetration test rights, subcontractor approvals, IP/confidentiality, indemnities, insurance, termination, and data return/deletion.
  • Deviations require approvals and compensating controls recorded.

3.5 Onboarding

  • Validate that contracted controls are implemented before go-live; provision system access on a least-privilege basis; enable logging of vendor access; assign owners; update vendor and asset repositories.

3.6 Ongoing Monitoring

  • Track incidents, complaints, SLA performance, change notices (scope, subprocessors, location), and financial viability.
  • Require timely notice of security/privacy incidents and material changes.

3.7 Periodic Reassessment

  • Cadence by tier (e.g., Critical: annual; High: 18 months; Medium: 24 months; Low: 36 months).
  • Triggered reassessment upon incidents, scope changes, new data types/geos, M&A, or regulatory changes.

3.8 Offboarding and Data Return/Deletion

  • Confirm data return or deletion and collect the vendor's deletion certification; revoke all access and credentials; migrate services if needed; close out records in the TPRM system.

4. ROLES AND RACI

  • Business Owner: initiates intake, funds vendor, owns performance, ensures adherence.
  • Compliance: policy oversight, sanctions/export review, contract clauses, exceptions.
  • Security: technical review, security clauses, monitoring requirements.
  • Privacy: data mapping, DPA/SCCs, transfer risk, DSR process.
  • Procurement/Legal: commercial/legal terms, signature.
  • Finance: payment controls.
  • Internal Audit: independent review/testing (if applicable).
  • RACI table: [INSERT MATRIX BY ACTIVITY].

5. DOCUMENTATION AND SYSTEMS OF RECORD

  • Central TPRM system/ticket stores intake, tiering, approvals, questionnaires, evidence, exceptions, contracts, monitoring notes, and reassessments.
  • Version control for artifacts; link to contract repository.

6. METRICS, KRIs, AND REPORTING

  • Time-to-approve by tier; exception count/aging; reassessment completion rate; incident notifications; SLA breaches; critical vendor concentration.
  • Report to [BOARD/COMMITTEE/EXCO] on cadence [QUARTERLY].

7. EXCEPTIONS AND COMPENSATING CONTROLS

  • Document exceptions with risk owner, approver, expiration/review date, and compensating controls; track to closure.

8. REVIEW CADENCE AND OWNERSHIP

  • Owner: [COMPLIANCE/SECURITY/PROCUREMENT].
  • Review SOP annually or upon material change (new regulation, major incident, program redesign).

9. ANNEXES (CHECKLISTS, TEMPLATES)

  • Annex A: Intake form fields.
  • Annex B: Tiering criteria and scoring model.
  • Annex C: Required clauses checklist by tier.
  • Annex D: Reassessment checklist and evidence list.

10. CALIFORNIA-SPECIFIC REQUIREMENTS

  • CPRA service provider/contractor terms (Cal. Civ. Code § 1798.100(d)) are required in vendor agreements: specify the limited business purposes, prohibit selling or sharing the personal information, prohibit retention, use, or disclosure outside the direct business relationship or for any purpose other than those specified, require the vendor to provide the same level of privacy protection, permit the company to take reasonable steps to ensure compliant use and to stop and remediate unauthorized use, and require notice if the vendor can no longer meet its obligations.
  • Vendor support for CPRA consumer requests (access, deletion, correction, opt-out) and the company's audit rights must be documented in the DPA and onboarding checklist; vendor turnaround times must fit inside the statutory 45-day response window so the company can answer the consumer on time.
  • For vendors processing sensitive personal information, confirm data minimization, purpose limitation, and that the vendor can honor the company's opt-out of sale/sharing and limit-use-of-sensitive-personal-information instructions downstream.
  • Apply California breach notification requirements (Cal. Civ. Code § 1798.82) in incident response playbooks and vendor SLAs: a vendor that maintains personal information on the company's behalf must notify the company immediately upon discovery of a breach, because the obligation to notify affected California residents (and the Attorney General when more than 500 residents are affected) sits with the company as data owner and runs from discovery without unreasonable delay.