SOC 2 Vendor Privacy Commitments (P6.4)


Overview:
The entity obtains privacy commitments from vendors and other third parties who have access to personal information to meet the entity’s objectives related to privacy. The entity assesses those parties’ compliance on a periodic and as-needed basis and takes corrective action, if necessary.


Action Items:
1) Create a vendor management policy and related procedures and publish to the company intranet for employee access and review.
2) Inspect the contracts for a sample of vendors during the review period to determine that nondisclosure agreements covering confidentiality and protection are required before information designated as confidential is shared with third parties.
3) Inspect the vendor reviews for a sample of vendors to determine that a privacy and security assessment is performed on a recurring basis for all vendors that handle sensitive or confidential data.


Related Documents:
1) Vendor management policy
2) Vendor nondisclosure agreements
3) Documented vendor reviews

Additional Guidance:
The following points of focus highlight important characteristics related to this criterion:


1) Discloses Personal Information Only to Appropriate Third Parties—Personal information is disclosed only to third parties who have agreements with the entity to protect personal information in a manner consistent with the relevant aspects of the entity's privacy notice or other specific instructions or requirements. The entity has procedures in place to evaluate that the third parties have effective controls to meet the terms of the agreement, instructions, or requirements.
2) Remediates Misuse of Personal Information by a Third Party—The entity takes remedial action in response to misuse of personal information by a third party to whom the entity has transferred such information.



Article ID: 271
Created: September 26, 2022
Last Updated: September 26, 2022
Author: Matthew Burdick

Online URL: http://www.compliancewiki.org/article/soc-2-vendor-privacy-commitments-p6-4-271.html