Disengagement: End-to-End Program Flashcards
- TPRM End-to-End Program
Termination Process
-Begin with the end in mind (ensure you create an exit strategy for your more critical vendors before the contract is signed).
-You should also establish a disengagement checklist at the beginning of the relationship so you know where data is stored, how third parties connect or will connect into your environment, and where they are physically located.
-This information will help you during the disengagement phase.
You need to continue to assess third parties on some level if they will maintain data for a specific period of time.
How does your program deal with disengagement? Ask these questions.
-What would the sudden loss of this third party do to the company?
-What would the impact be to the company’s customers?
-What steps need to be taken to minimize disruption to the business and customers?
-Who would be involved?
-Are there third party alternatives?
-What would the transition period be?
-How long would the company need to stand in?
Do this for critical or high-risk vendors.
Create a checklist so you know what to keep track of.
Steps for Disengagement:
E.C.D.T.D.R.
- Exit Strategy/Plan
- Contract Language
- Disengagement Letter
- Termination Checklist
- Destruction of Data
- Record Retention and Ongoing Review
Steps for Disengagement
1. Exit Strategy/Plan
For critical third parties, add transition language to the contract.
-Specifically look at your contracts to see what you can get added.
Steps for Disengagement
2. Contract Language
Review:
“Terms for Convenience vs. Cause”
“Notification Requirements”
“Termination Expectations”
“Continuous Monitoring” Clauses
Look at the notification requirements and termination expectations, e.g. agree to a meeting, provide data in a specific format.
Continuous Monitoring:
-In the event you are required to maintain our data for a temporary timeframe, we will continue to monitor you, e.g. pen test results, vulnerability management, patch management.
Steps for Disengagement
3. Disengagement Letter
Should include why you are terminating, when the termination will take place, and termination expectations.
-30 days' notice: why you’re terminating, when it will take place; clearly call out specific contract clauses and not on the letter.
Steps for Disengagement
4. Termination Checklist
-Contract Review
-Settlement of outstanding Invoices
-Removal of Assets and Data (to be reviewed in future slides)
-Updating Third Party Profile (can you use the third party again?)
You need to perform these steps.
-When updating the third party profile, make sure your whole company is aware whether you’re terminating the entire vendor or a specific service.
-All departments need to be on the same page.
-Get whatever data back that they don’t need.
-Can we use this third party again?
-Explain the termination, was it on good terms?
-Can we use them for another department?
-Have a way to tell other departments we don’t want to use this vendor.
Steps for Disengagement
5. Destruction of Data
NIST has requirements; put them in your contract, and use NIST or better practice.
Steps for Disengagement
6. Record Retention and Ongoing Review
If they still have your data and need continued review, get evidence if you’re comfortable with just that.
-Make sure there is a date for the data to be back in house if evidence is to be accepted in place of a full evaluation.