Third-Party Risk Management Framework (TPRMF)

1. Purpose and Scope

This framework ensures that Oxcyon properly assesses, monitors, and manages the risks associated with third-party vendors, partners, and subcontractors who access, process, store, or transmit data within our technology infrastructure or on behalf of our clients.

2. Governance

  • Owner: Chief Information Security Officer (CISO) / Director of Compliance
  • Oversight: Quarterly reviews with executive management and board-level security briefings
  • Policy Review: Annually or following a material incident

3. Risk Categories

  • Information Security (Data loss, unauthorized access, system integrity)
  • Compliance & Regulatory (HIPAA, FISMA, GDPR, FedRAMP-aligned controls)
  • Operational Risk (Downtime, support reliability)
  • Reputational Risk (Brand damage via third-party breach)
  • Financial Risk (Business continuity, vendor solvency)
  • Legal Risk (Contractual breaches, indemnification)

4. Third-Party Lifecycle Process

A. Identification

  • Maintain a centralized vendor inventory within Centralpoint
  • Categorize vendors by risk level (Low, Medium, High)

B. Due Diligence

  • SOC 2 Type II / ISO 27001 certifications
  • Insurance validation (cyber liability coverage)
  • Financial health review
  • Conflict of interest screening
  • Reference checks for subcontractors

C. Risk Assessment

  • Assign inherent and residual risk scores
  • Apply control requirements based on vendor criticality

D. Contracting

  • Include DPAs and security clauses:
    • Breach notification within 48 hours
    • Right to audit
    • Minimum security controls
    • Termination and data return clauses

E. Onboarding

  • Secure access controls configured (e.g., SAML, AD integration)
  • Role-based access policies enforced
  • Orientation on Oxcyon’s Acceptable Use and Security Policies

F. Monitoring & Review

  • Annual performance and compliance reviews
  • Continuous monitoring of critical vendors
  • Risk reassessment upon service change or incident

G. Offboarding

  • Decommission access credentials and VPN tokens
  • Secure return or destruction of all data
  • Final attestation and certificate of data disposal

5. Tooling and Automation

  • Use Centralpoint for:
    • Vendor risk dashboards
    • Document management (contracts, certifications, audits)
    • Audit trail and automated alerts
    • Periodic vendor attestation workflows
  • Integrate with D&B, Recorded Future, BitSight if needed

6. Incident Management

  • All third-party incidents must be reported to Oxcyon Security
  • Activate incident response protocol (aligned with NIST 800-61)
  • Conduct root cause analysis and develop a remediation plan
  • Update vendor risk rating if needed

7. Metrics and Reporting

  • % of vendors with completed risk assessments
  • % of critical vendors with valid security certifications
  • Time to risk remediation
  • SLA adherence for third-party performance
  • Number of incidents attributed to third parties

8. Regulatory Alignment

This framework aligns with:

  • NIST SP 800-53 and SP 800-161
  • ISO 27001 / 27701
  • SOC 2 Trust Service Criteria
  • HIPAA Security Rule
  • FedRAMP (moderate-level alignment)