← Back to Dashboard
DOMAIN — VENDOR & THIRD-PARTY RISK

Your worst breach may not be yours. It may be a vendor’s — with your data in it, and your name on the notification.

Recommended Module

Carriers ask whether you manage third-party risk because so many claims start with a vendor: a payroll provider gets popped, a SaaS tool is misconfigured, an IT contractor’s laptop is stolen — and your data goes with it. They want to know you have a list of who touches your data, that you have vetted the risky ones, and that your contracts actually require them to protect it.

The three things they are really asking: Do you have an inventory of your vendors and what data each one holds? Have you risk-ranked them and done due diligence on the critical ones? And do your contracts — including BAAs where you share health data — require security and breach notification? If your answer is "we’d have to go dig through emails," this kit closes that gap.

YOU CAN DO THIS TODAY
1

List your top 10 vendors by data.

Open a document and write down the vendors that hold or touch your most sensitive data — payroll, email, cloud storage, your EHR or billing system, anything with customer records. That list, with what data each one holds, is the start of a vendor inventory. You cannot manage risk you have not written down.

2

Find your BAAs (if you handle health data).

If any vendor touches PHI, you are legally required to have a signed Business Associate Agreement with them. Spend 20 minutes confirming which of your PHI vendors have one on file. A missing BAA is one of the most common — and most citable — gaps.

3

Pick your one riskiest vendor and ask for their SOC 2.

Choose the single vendor that would hurt you most if breached and email them: do you have a current SOC 2 Type II or ISO 27001, and will you notify us of a security incident? Their answer (or silence) tells you a lot, and it starts the due-diligence habit.

THE VENDOR RISK MANAGEMENT KIT

If the quick wins showed you the gap but not the path, the kit gives you a complete vendor-risk program — inventory, risk-tiering, a security questionnaire, and contract/BAA checklists — without buying a six-figure TPRM platform.

WHAT'S INCLUDED IN EVERY KIT
01

Vendor & Third-Party Management Policy

The policy that sets your program: what you require of vendors and how you manage them. Pre-structured; adapt and adopt.

02

Vendor Inventory & Risk Register

A living record of every vendor, the data they touch, their access, and their risk tier — the backbone of the program.

03

Vendor Risk Tiering Matrix

A simple method to tier vendors so your due diligence is proportional to the risk — deepest scrutiny where it matters.

04

Vendor Security Assessment Questionnaire

The due-diligence questionnaire you send to critical vendors, covering their security program, data handling, access, incident response, and compliance.

05

Contract & BAA Terms Checklist

The security, breach-notification, and BAA protections to look for in your agreements — organized so your conversation with counsel is fast and focused.

06

Onboarding & Offboarding Checklist

Step-by-step so every new vendor is assessed and contracted, and every departing vendor’s access and data are cleaned up.

07

Ongoing Vendor Review Log

A schedule and record for re-reviewing vendors by tier — your evidence of an active, ongoing program.

NEED MORE THAN A KIT?

Some vendor portfolios need a program run around them, not a template.

If your Whitestance score flagged Third-Party Risk as a critical gap — or if you have dozens of vendors touching regulated data — a kit gets you a program but a full engagement gets it operated. Whitestance’s fractional CISO engagements build and run your vendor-risk program across your whole environment, chase down the assessments and BAAs, and produce documented evidence your board, auditors, and carriers can see. Engagements start at $40,000 for smaller organizations and scale from there.

Talk to us about a full engagement →