Auditing Third Parties
Many organisations use 'third party' organisations to process data on their behalf. These organisations may be used for the outsourcing of payroll, systems development, HR functions or call centre activities, among other purposes. One of the main concerns in these scenarios is assessing how well the third party is handling the data provided and whether it is managing that data in line with expectations and with appropriate security.
URM can manage a security audit programme for all of an organisation's third parties, checking whether they are managing and securing data to the expected standards or organisational requirements. These standards can be set internally or may relate to a relevant international standard such as ISO 27001. URM can also assess whether third parties are complying with legislation such as the Data Protection Act 1998.
URM can deliver full lifecycle services associated with the audit programme, including follow-up actions to ensure third parties continue to meet the organisation's expectations and requirements. URM has specialist CISA, ISO 27001 and BS 25999 auditors in house who are able to provide reassurance that data is being appropriately managed when it is outside an organisation's boundary. Where organisations provide credit card details to third party organisations, URM can assess their compliance against the Payment Card Industry Data Security Standard (PCI DSS).
Typical questions that URM will ask of third parties include:
- Who at the third party is able to access the information?
- What are the risks to the information?
- How is the information protected logically?
- What physical protection is in place to protect customer information?
- How and where is the information stored, backed up and removed when all requirements have been completed?
