During the Vendor Risk Management process, information is in constant flux. From risk assessments to risk remediation processes, communication involving sensitive security control data continuously flows between an organization and its monitored vendors.
If intercepted, this information stream could be used as open source intelligence for a third-party data breach campaign, nullifying the very efforts a VRM program is trying to mitigate.
Preventing such a devastating event doesn’t need to involve additional costly investments into third-party risk management. It can be addressed by integrating an NDA process with your Vendor Risk Management platform.
To learn how to securely integrate a Non-Disclosure Agreement into your Vendor Risk Management program, read on.
Types of NDAs in Cybersecurity
There are three different types of NDAs in cybersecurity:
- Unilateral NDAs - The most popular style of NDA used in Vendor Risk Management, where only one party discloses information to the other.
Unilateral NDA template.
- Mutual NDAs - To be used when sensitive cybersecurity information will be exchanged between both parties. Some VRM-related negotiations involve diligent vendors requesting cybersecurity information about their prospective partners to mitigate upstream inherent risk transfers.
Mutual NDA template.
- Multilateral NDAs - This type of NDA covers multiple parties disclosing information to another party. Multilateral NDAs are commonly used in complex negotiation and RFP processes.
Multilateral NDA template.
When Should an NDA be Used in the Vendor Risk Management Process?
It’s good practice to activate an NDA policy whenever you’re sharing information about your internal ecosystem. If you’re a third-party vendor, this happens when a risk assessment or security questionnaire is received, which corresponds to the first stage of the VRM lifecycle.
Before vendor onboarding, NDAs should be used within the RFP process to protect the sensitive information commonly shared at this stage. Vendors should also stipulate their use of NDAs during vendor risk management in contract negotiations. This allows prospective business partners to gauge compatibility with their idea of a streamlined vendor risk assessment process.
Because the introduction of NDAs could slow down a process that’s already vulnerable to delays, they may not be required in all due diligence workflows. For example, a request to access procurement policies may not warrant an NDA since much of this information is usually publicized on a vendor’s website.
To maintain workflow efficiency, the NDA process should ideally be activated only when sensitive information is requested, where the degree of sensitivity is determined by the potential value of that information in the hands of a cybercriminal.
Such a classification system doesn’t need to be complex. It could be as simple as labeling as high-risk any data that maps your environment in a way that could be used for cyberattack reconnaissance. Data classified as high-risk could include inherent risks, security controls, trade secrets, management software, information security details, and management systems.
Any data that could assist a data breach should be guarded with confidentiality agreements.
Integrating NDAs into a VRM Workflow
An NDA process should be introduced into an existing process for sharing security information efficiently. Given the high rate of information exchange in vendor risk management, the ideal process of information sharing should involve a public-facing profile hosting frequently requested cybersecurity information.
Here’s an example template for a Shared Profile:
- Security Ratings: A security rating representing your security posture.
- Security Contact: The contact details of the team or employee responsible for the organization’s cybersecurity.
- Company Description: A summary of what the service provider does.
- Security Questionnaires: A library of completed questionnaires that are commonly requested. Proactively sharing these completed assessments streamlines vendor risk lifecycle management for all involved parties.
- Supporting Documentation: Any cybersecurity documentation that complements vendor risk mitigation efforts. For example, evidence of certifications and regulatory compliance, such as SOC 2 reports, GDPR, and PCI DSS compliance, as well as evidence of exemplary security controls from trusted standards, such as ISO 27001, Zero Trust, NIST 800-53, etc.
In the context of cybersecurity due diligence involving a Shared Profile, the NDA process would be the first step in the workflow. Viewers are only granted permission to access a company’s Shared Profile and its sensitive security information after agreeing to the terms of the NDA.
All NDA submissions should be visible to internal legal teams to hold all agreeing parties accountable for their legally binding promises of non-disclosure.
As important as promptly responding to access requests is the ability for organizations to deny or revoke access to a Shared Profile after an NDA submission. Prospects that don’t develop into clients shouldn’t retain access to your security profile, and competitors should never be given access to your Shared Profile.
NDA Protection for Shared Profiles by UpGuard
UpGuard couples an NDA protection feature with its Shared Profile feature to give organizations complete control over who accesses their Shared Profile.
To support individual legal requirements, Shared Profile owners can upload their own Non-Disclosure Agreement.
With UpGuard’s NDA process, Shared Profile owners can enjoy the following benefits:
- Complete Access Control - Following an NDA submission, organizations can grant, deny, and revoke access to their Shared Profile to mitigate open source intelligence abuse.
- Complete Transparency - All parties have ongoing access to completed NDAs, encouraging ongoing acknowledgment of legally binding agreements.
- Streamlined VRM Workflow Management - By hosting frequently requested security information on a Shared Profile, organizations and service providers avoid wasting time answering the same types of security questions.