What’s a Third-party Proof Self-assessment?
SaaS providers often have B2B customers and prospects requesting Third-party Proof of Compliance documentation from them on a continual basis. Customers need Third-party Proof from their providers to comply with requirements in compliance frameworks like PCI DSS, GDPR, SSAE 18, HIPAA, and more. For example, in PCI DSS v3.2.1 the third-party (service provider) requirements are 12.8.1-5. This Third-party Proof often takes the form of annual exchanges of an Attestation of Compliance plus more frequent exchanges of supporting information, like security scan results, on a recurring basis. Most Third-party Proof is also exchanged under an NDA, which itself has to be maintained and updated.
There comes a point for most growing SaaS providers when their business has scaled to a level at which 1-to-1 manual support for these Third-party Proof requests, the related NDAs, and the subsequent flows of recurring data becomes too costly to maintain without automation.
A Third-party Proof Self-assessment can help determine the current baseline activities, systems, risks, and costs associated with maintaining and exchanging your Third-party Proof, which can then become the basis for improvements.
A Step-by-step Third-party Proof Self-assessment
- Identify all the compliance frameworks that your organization uses (e.g. PCI DSS, HIPAA, GDPR, SSAE 18, FedRAMP, SOX, GLBA, ISO, etc.)
- Identify all the requirements for providing and collecting Third-Party Proof of Compliance within your compliance frameworks
- Estimate time and resources spent on maintaining up-to-date third-party proof for audits, contracts, incident response, and M&A
- Estimate time and resources spent on lapses in third-party proof that required additional incident response, investigations, remediation, or re-negotiation activities
- Assess the costs of your current technologies used in maintaining and exchanging Third-party Proof (3PP), whether by email, data-sharing, enterprise systems, or in supporting third parties
- Assess the percentage of provider, vendor, and B2B customer 3PP communications addressed manually vs. systematically, and addressed with standard responses vs. customized or 1-to-1 responses
- Evaluate build vs. buy of obtaining specialized automation for publishing and collecting third-party proof
- Record all your data and conclusions in a form useful for later periodic review and improvement
In addition, consider taking the 2018 Third-party Proof of Compliance Survey to organize your facts and obtain the survey results for comparison and benchmarking.