Good third-party risk management is required by the EU's Digital Operational Resilience Act (DORA). Effective third-party risk management is one of DORA's foundational pillars.
Managing Third-Party Risks at Toqio
To manage third-party risks effectively, Toqio follows a structured assessment process.
Initial Evaluation
Before integration work begins, Toqio conducts an evaluation of the integrator's security measures. This assessment involves answering a detailed questionnaire covering technical, procedural, and compliance aspects. The integrator must provide written answers and relevant compliance evidence. The risk level of the integration is determined based on these responses.
Example Questionnaire
| Code | Question | Procedure | Required Evidence |
|---|---|---|---|
| 1 | Does the integrator have an Information Security Policy (ISP)? | Develop and review an ISP outlining security guidelines. | Clear ISP documentation that respects confidentiality agreements. |
| 2 | Does the integrator have an Incident Management Plan/Procedure (IMP)? | Implement an IMP defining incident types, roles, responsibilities, and containment procedures. | IMP documentation. |
| 3 | Is the integrator PCI-DSS compliant? | Required for managing cardholder data. | PCI-DSS compliance certificate. |
| 4 | Is the integrator ISO 27001 certified? | Implement an Information Security Management System (ISMS). | ISO 27001 certificate. |
| 5 | Is the integrator compliant with the EU DORA Act? | Follow DORA requirements for ICT incident management. | Documentation demonstrating DORA compliance. |
| 6 | Is the integrator GDPR compliant? | Implement GDPR-compliant data protection measures. | Explanation and documentation of GDPR compliance. |
| 7 | Does the integrator manage personal information? | Must be GDPR-compliant with proper security measures. | Disclosure of managed personal information categories. |
| 8 | Does the integrator have servers within the EU? | GDPR compliance requires EU-based servers. | Disclosure of server locations. |
| 9 | Are integrator communications encrypted? | Use secure encryption protocols for data transmission. | Encryption policy documentation. |
| 10 | Is integrator data encrypted at rest? | Use strong encryption standards and key management. | Encryption policy documentation and audit reports. |
| 11 | Does the integrator have a User Management Policy (UMP)? | Secure user authentication and management practices. | Documentation of user access management. |
| 12 | Does the integrator have a Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP)? | Regular testing and updating of BCP and DRP. | Up-to-date BCP and DRP documentation. |
| 13 | Does the integrator have a security training program? | Regular training on security best practices. | Training policy and completion records. |
| 14 | Does the integrator perform regular penetration tests? | Identify and mitigate vulnerabilities. | Penetration testing reports. |
| 15 | How does the integrator manage other integrators and subcontractors? | Maintain high standards for third-party practices. | Contracts, risk assessments, and performance monitoring. |
| 16 | Does the integrator perform and securely store data backups? | Regular backups and secure storage procedures. | Backup policy documentation and logs. |
| 17 | Does the integrator ensure secure coding practices? | Implement secure coding policies and training. | Secure coding policy and training records. |
| 18 | Does the integrator use firewalls and intrusion detection/prevention systems (IDS/IPS)? | Robust security monitoring and blocking unauthorized access. | Documentation of firewall and IDS/IPS configurations. |
| 19 | Does the integrator regularly conduct vulnerability scanning? | Identify and remediate vulnerabilities. | Vulnerability scanning policy and reports. |
| 20 | Does the integrator apply security patches and updates appropriately? | Effective patch management procedures. | Patch management documentation. |
| 21 | Does the integrator implement network segmentation? | Define security zones and configure VLANs/firewalls. | Documentation on network segmentation. |
| 22 | Is the integrator performing an annual risk assessment? | Annual risk assessment for compliance. | Risk assessment documentation. |
| 23 | Does the integrator have a risk management framework? | Required for DORA compliance. | Risk management framework documentation. |
Annual Review
Once integrated, integrators must annually update their responses to the security questionnaire. Additionally, depending on the integration and legal requirements, an annual formal risk assessment using recognized frameworks (e.g., Magerit, Octave, NIST) may be required. The integrator must share the results with Toqio for compliance and auditing purposes.
Toqio maintains documentation history for audit evidence as needed.