1. Map your data flow
Prioritize data governance and implement mechanisms for tracking data easily, in both digital or physical formats, by maintaining data records from creation to disposal. Enforce discipline through data ownership and accountability, assigning data custodians, implementing system controls, monitoring, and enforcing security policies as well as data handling procedures and auditing.
2. Assess how third parties safeguard data
Stratify third parties according to risk based on attributes like volume of transactions, regulated data, and data sensitivity type. Take into consideration the impacts of evolving data and privacy laws based on where data is being processed. Conduct assessments and evaluations of these entities and their implemented security controls surrounding the protection of the organization’s information or provided access.
3. Use leading practices and industry standards
Use cybersecurity assessment and ratings services to create risk profiles for third parties. Cyber threat intelligence reports provide benchmarked data across third parties compared to industry leading practices -- and this information could be the basis for creating the risk profiles.
4. Create and stress test a cyber incident playbook
Make your cyber incident response plan consistent with other plans for dealing with threats to business operations. Its components include training the broader company, conducting advance planning and rehearsal, and assigning accountability for communicating with media and stakeholders. You should stress test the plan with realistic scenarios and implement a transparent, interactive customer portal for sharing knowledge and a hotline to answer questions.
