Where are the third (and fourth) parties? The jagged edge of vendor risk management.

In the latest Imprivata Live session, experts from our legal and product teams dive into vendor access risks, as well as strategies and best practices to mitigate them…

A recent Imprivata Live session featured valuable perspective and actionable insights on the nuances of the risks stemming from third- and fourth-party vendors. Our own Maria Phillips, head of the data privacy and AI governance teams, and Russell Dowdell, Sr. Director, Product Management, Privileged Access Security, also highlighted the importance of building a resilient, auditable vendor risk management program; imposing key contractual provisions; and employing access control strategies to bolster cybersecurity. The following is a recap of their discussion.

It's a partnership often accompanied by a leap of faith: every day, organizations give third-party vendors broad access to their networks and sensitive data to help keep the wheels turning. But are the vendors’ security protocols adequate? Are they accountable for their actions? And how do organizations manage these inherent risks?

Further complicating the supply chain security equation are vendors’ vendors – fourth-party subcontractors and other service providers. It all adds up to a great deal of uncertainty driven by hidden risk exposure that can impact an organization’s operations, compliance, reputation, and bottom line. Here’s a closer look at the issue, outlining best practices for vendor and risk management.

Build a third-party risk management program

Establishing an effective third-party risk management (TPRM) program starts with stepping back and considering your environment. Whether it involves hardware or software, on-premises or cloud-based systems, any vendor or supplier accessing your environment can introduce risk. The foundation of a TPRM program lies in following the data. This means mapping out your systems, defining what data flows through them, who needs access to it and for how long it is retained, and identifying what type of assessment is necessary based on your industry, data volume and sensitivity, regulatory exposure, and risk tolerance.

Start with due diligence, compliance, and documentation

A vital next step is due diligence, tailored to your business model, risk tolerance, and regulatory environment. Lay the groundwork by documenting your compliance standards so you can determine both internal and external obligations.

For example, less-regulated sectors may worry more about reputational damage and less about compliance fines. On the flip side, highly regulated industries like healthcare or finance must adhere to strict compliance standards. In these instances, proper accessible documentation of both your internal standards and third-party certifications (e.g., SOC 2 Type 2, ISO 27001/27701, or ISO 42001 for AI) is essential.

Set legal and contractual expectations

A critical element in vendor access management is establishing strong contracts, particularly with pass-through obligations. That involves ensuring your third party imposes your security requirements on their vendors (your fourth parties). This can include standards like encryption protocols, data governance and management, IAM and RBAC, and breach notification timelines.

Many organizations stop at the third-party layer because of limited capacity and resources to conduct fourth-party diligence. That’s why contracts must clearly assign this responsibility to the third party. Legal clauses should address audit rights, limitation of liability, and indemnity. And it's important not to accept vague promises or inflated insurance coverage without confidence they’re enforceable. Risk-based contract tailoring is vital, especially when sensitive data is involved.

Avoid the checkbox mentality

A common pitfall is treating compliance as a checkbox exercise. Risk should be assessed pragmatically — based on necessity, not convenience. Critical vendors often require deeper access to systems and data, which increases your exposure. Vendors must justify their access: what data, for what purpose, for how long. Access requests must align with actual need, not hypothetical convenience or future potential.

Instill better access controls (beyond VPN)

Traditionally, VPNs granted broad access to third parties. While this is fading, many still operate with outdated access practices. Access should be purpose-driven and time-bound. In addition, contracts must include audit clauses, and regular audits are essential to ensure vendors meet agreed standards not just initially, but throughout the relationship.

“Contract audit clauses are important, as well as the need to move past the ‘trust but verify’ concept to a Zero-Trust approach. You have to know for certain that vendors are adhering to the agreed security standards.”

—Maria Phillips, head of the Imprivata data privacy and AI governance teams

As part of that, limitation of liability clauses protect you in case of a catastrophic failure. For instance, a vendor managing HR or PHI data has vastly different liability implications than a soda machine supplier. Indemnity is another key clause — vendors who won't stand behind their product or service raise red flags and erode confidence.

Get the full picture with data mapping and inventory management

Data maps and inventories are key operational building blocks in a TPRM program. It’s all about having a handle on questions including: Do you know what data is collected? Why? Where it’s going? Who’s accessing it and how? Where is it being stored? When is it being downloaded? For how long?

In addition, with today’s hybrid environments, data may reside in cloud systems, on personal devices, or in external tools. That complicates things, because if something happens and you’re investigating, it’s not unusual to find that the scope of the issue is a lot bigger than expected. The bottom line is that misplaced or untracked data expands your risk landscape and complicates incident or breach response.

Control access with precision

Access control must be exercised through whitelist and blacklist models, with a focus on minimum necessary access. What access does someone really need? What’s absolutely required to accomplish a task or optimize a workflow? Use such considerations as a basis to define access permissions and term limits.

As part of that, keep in mind that third parties often over-request access, leading to excessive permissions and liability. Push back and enforce least-privilege access policies. If vendors understand the legal and risk implications of broader access, they’re often more willing to limit their exposure.

Audit and monitor third-party access

Audit trails are crucial pieces of a robust monitoring program. Every third-party session must be linked to a named identity, not a generic shared account. Logs should capture who got in, what they did, why, when, and whether any data was pulled or changed. This allows for a clear picture of what went wrong, enabling full traceability, while supporting incident response and accountability.

In the end, true TPRM maturity comes from not just collecting audit logs, but actively conducting audit monitoring and acting on insights. It completes the loop: you have contracts, vendor access controls, and you can verify compliance throughout the relationship. And it’s important to ensure you take a risk-based approach to access management that’s pragmatic. That means setting priorities and focusing on the most pressing problems.

“Take a risk-based approach, and don’t try to solve things all at once. Prioritize – identify the highest-risk vendor, solve for that, and then work your way down.”

—Russell Dowdell, Imprivata Sr. Director, Product Management, Privileged Access Security

Manage offboarding and inactive accounts

It’s not uncommon for breaches to result from dormant accounts left open after offboarding. Given that, it’s important to ensure access expires with the contract or due to inactivity. This requires fail-safes and automation capabilities, including setting access expiration dates that sync with contract timelines. If a contract is renewed, update access accordingly. If it ends, remove all access — even if it means getting a call later to reinstate it. That’s better than leaving the door open for years.
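The audit-trail and offboarding points above (named identity per session, access that expires with the contract or on inactivity) can be turned into a periodic check. The script below is an added example, not Imprivata code or a product feature; the roster, the key=value log format and every account, date and log line in it are constructed for illustration.

```python
"""Added example (not Imprivata code): review vendor accounts for the gaps named above. All data is constructed."""
from datetime import date, datetime, timedelta
# Constructed roster: vendor account -> contract end date.
ROSTER = {
    "acme-billing-jdoe": date(2025, 12, 31),
    "acme-billing-shared": date(2025, 12, 31),
    "hvac-remote-plee": date(2025, 3, 31),   # contract already over
    "erp-consult-rkim": date(2025, 12, 31),  # valid contract, never used
}
# Constructed session log in an assumed key=value format (not a real product's
# format). user=- marks a login that is not tied to a named person.
LOG_LINES = """\
2025-06-01T09:00:00 account=acme-billing-jdoe user=jdoe action=login target=billing-app
2025-06-02T14:30:00 account=acme-billing-shared user=- action=login target=billing-app
2025-06-02T14:35:00 account=acme-billing-shared user=- action=export target=hr-db rows=1200
2025-05-20T08:00:00 account=hvac-remote-plee user=plee action=login target=bms-gateway
""".splitlines()
INACTIVITY_LIMIT = timedelta(days=90)

def parse_line(line):
    """Turn 'TIMESTAMP k=v k=v ...' into a dict; the timestamp goes under 'ts'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec

def review_access(roster, log_lines, today, inactivity_limit=INACTIVITY_LIMIT):
    """Return {account: [findings]} for every account that needs action."""
    events = [parse_line(line) for line in log_lines]
    findings = {}
    for account, contract_end in roster.items():
        own = [e for e in events if e["account"] == account]
        issues = []
        # Every session must map to a named identity, not a shared login.
        unattributed = [e for e in own if e["user"] == "-"]
        if unattributed:
            exports = sum(e["action"] == "export" for e in unattributed)
            issues.append(f"{len(unattributed)} session(s) with no named identity, {exports} export(s)")
        # Access must expire with the contract; use after the end date is worse.
        if contract_end < today:
            used_after = any(e["ts"].date() > contract_end for e in own)
            issues.append("contract ended, access still enabled" + (", used since" if used_after else ""))
        # Access must also expire on inactivity; an account never used is dormant too.
        last = max((e["ts"].date() for e in own), default=None)
        if last is None or today - last > inactivity_limit:
            issues.append("dormant: " + ("never used" if last is None else f"{(today - last).days} days idle"))
        if issues:
            findings[account] = issues
    return findings
```

Run it on a schedule with the current date; accounts flagged as expired or dormant are the ones to disable, and shared accounts are the ones to re-provision as named identities.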

Vendor risk management: four key takeaways

  1. Follow the data and the parties that have access to it: Identify where sensitive data flows and who touches it. That’s where risk lives.
  2. Know your asset and system landscape: Maintain a current inventory of vendors, data, and systems.
  3. Take a risk-based approach to access management: Triage efforts based on exposure and business impact. Focus on high-risk vendors first.
  4. Adopt a Zero-Trust mindset: Trust but verify is outdated — assume Zero Trust. Monitor every action, ensure accountability, and make sure you can act quickly if needed.

For further insight, check out the on-demand video of the discussion on LinkedIn. Learn more about how vendor privileged access management solutions can safeguard your most sensitive data.