
Supply Chain Risk Management

NIST 800-53 Rev. 5 Compliance Checklist

NOVEMBER 2019
NIST COMPLIANCE CHECKLIST

Effective Supply Chain Risk Management

Draft National Institute of Standards and Technology (NIST) Special Publication 800-53
Rev. 5, Security and Privacy Controls for Information Systems and Organizations

NIST 800-53 details security and privacy controls for federal information systems and
organizations. Industries and organizations across the private sector widely accept
and rely on NIST publications. Although NIST 800-53 Rev. 5 is still in the draft stage,
organizations should future-proof their supplier risk processes by examining the
publication’s relevant controls.

DISCLAIMER

No part of this document may be reproduced in any form
without the written permission of the copyright owner.

The contents of this document are subject to revision without notice due to continued
progress in methodology, design, and manufacturing. OneTrust LLC shall have no
liability for any error or damage of any kind resulting from the use of this document.

OneTrust products, content and materials are for informational purposes only and not
for the purpose of providing legal advice. You should contact your attorney to obtain
advice with respect to any particular issue. OneTrust materials do not guarantee
compliance with applicable laws and regulations.

Copyright © 2019 OneTrust LLC. All rights reserved. Proprietary & Confidential.


SUPPLY CHAIN RISK MANAGEMENT PLAN YES NO

1. Have you developed a plan for managing supply chain risks associated
with the development, acquisition, maintenance, and disposal of systems,
system components, and system services?

2. Have you implemented the supply chain risk management
plan consistently across the organization?

3. Do you review and update the supply chain risk management
plan according to an established timeline or as required,
to address organizational changes?

SUPPLY CHAIN RISK MANAGEMENT YES NO

1. Do you use specific supply chain safeguards to protect against
supply chain risks to your systems, system components, or system
services, to identify risks, and to limit the harm or consequences
from supply chain-related events?

2. Do you review the supply chain-related risks associated with suppliers
or contractors and the system, system component, or system service
they provide on an established timeline?

3. Do you use defined safeguards to limit harm from potential
adversaries identifying and targeting the organizational supply chain?

4. Do you evaluate the system, system component, or system
service prior to selection, acceptance, modification, or update?

5. Do you use intelligence from every available
source to assist in the analysis of supply chain risk?

6. Do you employ specifically-defined Operations Security (OPSEC)
safeguards to protect supply chain-related information for the system,
system component, or system service?

7. Do you employ specifically-defined security safeguards
to validate that the system or system component received
is genuine and has not been altered?

8. Do you employ organizational analysis, independent third-party analysis,
organizational penetration testing, or independent third-party penetration
testing of specifically-defined supply chain elements, processes, and
actors associated with the system, system component, or system service?

9. Have you established agreements and procedures with entities involved in
the supply chain for the system, system component, or system service for
the notification of supply chain compromises, results of assessments or
audits, or other specific information?

10. Have you established and do you maintain unique identification of
specifically-defined supply chain elements, processes, and personnel
associated with the specifically-defined system or critical system
components?

11. Have you established a process or processes to address weaknesses
or deficiencies in supply chain elements in coordination with specific
supply chain personnel?

12. Do you document, monitor, and maintain valid provenance
of specific systems, system components, and associated data?

13. Do you document the selected and implemented supply chain safeguards
in security and privacy plans or supply chain risk management?

EXTERNAL PERSONNEL SECURITY YES NO

1. Have you established personnel security requirements including
security roles and responsibilities for external providers?

2. Do you require external providers to comply with your
established personnel security policies and procedures?

3. Do you document personnel security requirements?

4. Do you require external providers to notify specific personnel
or roles of any personnel transfers or terminations of external
personnel who possess organizational credentials and/or badges,
or who have system privileges within a certain time-period?

5. Do you monitor external providers’ compliance
with the established security policies and procedures?


EXTERNAL SYSTEM SERVICES YES NO

1. Do you require that providers of external system services
comply with organizational security and privacy requirements
and employ your security and privacy controls?

2. Do you define and document organizational oversight and user
roles and responsibilities with respect to external system services?

3. Do you employ specific processes, methods, and techniques
to monitor security and privacy control compliance by external
service providers on an ongoing basis?

4. Do you conduct an organizational assessment of risk prior to
the acquisition or outsourcing of information security services?

5. Do you verify that the acquisition or outsourcing of dedicated
information security services is approved by specific personnel or roles?

6. Do you require providers of specific external system services
to identify the functions, ports, protocols, and other services
required for the use of such services?

7. Do you establish, document, and maintain trust relationships with external
service providers based on specific security and privacy requirements,
properties, factors, or conditions defining acceptable trust relationships?

8. Do you take specific actions to verify that the interests of certain external
service providers are consistent with and reflect organizational interests?

9. Do you restrict the location of information processing, information or data,
or system services to certain locations based on specific requirements
or conditions?


RISK ASSESSMENT YES NO

1. Do you conduct a risk assessment, which covers
the likelihood and magnitude of harm, from:

• The unauthorized access, use, disclosure, disruption, modification,
or destruction of the system, the information it processes, stores,
or transmits, and any related information; and

• Privacy-related problems for individuals arising from the
intentional processing of personally identifiable information?

2. Do you integrate risk assessment results and risk management
decisions from the organization and missions/business process
perspectives with system-level risk assessments?

3. Do you document risk assessment results in security and privacy plans,
risk assessment reports, or another organization-specific document?

4. Do your risk assessments address risk from external parties including,
for example, individuals accessing organizational systems, contractors
operating systems on behalf of the organization, service providers, and
outsourcing entities?

5. Do you evaluate supply chain risks associated with
specific systems, system components, and system services?

6. Do you update the supply chain risk assessment on a set frequency,
when there are significant changes to the relevant supply chain,
or when changes to the system, environments of operation, or other
conditions may necessitate a change in the supply chain?

INCIDENT HANDLING AND REPORTING YES NO

1. Do you coordinate incident handling activities involving supply
chain events with other organizations involved in the supply chain?

2. Do you provide security and privacy incident information to the provider
of the product or service and other organizations involved in the supply
chain for systems or system components related to the incident?


INCIDENT RESPONSE ASSISTANCE YES NO

1. Have you established a direct, cooperative relationship
between your incident response capability and external
providers of system protection capability?

2. Have you identified organizational incident response
team members to the external providers?

INCIDENT RESPONSE PLAN YES NO

1. Does your incident response plan address the coordination
and sharing of information with external organizations,
such as external service providers involved in the supply chain?

PRIVACY AUTHORIZATION: INFORMATION SHARING WITH EXTERNAL PARTIES YES NO

1. Do you develop, document, and disseminate guidelines to specific
personnel or roles for the sharing of personally identifiable information
externally, only for the authorized purposes identified in an applicable
privacy law and/or described in its notices, or for a purpose that is
compatible with those purposes?

2. Do you evaluate proposed new instances of sharing personally
identifiable information with external parties to assess whether:

• The sharing is authorized; and

• Additional or new public notice is required?

3. Do you enter into information sharing agreements
with external parties that specifically:

• Describe the personally identifiable information covered;

• Enumerate the purpose(s) for which the personally
identifiable information may be used; and

• Include security requirements consistent
with the information being shared; and

4. Do you monitor and audit the authorized sharing of
personally identifiable information with external parties?


RISK MANAGEMENT STRATEGY YES NO

1. Have you developed a comprehensive strategy to manage,
among other things, supply chain risks associated with
the development, acquisition, maintenance, and disposal
of systems, system components, and system services?

2. Have you implemented the risk management
strategy consistently across the organization?

3. Do you review and update the risk management strategy according
to a set timeline or as required, to address organizational changes?

CONTINGENCY PLAN YES NO

1. Do you coordinate your contingency plan with external
service providers’ contingency plans to ensure that
contingency requirements can be satisfied?

TELECOMMUNICATIONS SERVICES YES NO

1. Do you obtain alternate telecommunications services from
providers that are separated from primary service providers
to reduce susceptibility to the same threats?

2. Do you require primary and alternate telecommunications
service providers to have contingency plans?

3. Do you review telecommunications service provider contingency plans
to ensure that the plans meet organizational contingency requirements?

4. Do you obtain evidence of contingency testing and
training by providers according to a set time period?

SERVICE IDENTIFICATION AND AUTHENTICATION YES NO

1. Do you ensure that service providers receive, validate, and transmit
identification and authentication information (before establishing
communications with devices, users, or other services or applications)?

2. As part of a comprehensive incident response capability, do you consider
the coordination and sharing of information with external service providers
and organizations involved in the supply chain for organizational systems?

Take Your Next Steps with OneTrust Vendorpedia

If you find yourself selecting “NO” more than a few times for the questions above,
you’re not alone.

OneTrust Vendorpedia is here to help. Around the world, organizations like yours use OneTrust Vendorpedia to help with the
implementation of controls for NIST 800-53. Our team of experts have analyzed the NIST controls and designed a purpose-built
platform to overcome common supply chain and third-party risk challenges.

Want to learn more about how OneTrust Vendorpedia can help your organization with NIST 800-53? Schedule a demo today!

Processor Risk Management
GDPR-Ready Compliance Checklist

NOVEMBER 2019
GDPR-READY CHECKLIST

Effective Processor Risk Management

The EU’s General Data Protection Regulation (GDPR) specifies requirements that
you must follow when using processors (i.e. third parties, suppliers, etc.), as well as
outlines record keeping stipulations related to third-party recipients of personal data.
Maintaining records to demonstrate accountability and compliance with the GDPR’s
requirements is critical to success.

This checklist outlines the GDPR’s key provisions that relate to your organization’s
processors, or your organization’s other third-party related risks. Answer below to find
out if your program is ready for GDPR compliance.


Information and access to personal data YES NO

1. Does your organization document the recipients or categories of
recipients of personal data, if any, so that it can provide data subjects
with that information at the time of directly collecting their personal data?

Note: ‘Recipient’ means a person, public authority, agency or another body,
whether a third party or not, to which your organization discloses personal data.

2. Where your organization does not directly collect
data from the data subject, does it document:

• The recipients or categories of recipients of personal data,
if any, so that your organization can provide data subjects
with that information;

• The recipients in a third country or an international organization
to whom it intends to transfer personal data, along with the lawful
mechanism it will use to do so;

• The latest point in time when the personal data
are first disclosed to another recipient, if any?

Data Subject Access Rights YES NO

1. Does your organization maintain records on the recipients or categories
of recipients to whom it has or will disclose personal data, in particular
recipients in third countries or international organizations?

2. Does your organization have the capability and procedures in place to
communicate any data subject request to rectify or erase personal data,
or to restrict processing of that data, to each recipient to whom you have
disclosed that data subject’s personal data?

3. If the notification obligation regarding rectification, erasure, or restriction
of processing is impossible or involves disproportionate effort, does your
organization:

• Document the justification for why the notification
obligation is impossible or disproportionate;

• Have the ability to provide the data
subject with the recipients’ identities?


Processors
Note: ‘processor’ means a natural or legal person, public authority, agency
or other body which processes personal data on your organization’s behalf.

General YES NO

1. Is the processor established in the EU?

2. If the processor is not established in the EU, has
it designated, in writing, a representative in the EU?

3. Depending on the type of processing, has the processor
designated a data protection officer (DPO)?

4. If the processor has appointed a DPO, does your
organization ensure that the processor:

• Involves the DPO in all issues related to personal data;

• Supports the DPO in performing its tasks by providing resources
necessary to carry out those tasks and access to personal data and
processing operations, and to maintain the DPO’s expert knowledge;

• Does not instruct the DPO on how to perform
its tasks required by the GDPR;

• Does not dismiss or penalize the DPO for performing its tasks?

5. Do you have contracts or procedures in place to ensure that the
processor, and any person acting under the processor’s authority,
does not process personal data except pursuant to your organization’s
instructions, unless required to do so by EU or Member State law?

6. Does the processor adhere to an approved code of conduct, or
approved data protection certification mechanisms, seals or marks,
to demonstrate the existence of appropriate safeguards?

7. Does the processor understand its obligation to
cooperate with the supervisory authority upon request?

8. Before engaging in a processing activity with a processor that will likely
result in a high risk to data subjects’ rights and freedom, does your
organization carry out a data protection impact assessment?


Contractual Matters YES NO

1. Does your organization obtain sufficient guarantees from the processor
that it has implemented, or will implement, appropriate technical and
organizational measures in such a manner that the processing will satisfy
the GDPR’s requirements and protect the data subject’s rights?

2. Did your organization enter into a binding contract with the processor
(or other legal act under EU or Member State law) that establishes the
subject-matter and duration of the processing, the nature and purpose
of the processing, the type of personal data and categories of data
subjects, and your organization’s rights and obligations?

3. Does the contract stipulate that the processor must:

• Process personal data only according to your organization’s
documented instructions, including with respect to transfers of
personal data to a third country or international organization,
unless required to do so by EU or Member State law;

• Notify you in the event that it must process data
pursuant to EU or Member State law;

• Ensure that persons authorized to process personal
data are subject to confidentiality agreements;

• Cooperate with the supervisory authority;

• Notify your organization about the use of subprocessors
and extend the same contractual data protection
obligations to such subprocessors;

• Assist your organization with appropriate technical
and organizational measures to fulfill your obligation
to respond to data subjects’ rights requests;

• Help your organization achieve compliance
with the GDPR’s data security requirements;

• Delete or return all personal data to your organization upon
completion of the processing services according to your demand;

• Make available to you all information necessary
to demonstrate compliance with the GDPR and
allow for and contribute to audits, conducted by your
organization or an auditor your organization appoints?

4. Is the contract in writing, including in electronic form?


Subprocessors YES NO

1. Does your organization contractually prohibit the processor from
engaging another processor without obtaining your prior specific or
general written authorization?

2. In the case of a general written authorization, does your organization
contractually require the processor to inform you of any intended
changes concerning subprocessors, so that you have the opportunity to
object?

3. Does your organization contractually require the processor to impose
the same data protection obligations (as set forth in your contract with
the processor) to its own processors (i.e. subprocessors)?

Records YES NO

1. Does the processor maintain a record of all categories of
processing activities carried out on your organization’s behalf?

2. Does the processor understand its obligation to, and have the ability
to, provide such records to a supervisory authority upon request?

3. Are both your organization’s and your processor’s
records in writing, including in electronic form?

Security YES NO

1. Does the processor implement appropriate technical and organisational
measures to ensure a level of security appropriate to the risk?

2. Has the processor taken steps to ensure that any person acting under
its authority who has access to personal data does not process that data
except according to your organization’s instructions, or as required by EU
or Member State law?

3. Does the processor understand its obligation to, and have the ability to,
notify you, without undue delay, after becoming aware of a data breach?

International and Cross-border Transfers YES NO

1. If the processor transfers personal data to countries outside of the
EU or to international organizations, does it do so pursuant to a
lawful mechanism, including, but not limited to, an adequacy decision,
standard data protection clauses, binding corporate rules, an approved
certification mechanism or code of conduct, or a specified derogation?

Take Your Next Steps with OneTrust Vendorpedia

If you find yourself selecting “NO” more than a few times for the questions above, you’re not alone.

OneTrust Vendorpedia is here to help. Around the world, organizations like yours use OneTrust Vendorpedia to help
demonstrate compliance with the GDPR. Our team of experts have analyzed the requirements of the GDPR and designed a
purpose-built platform to address compliance and overcome processor-related challenges.

Want to learn more about how OneTrust Vendorpedia can help your organization demonstrate compliance with the GDPR?
Schedule a demo today!

Supplier Risk Management
ISO-Ready for ISO 27001, 27002, and 27701
Compliance Checklist
NOVEMBER 2019
ISO-READY CHECKLIST

Effective Supplier Risk Management


ISO 27001, 27002, and 27701 set forth internationally accepted and trusted controls
for, among other things, managing suppliers, processors, and other service providers.
Proper adherence to these controls can help your organization succeed across
geographies and industries.

The following checklist outlines ISO 27000’s key provisions related to supplier,
processor, and service provider risk management. Answer below to find out if your
third-party risk program is well equipped to meet the controls as documented in
ISO 27001, 27002, and 27701.

Note: Some of the questions within the checklist may not apply to your organization.
Please skip these questions as necessary.


SUPPLIERS

General YES NO

1. Do you have policies and mechanisms to
monitor suppliers’ physical or logical access?

Information Security YES NO

1. Do you identify, define, and document the information security
controls necessary for mitigating the risks associated with supplier
access to your information assets and require the supplier to
implement appropriate controls?

2. Do your agreements with suppliers establish the relevant information
security requirements for each supplier that may access, process,
store, communicate, or provide IT infrastructure components for,
your information?

• Note that such requirements should include, among others, applicable
legal and regulatory obligations, including data protection; information
security policies; and incident management requirements and procedures.

3. Do your contracts with suppliers address information security
requirements relevant to information and communications
technology services?

• Note these requirements include, among others, mandating subcontractors
in the supply chain to meet the information security requirements.

4. Do your agreements indicate whether a supplier will process personal data
and the minimum technical and organizational measures the supplier must
implement so that you satisfy your information security and data protection
obligations?

5. Do your agreements with a supplier that processes personal data
on your behalf stipulate that the supplier will only process such
data according to your instructions?


Supplier Service Delivery Management YES NO

1. Do you have policies and procedures to regularly monitor, review, and
audit supplier service delivery in order to ensure that the supplier is
meeting the agreement’s information security terms and conditions?

2. Do you have procedures to manage changes made in supplier services?

• Note that such changes may include, among others, the adherence to
information security processes and controls, as well as suppliers’ use
of new technologies or subcontractors.

OUTSOURCED SERVICES OR DEVELOPMENT

Network Security YES NO

1. Do your contracts with outsourced network services include security
mechanisms, service levels, and management requirements?

Development Security YES NO

1. Where you outsource development, does the external party ensure
that it complies with the rules for secure development of software
and systems (e.g., secure programming and coding practices)?

2. Do your contracts require outsourced information systems
suppliers to establish and implement security engineering
principles that meet your own?

3. Do you require outsourced information systems to adhere
to data protection by design and by default principles?

4. Do you supervise and monitor any outsourced system development
activities, such as to ensure compliance with applicable laws and to
obtain evidence of appropriate levels of security and privacy quality?


EXTERNAL PARTIES YES NO

1. Do you publish and communicate your
information security policies to external parties?

2. Do your contracts with external parties:

• Require such parties to return your
assets upon terminating the agreement;

• Ensure the secure transfer of business information;

• Include a confidentiality or non-disclosure
agreement to protect your information?

3. Do you have procedures in place to remove external parties’
access rights to information and information systems?

THIRD PARTIES AND PROCESSORS YES NO

1. Do you have appropriate security and privacy controls in
place when transmitting personal data to third parties?

2. Do you maintain records of personal data transfers to third parties and
ensure that they cooperate in fulfilling data protection obligations?

3. Do you maintain records of personal data disclosures to third parties,
including the type of personal data, the identity of the third party,
and the time of the disclosure?

4. Do you have procedures and mechanisms for informing third parties with
whom you have shared personal data of any modification, withdrawal, or
objections relating to the personal data?

5. Do you have policies and mechanisms to record
whether the third parties received the information?

6. Do you have written contracts with processors that require the processors
to implement the applicable controls related to the protection of personal
data in Annex B of ISO 27701?

• Note that Annex B defines controls related to lawful processing; obligations
to data subjects; data protection by design and by default; and the lawful
and documented sharing, transfer, and disclosure of personal data to other
jurisdictions or third parties (e.g., subprocessors).

Take Your Next Steps with OneTrust Vendorpedia

Did you find yourself selecting “NO” more than a few times for the questions above?
You’re not alone.

OneTrust Vendorpedia is here to help. Around the world, organizations like yours use OneTrust Vendorpedia to
help meet ISO 27001, 27002, and 27701 requirements. Our team of experts have analyzed the ISO obligations
and designed a purpose-built platform to address compliance and overcome common third-party risk challenges.

To learn more about how OneTrust Vendorpedia can help your organization, schedule a demo today!

Service Provider and Third-Party Risk
CCPA-Ready Compliance Checklist

NOVEMBER 2019
CCPA-READY CHECKLIST

Effective Third-Party and Service Provider Risk Management

Under the California Consumer Privacy Act (CCPA), many requirements clearly indicate
the need for an effective third-party risk management (TPRM) program. With respect
to third-party risk, the law recognizes, and places obligations on, service providers—
entities that process consumers’ personal information (PI) on the business’s behalf—
and third parties—entities with whom the business shares or to whom it sells PI, but who do not directly
collect PI from consumers. In particular, the law emphasizes several key matters, such
as contractual requirements and a consumer’s right to opt-out of the sale of personal
information. Maintaining records is critical to your organization’s CCPA success.

This checklist outlines the CCPA’s key provisions that relate to third-party risk. Answer
the questions on the following pages to find out if your TPRM program is ready for
CCPA compliance.


Service Providers YES NO


1. Do you maintain records of each service provider
and the categories of PI disclosed to them?

Note: This checklist assumes that you disclose PI


to a service provider to process PI on your behalf.

Contracts (YES / NO)

1. Do you conduct due diligence on potential service providers prior to entering
   into a contract?

2. Do you re-evaluate service providers on at least an annual basis?

3. Do you and your service provider have a written contract that prohibits the
   service provider from retaining, using, or disclosing the PI for any purpose
   other than for the specific purpose of performing the services specified in
   the contract, or as otherwise permitted by the CCPA?

4. Does the contract require the service provider to help cure a violation of
   the CCPA?

5. Does the contract require the service provider to notify you, without
   unreasonable delay, upon experiencing a data breach?

6. Does the contract require the service provider to protect the PI disclosed
   to it by implementing and maintaining reasonable security procedures
   and practices appropriate to the nature of the information?

Consumer Rights (YES / NO)

1. Does the contract require the service provider to delete a consumer’s PI
   when you direct it to do so?

2. Does the contract obligate the service provider to assist you in complying
   with a consumer’s request to know / to disclose the PI collected, shared,
   or sold?

3. Do you have processes in place that enable you to notify a service provider
   when consumers exercise a right?


Third Parties (YES / NO)

General

1. Do you document each third party, and categories of third parties, to whom
   you disclose and/or sell consumer PI?
   Note: The CCPA broadly defines “sale” to include the exchange of PI for
   monetary or other valuable consideration.

2. Do you document the categories of PI you disclose and/or sell to each
   third party?

3. Do you document the business or commercial purpose of the data exchange
   with each third party?

4. Do you maintain records of third-party data exchanges in the preceding
   12 months, including the category(ies) of PI?

Consumer Rights (YES / NO)

1. Right to Disclosure / to Know

• Do you have accurate records of third-party data exchanges so that you can
  disclose to consumers the categories of PI sold and the categories of third
  parties to whom you have sold that PI?

2. Right to Opt-out / Do Not Sell My PI

• Do you provide a third party with (i) confirmation that you gave a consumer
  proper notice and the right to opt out, and (ii) a signed attestation
  describing the notice, along with an example of the notice?

• If so, do you have processes in place that guarantee the accuracy of the
  attestation?

• Are you able to cease selling a consumer’s PI no later than 15 days after
  receipt of the consumer’s request to opt out of the sale of PI?

• Upon receipt of a consumer’s request to opt out of the sale of PI, do you
  have processes in place to notify a third party of the consumer’s request
  and to instruct the third party not to further sell that consumer’s PI?

• Do you maintain records of third parties to whom you have sold a consumer’s
  PI within the 90 days prior to the consumer’s opt-out request?

Take Your Next Steps with

Did you find yourself selecting “NO” more than a few times for the questions above?
You’re not alone.

OneTrust Vendorpedia is here to help. Around the world, organizations like yours use OneTrust Vendorpedia to help
demonstrate compliance with the CCPA. Our team of experts have analyzed the requirements of the CCPA and designed
a purpose-built platform to address compliance and overcome common service provider and third-party risk challenges.

To learn more about how OneTrust Vendorpedia can help your organization, schedule a demo today!
DATASHEET

About OneTrust Vendorpedia

Intelligence and Automation to Scale Supply Chain Risk Management

ASSESSMENTS & DUE DILIGENCE
Clarity at Every Stage of the Vendor Engagement Lifecycle,
from Onboarding to Offboarding
• Onboarding Automation, Faster Assessments, Dozens of Templates
• Flexible Reports, Visual Dashboards, 360° Third-Party Visibility
• Mitigation Workflows, Centralized Vendor Risks, Out-of-the-Box Controls

RISK EXCHANGE
Thousands of Detailed Vendor Profiles and
Pre-Completed Risk Assessments, Updated Daily
• Risk & Performance Monitoring, Alerts and Evergreen Vendor Data
• Supplier Profiles, Product-Level Granularity, In-Depth Risk Research
• Pre-Completed Assessments (SIG Lite, CSA CAIQ, etc.), Compliance Certs

VENDOR CHASING SERVICES
On-Demand Agents Act as Your Personal
Questionnaire Collections Agency, at No Extra Cost
• Assessments as a Service, Questionnaire Completion
• Industry-Standard Templates, Faster Vendor Responses
• Multilingual Team, Available 24/7, Expert Assessment Support

POWERED BY ONETRUST DATAGUIDANCE
In-Depth Third-Party Risk & Regulatory Intelligence from 40 In-House Researchers and a Network of 500 Global Lawyers
OneTrust DataGuidance™ intelligence powers Vendorpedia, embedding valuable research directly into the platform to help your
organization implement third-party frameworks, standards, and controls to comply with the laws that matter most. DataGuidance
intelligence is aggregated from authoritative sources, updated on a daily basis, and continually reviewed to alert your team when critical
regulatory changes arise.



Mitigate Risks and Monitor Supply Chain Performance

ASSESSMENTS & DUE DILIGENCE

Identify & Mitigate Risks: Automate vendor assessments, conduct financial due
diligence, monitor SLAs & performance, test controls, and streamline issues &
exception management

Add Business Context to Supplier Risks: Link your vendors to the IT systems and
business processes they support to add context to risk, visualize lineage diagrams,
and keep your data map up to date

Manage Key Contract Terms: Scan and report on key contract terms, and manage
certificates, evidence, and vendor documentation in a single repository, as well as
integrate with contract management tools

RISK EXCHANGE

Access Pre-Populated Research: Access research on thousands of vendors with
service- and product-level granularity, including security certifications and
pre-completed risk assessments, updated daily

Monitor Supplier Risks and Performance: Get alerts on critical vendor security and
privacy changes, including 4th-party changes, incidents & breaches, all while using
automation to trigger reassessments

Get Alerted When Supplier Breaches Occur: Receive notifications about vendor
breaches and regulatory enforcements, monitored by our in-house security and privacy
team and backed by OneTrust DataGuidance research

VENDOR CHASING SERVICES

Offload Assessment-Related Work: Leverage free risk assessment services performed
by the OneTrust team to chase vendors on your behalf, offloading work and enabling
faster questionnaire completion

Save Money & Reallocate Resources: Eliminate repetitive tasks, giving your team the
bandwidth to work on high-value projects, all of which is included with your license and
is available at no extra cost

Automate Custom Questionnaire Completion: Empower vendors to autocomplete
any questionnaire, even custom ones, to speed up assessment response time for
vendors, free and available for any supplier to use

START A FREE TRIAL OR REQUEST A DEMO AT VENDORPEDIA.COM

ATLANTA | LONDON | BANGALORE | SAN FRANCISCO | MELBOURNE | NEW YORK | MUNICH | HONG KONG

OneTrust Vendorpedia is the largest and most widely used technology platform
to operationalize third-party risk, security, and privacy management. More than
4,000 customers of all sizes use OneTrust, which is powered by 50 awarded
patents to offer the most depth and breadth of any third-party risk, security,
and privacy solution in the market. To learn more, visit vendorpedia.com.
