Percona Restructures Their Third-Party Risk Management Program with OneTrust Vendorpedia™
Percona is a leader in providing best-of-breed enterprise-grade support, consulting, managed services, training, and software for MySQL®, MariaDB®, MongoDB®, PostgreSQL and other open source databases in on-premises and cloud environments. An unbiased, trusted partner, Percona provides single-source expertise in multivendor environments that eliminates lock-in, increases agility and enables business growth. Percona’s globally available support and consulting experts work with over 3,000 clients in more than 50 countries worldwide, including many of the world’s largest enterprises.
In 2018, third-party security and privacy risk management became a key corporate initiative for Percona and it still is today given the shifting regulatory environment. As we continue to pursue enterprise customers, we recognize the need for a flexible and automated platform to help us manage compliance operations and support security audits. That’s where OneTrust comes in.
In supporting a global customer base across sectors and regulatory frameworks, Percona handles production data on behalf of its customers, including personal data and sensitive information such as medical and financial records. Because of this, Percona must implement proper third-party, security and privacy controls internally, and must hold its third parties and their affiliate networks to the same standards.
Revamping Operations to Support Global Third-Party Compliance
When the EU General Data Protection Regulation (GDPR) was being finalized, Percona recognized gaps across its third-party security and privacy program, specifically around Article 32 (security of processing) and the subprocessor requirements (Article 28). “One of the driving forces behind the revamping of our third-party risk management program was GDPR subprocessor requirements,” said Futas. “We needed to implement changes with our vendor management that would comply with the GDPR and align with ISO standards.”
Addressing these gaps was a daunting task, so Percona engaged a consulting firm to support the restructuring of its existing program. The consulting firm helped produce policies and procedures that closed the gap, but Percona still wanted automated processes to reduce the manual burden of risk management. Policies and procedures are a good start, but Percona determined that automating parts of its security and privacy program would best align with customer expectations.
To execute its vision of a revamped third-party risk management process, Percona tapped OneTrust to streamline and automate GDPR requirements, including creating a record of processing activities and data mapping for Article 30 (records of processing) and Article 32 (security of processing). Shortly after partnering with OneTrust for PIA/DPIA Automation, Data Mapping Automation and Data Subject Rights Management, Percona adopted additional OneTrust modules, including Incident and Breach Management and Vendorpedia™ third-party risk management software.
The Percona compliance team initially faced difficulties researching third parties, completing SIG (Standardized Information Gathering) and SIG Lite assessments on time, and determining when new risks emerged. The third-party risk management process was monotonous and Percona had limited resources, especially as its use of cloud service providers increased. This changed significantly when Percona implemented OneTrust Vendorpedia.
Our initial vendor questionnaire process was via Excel and was not an efficient use of my team’s efforts. Since implementing Vendorpedia, we have a single repository for our vendor data and can automate the entire third-party risk management process, from flagging and mitigating risks and accessing pre-populated research, to attaching contracts and supporting documents to our vendors and automating questionnaire completion.
Today, Percona has developed a robust third-party risk management program that can not only help the company demonstrate compliance, but also analyze, measure and report on vendor risks at scale. Combined, this helps the business power its mission to provide best-of-breed, enterprise-grade support, consulting, managed services, training, and software.
Building on Third-Party Risk Management Beyond the GDPR
Percona’s next hurdle is pursuing ISO 27001 certification while also implementing the new controls needed to comply with additional regulations such as the CCPA and HIPAA.
As the company continues to account for new regulations, it has started integrating its existing technology platforms with OneTrust to further expand its compliance coverage. To date, Percona has integrated its marketing, CRM and customer portal systems with OneTrust.
I can safely say that OneTrust has been a game changer for our business. We look forward to a continued partnership and seeing how the OneTrust Vendorpedia product evolves to meet even more needs in the third-party risk management and compliance space.
Today, outsourcing operations to third parties is no longer the exception; it is the expectation. However, trust between you and your third parties is difficult to establish, and perhaps even harder to maintain. With ransomware on the rise and supply chain resilience at the forefront, businesses must work closely with their third parties to understand whether they have adequate safeguards and policies in place to defend against disruptions.
Conversely, nearly every modern organization is a “third party” to another business, whether as a software vendor or service provider. As a result, businesses must routinely demonstrate to customers that they are a trusted organization. Failure to do so can hurt a company’s bottom line.
There are challenges in every business relationship, for both the buyer and the seller. So, how can we work together to establish mutual trust? In this panel webinar, you’ll hear from professionals on both sides of the equation as they discuss long-term strategies and short-term tactics for working better together. Panelists will answer the following questions:
- How can businesses and vendors work together to streamline risk assessments?
- What can buyers do to make life easier for sellers and vice versa?
- Where are opportunities for automation that can save time for both sides?
- How can we enable each other to build a stronger business relationship and reduce risk?
Over the past several months, OneTrust has released major enhancements to our Trust Suite for Vendors. This Suite is a collection of products and functionalities that help companies like yours manage and automatically respond to security and privacy questionnaires as well as other requests for compliance information.
As part of these significant enhancements, we wanted to bring together a select group of individuals to talk through the latest updates, explain the value they provide, and outline how this new functionality will work in practice. During the discussion, we will also share a number of exciting capabilities slated to be released this quarter – and in 2022.
Join this exclusive VIP roadmap event to see the immediate and long-term vision for:
- Questionnaire Response Automation – for organizing questionnaire requests and streamlining response workflows
- AI Autocomplete – for automatically answering questionnaires with saved answers
- Trust Profile – for centralizing security documentation and securely sharing it with your customer base
- Vendorpedia Exchange Community – for promoting your security program to thousands of OneTrust customers
As third parties gain more access to sensitive client data, organizations need to prioritize holistic information gathering and instill consistent security practices across the vendor ecosystem. The best way for an organization to achieve a holistic understanding of its vendor ecosystem is to gather information from its vendors and organize it in one central location. As a vendor, this means you will receive (and likely already have received) dozens of security questionnaires. So, how should you approach them?
Questionnaires streamline the process of data gathering and allow customers to make sure that the various parts of their vendor ecosystem comply with industry-relevant regulatory frameworks. Dive into our eBook to learn how to streamline your answering process to save time and money. In the guide, you will learn:
- What a security questionnaire answering process looks like
- How to automate responses
- Best practices for answering a security questionnaire
- Why organizations send security questionnaires to vendors
- Understanding how you will be evaluated
- Common security questionnaire obstacles
How vulnerable are your third parties when it comes to the most common and emerging cybersecurity threats? Do you know whether those third parties have the right cybersecurity controls in place? Do you know how to identify which third parties put your organization at risk, and how to mitigate those risks before they impact your bottom line?
InfoSec teams are facing larger and more sophisticated cybersecurity threats than ever before. In the last year, ransomware attacks rose 62% globally (158% in North America alone), and regulatory bodies have paid increasing attention to such attacks. Teams not only have to track vulnerabilities within their internal security posture, but also ensure that prospective third parties are vetted before engaging in business. In addition, these threats are driving new regulatory requirements as well as significant changes to common industry standards and frameworks.
In this webinar panel, you’ll learn the following from our Head of the CISO Center of Excellence (CoE), Justin Henkel, and our Director of InfoSec, Chris Burgess:
- The most common and emerging cybersecurity threats against your third parties
- The metrics to track in relation to third parties and their cybersecurity risks
- How to protect your business from cybersecurity threats associated with your vendors
- How to future-proof your TPRM program to defend against future cybersecurity threats