Trusted Across Industries. Adaptable to Global Requirements. Flexible to Your Needs.
Support and Built-In Intelligence for 300+ Global Standards, Frameworks, and Laws
Third-Party Relationship Management for Banking, Finance and Insurance
Due Diligence & Monitoring for Banks and Financial Institutions
Financial institutions use OneTrust Vendorpedia to manage third-party relationships. Vendorpedia offers tailored finance functionality with solutions to perform third-party service provider analysis, implement risk-mitigation controls, assess business continuity plans, automate risk-based decision-making, streamline recordkeeping, and manage contracts with ease.
InfoSec & Third-Party Oversight for Insurance Providers
With OneTrust Vendorpedia, insurance providers have the technology needed to identify third-party service provider risks, as well as determine appropriate security measures, prevent cybersecurity incidents, manage information access, and maintain the confidentiality and privileged status of documentation when working with third-party service providers.
Supported Finance, Banking, and Insurance Third-Party Risk Standards, Frameworks, and Laws
- NY DFS 23 NYCRR 500
- ISO 20038:2017
- OCC Bulletin 2013-29
- Federal Reserve Supervisory Letter SR 13-19
- OCC Bulletin 2017-21
- FDIC Outsourcing & Third-Party Providers Guidance
- FCA FG 16/5
- NAIC Insurance Data Security Model Law
- EBA Guidelines
- SOC 1, SOC 2, SOC 3
- Directive 2014/65
- Sarbanes-Oxley Act (SOX), PCAOB
- Directive 2015/2366/EU
- Directive on Security of Network and Information Systems (NIS Directive)
- FFIEC BCP Booklet: Appendix J
- Gramm-Leach-Bliley Act (GLBA)
- FFIEC Information Security Booklet
- General Data Protection Regulation (GDPR)
- CFPB Compliance Bulletin and Policy Guidance; 2016-02
- California Consumer Protection Act (CCPA)
Protected Health Information Protection for Healthcare & Pharmaceuticals
Identifying and Implementing Appropriate PHI Safeguards
Using OneTrust Vendorpedia, healthcare providers can automate risk analysis, as well as put safeguards in place to prevent, detect, contain, and correct security violations relating to vendors, consultants, and other entities that may handle electronic protected health information (e-PHI).
Automate and Evaluate HIPAA Risk Assessment
Entities that create, receive, maintain, or transmit protected health information (PHI) must conduct HIPAA risk assessments on the vendors they use that interact with Personally Identifiable Information (PII). OneTrust Vendorpedia offers automation to perform these assessments and maintain records for compliance.
Supported Healthcare Standards, Frameworks, and Laws for Third-Party Risk
- NHS Procurement & Commercial Standards
- General Data Protection Regulation (GDPR)
- NIST HIPAA Security Rule Toolkit
- California Consumer Protection Act (CCPA)
- Directive on Security of Network and Information Systems (NIS Directive)
Third-Party Service Provider Security Assurance for Retail & Hospitality
Secure Supplier Relationships for Retail & Hospitality
Evaluating and treating risks when acquiring goods and services from suppliers is a critical aspect of any infosec program in the retail and hospitality industry. Using OneTrust Vendorpedia, risk management teams can implement information security controls to manage the entire relationship lifecycle, streamlining supplier selection, evaluation, contracting, monitoring, and offboarding.
Automate Monitoring for Third-Party Service Providers
Documenting a third-party service provider monitoring program is vital to PCI DSS compliance. OneTrust Vendorpedia offers numerous monitoring tools to track third-party service provider compliance, changes to the scope or nature of the supplier relationship, and ongoing oversight relating to risk, contracts, and responsibilities throughout the engagement.
Supported Retail & Hospitality Standards, Frameworks, and Laws
- PCI DSS
- California Proposition 65
- ISO 9000 Standards
- General Data Protection Regulation (GDPR)
- ISO 22000
- California Consumer Protection Act (CCPA)
Vendor Risk Management & Information Security for Technology Providers
Assess Cloud Vendor Security and Automate Risk Mitigation
Frameworks like the CSA CAIQ help organizations assess cloud vendor risks and identify existing controls, or the lack thereof. OneTrust Vendorpedia partners with CSA to provide templates for the CSA CAIQ and many other CSA questionnaires.
Protect Your Organization's Critical Information Systems
With OneTrust Vendorpedia, organizations can analyze supplier risks to determine if required security safeguards are in place, as well as manage fourth parties and subprocessors. Additionally, with Vendorpedia, organizations can minimize procurement time while automating vendor reviews and limiting risks.
Supported Technology Standards, Frameworks, and Laws
- ISO 27001:2013
- Shared Assessment (SIG)
- ISO 27002:2013
- General Data Protection Regulation (GDPR)
- ISO 27018:2019(E)
- California Consumer Protection Act (CCPA)
- ISO 27701:2019
- Google VSAQ
- ISO 9001
- UK ICO Controller & Processor Contracts Checklist - 2.0.0
- NIST SP 800-53R4
- Directive on Security of Network and Information Systems (NIS Directive)
- NIST CSF 1.1
- Cloud Security Alliance (CSA) CAIQ, CCM
Third-Party Risk Reduction & Recordkeeping for Law Firms & Legal Services
Meet the Cybersecurity and Privacy Obligations of Your Clients
Law firms often inherit the stringent cybersecurity requirements of their clients, such as financial institutions and other highly regulated organizations. To maintain client trust and meet contractual obligations, law firms use OneTrust Vendorpedia to identify, mitigate, monitor, and maintain records of third-party risks.
Protect Privileged and Confidential Information
As law firms hold sensitive data, whether it be financials or privileged and confidential information, data protection is an undeniable priority within the legal industry. OneTrust Vendorpedia enables the development of an Information Security Management System (ISMS) that limits vendor risks.
Supported Legal Standards, Frameworks, and Laws
- General Agreement on Trade in Services
- ISO 27001
- Model Rules for Lawyer Disciplinary Enforcement
- ISO 9001
- NY DFS 23 NYCRR 500
- General Data Protection Regulation (GDPR)
- OCC Bulletin 2013-29
- California Consumer Protection Act (CCPA)
Supplier Risk Management for K-12 and Higher Education
Secure Education Records and PII
OneTrust Vendorpedia enables schools, districts, and universities to determine whether providers have security controls in place. Providers handling personally identifiable information (PII) of students should only request or collect the minimum PII needed. Managing providers, and maintaining documentation of provider access to PII, is a critical responsibility of educational institutions.
Prevent Unauthorized Data Disclosure to Service Providers
Schools and districts disclosing PII to providers are still responsible for its protection, under laws such as FERPA. As a best practice, organizations should perform audits and work with providers to develop clear policies and procedures for responding to data breaches. Educational institutions use OneTrust Vendorpedia to maintain the data security and confidentiality of PII when outsourcing tasks to service providers.
Supported Education Standards, Frameworks, and Laws
- Family Educational Rights and Privacy Act (FERPA)
- Children’s Online Privacy Protection Rule (COPPA)
- ISO 21001:2018
- Higher Education Cloud Vendor Assessment Tool (HECVAT)
- ISO 9001
- The Children’s Internet Protection Act (CIPA)
- General Data Protection Regulation (GDPR)
- California’s Student Online Personal Information Protection Act (SOPIPA)
- California Consumer Protection Act (CCPA)
Supply Chain and Vendor Management for Manufacturing
Maintain Third-Party Compliance for Responsible Supply Chain Management
Manufacturers working with third parties have numerous compliance requirements around the world. With OneTrust Vendorpedia, manufacturers can manage third parties throughout the supply chain, reducing risks and maintaining documentation for global compliance.
Supply Chain Risk Assessment and Monitoring
Assessing supplier risks is a necessary component of third-party vetting and selection. With OneTrust Vendorpedia, build automation workflows to streamline supplier risk assessments, and maintain oversight as supplier risks change over time, helping to prevent critical suppliers from becoming major liabilities.
Supported Industries, Standards, Frameworks, and Laws
- Office of Foreign Assets Control (OFAC) Sanctions List
- Drug Supply Chain Security Act
- Dodd-Frank Act (Conflict Minerals)
- Title 21 CFR Part 11
- OECD Due Diligence Guidance for Responsible Supply Chains
- Foreign Corrupt Practices Act (FCPA)
- UK Modern Slavery Act 2015
- General Data Protection Regulation (GDPR)
- Waste from Electrical and Electronic Equipment (WEE)
- California Consumer Protection Act (CCPA)