Trusted Across Industries. Adaptable to Global Requirements. Flexible to Your Needs.

Support and Built-In Intelligence for 300+ Global Standards, Frameworks, and Laws

Third-Party Relationship Management for Banking, Finance and Insurance

Due Diligence & Monitoring for Banks and Financial Institutions

Financial institutions use OneTrust Vendorpedia to manage third-party relationships. Vendorpedia offers tailored finance functionality with solutions to perform third-party service provider analysis, implement risk-mitigation controls, assess business continuity plans, automate risk-based decision-making, streamline recordkeeping, and manage contracts with ease.

InfoSec & Third-Party Oversight for Insurance Providers

With OneTrust Vendorpedia, insurance providers have the technology needed to identify third-party service provider risks, as well as determine appropriate security measures, prevent cybersecurity incidents, manage information access, and maintain the confidentiality and privileged status of documentation when working with third-party service providers.


Supported Finance, Banking, and Insurance Third-Party Risk Standards, Frameworks, and Laws

NY DFS 23 NYCRR 500
OCC Bulletin 2013-29
OCC Bulletin 2017-21
FCA FG 16/5
EBA Guidelines
Directive 2014/65
Directive 2015/2366/EU
FFIEC BCP Booklet: Appendix J
FFIEC Information Security Booklet
CFPB Compliance Bulletin and Policy Guidance 2016-02
ISO 20038:2017
Federal Reserve Supervisory Letter SR 13-19
FDIC Outsourcing & Third-Party Providers Guidance
NAIC Insurance Data Security Model Law
SOC 1, SOC 2, SOC 3
Sarbanes-Oxley Act (SOX), PCAOB
Directive on Security of Network and Information Systems (NIS Directive)
Gramm-Leach-Bliley Act (GLBA)
General Data Protection Regulation (GDPR)
California Consumer Protection Act (CCPA)

Protected Health Information Protection for Healthcare & Pharmaceuticals

Identifying and Implementing Appropriate PHI Safeguards

Using OneTrust Vendorpedia, healthcare providers can automate risk analysis, as well as put safeguards in place to prevent, detect, contain, and correct security violations relating to vendors, consultants, and other entities that may handle electronic protected health information (e-PHI).

Automate and Evaluate HIPAA Risk Assessment

Entities that create, receive, maintain, or transmit protected health information (PHI) must conduct HIPAA risk assessments on the vendors they use that interact with personally identifiable information (PII). OneTrust Vendorpedia offers automation to perform these assessments and maintain records for compliance.


Supported Healthcare Standards, Frameworks, and Laws for Third-Party Risk

HIPAA
HITECH
NHS Procurement & Commercial Standards
NIST HIPAA Security Rule Toolkit
Directive on Security of Network and Information Systems (NIS Directive)
ISO 9001
ISO 13485
General Data Protection Regulation (GDPR)
California Consumer Protection Act (CCPA)

Third-Party Service Provider Security Assurance for Retail & Hospitality

Secure Supplier Relationships for Retail & Hospitality

Evaluating and treating risks when acquiring goods and services from suppliers is a critical aspect of any infosec program in the retail and hospitality industry. Using OneTrust Vendorpedia, risk management teams can implement information security controls to manage the entire relationship lifecycle, streamlining supplier selection, evaluation, contracting, monitoring, and offboarding.

Automate Monitoring for Third-Party Service Providers

Documenting a third-party service provider monitoring program is vital to PCI DSS compliance. OneTrust Vendorpedia offers numerous monitoring tools to track third-party service provider compliance, changes to the scope or nature of the supplier relationship, and ongoing oversight relating to risk, contracts, and responsibilities throughout the engagement.


Supported Retail & Hospitality Standards, Frameworks, and Laws

PCI DSS
ISO 9000 Standards
ISO 22000
ISO 14001:2015
California Proposition 65
General Data Protection Regulation (GDPR)
California Consumer Protection Act (CCPA)

Vendor Risk Management & Information Security for Technology Providers

Assess Cloud Vendor Security and Automate Risk Mitigation

Frameworks like the CSA CAIQ help organizations assess cloud vendor risks and identify existing controls, or the lack thereof. OneTrust Vendorpedia partners with CSA to provide templates for the CSA CAIQ and many other CSA questionnaires.

Protect Your Organization's Critical Information Systems

With OneTrust Vendorpedia, organizations can analyze supplier risks to determine whether required security safeguards are in place, as well as manage fourth parties and subprocessors. Additionally, with Vendorpedia, organizations can minimize procurement time while automating vendor reviews and limiting risks.

Supported Technology Standards, Frameworks, and Laws

ISO 27001:2013
ISO 27002:2013
ISO 27018:2019(E)
ISO 27701:2019
ISO 9001
NIST SP 800-53R4
NIST CSF 1.1
Shared Assessment (SIG)
General Data Protection Regulation (GDPR)
California Consumer Protection Act (CCPA)
Google VSAQ
UK ICO Controller & Processor Contracts Checklist - 2.0.0
Directive on Security of Network and Information Systems (NIS Directive)
Cloud Security Alliance (CSA) CAIQ, CCM

Supported Legal Standards, Frameworks, and Laws

General Agreement on Trade in Services
Model Rules for Lawyer Disciplinary Enforcement
NY DFS 23 NYCRR 500
OCC Bulletin 2013-29
ISO 27001
ISO 9001
General Data Protection Regulation (GDPR)
California Consumer Protection Act (CCPA)

Supplier Risk Management for K-12 and Higher Education

Secure Education Records and PII

OneTrust Vendorpedia enables schools, districts, and universities to determine whether providers have security controls in place. Providers handling personally identifiable information (PII) of students should only request or collect the minimum PII needed. Managing providers, and maintaining documentation of provider access to PII, is a critical responsibility of educational institutions.

Prevent Unauthorized Data Disclosure to Service Providers

Schools and districts disclosing PII to providers are still responsible for its protection, under laws such as FERPA. As a best practice, organizations should perform audits and work with providers to develop clear policies and procedures for responding to data breaches. Educational institutions use OneTrust Vendorpedia to maintain the data security and confidentiality of PII when outsourcing tasks to service providers.


Supported Education Standards, Frameworks, and Laws

Family Educational Rights and Privacy Act (FERPA)
Children’s Online Privacy Protection Rule (COPPA)
Higher Education Cloud Vendor Assessment Tool (HECVAT)
The Children’s Internet Protection Act (CIPA)
California’s Student Online Personal Information Protection Act (SOPIPA)
ISO 21001:2018
ISO 9001
General Data Protection Regulation (GDPR)
California Consumer Protection Act (CCPA)

Supply Chain and Vendor Management for Manufacturing

Maintain Third-Party Compliance for Responsible Supply Chain Management

Manufacturers working with third parties have numerous compliance requirements around the world. With OneTrust Vendorpedia, manufacturers can manage third parties throughout the supply chain, reducing risks and maintaining documentation for global compliance.

Supply Chain Risk Assessment and Monitoring

Assessing supplier risks is a necessary component of third-party vetting and selection. With OneTrust Vendorpedia, build automation workflows to streamline supplier risk assessments. As supplier risks change over time, Vendorpedia helps maintain oversight and monitor those risks, helping to prevent critical suppliers from becoming major liabilities.


Supported Industries, Standards, Frameworks, and Laws

Office of Foreign Assets Control (OFAC) Sanctions List
Dodd-Frank Act (Conflict Minerals)
OECD Due Diligence Guidance for Responsible Supply Chains
UK Modern Slavery Act 2015
Waste Electrical and Electronic Equipment (WEEE)
Directive 2015/2366/EU
Drug Supply Chain Security Act
Title 21 CFR Part 11
Foreign Corrupt Practices Act (FCPA)
General Data Protection Regulation (GDPR)
California Consumer Protection Act (CCPA)