Our compliance team is working with our legal and IT counterparts to increase its influence in the request for...
By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.
proposals (RFP) process with third-party vendors. Are there any key compliance issues that should be considered during the RFP process that are often overlooked?
Ask the Expert!
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today! (All questions are anonymous.)
Incorporating compliance reviews into your RFP and contracting processes is an essential component of compliance programs, especially in organizations that engage heavily in outsourcing business processes.
I've found that the best way to do this is to provide procurement personnel with a checklist that they can use to help determine when IT compliance involvement is necessary. For example, they might run through the following questions when preparing to issue an RFP:
- Will this contract involve the storage, processing or transmission of Social Security numbers or other sensitive information that may trigger breach notification laws?
- Will this contract involve credit card transactions that may be subject to PCI DSS?
- Will this contract affect electronic protected health information that is covered by HIPAA?
- Does this contract involve financially significant systems regulated by the Sarbanes-Oxley Act?
The specific questions you include on your checklist will vary depending upon your specific regulatory environment. They shouldn't seek to solve every compliance issue, but rather to serve as a set of guidelines for identifying RFPs where compliance must be discussed in further detail.
It's also helpful to have boilerplate language that you can use to impose compliance burdens on vendors. While you'll often find yourself negotiating the language of specific agreements, it's a good idea to propose your own acceptable language as a starting point and let the vendor propose changes, rather than trying to convert their preferred language into something acceptable to your organization.
Dig Deeper on Vendor Management: Negotiations, Budgeting, Mergers and Acquisitions
Related Q&A from Mike Chapple
Vulnerability scanning tools are necessary to be fully compliant with PCI DSS, but the tools need to come from a PCI DSS Approved Scanning Vendor. ...continue reading
Healthcare clearinghouses like Mass HIway are a new trend in health IT, but what are the security implications? Expert Mike Chapple explains what you...continue reading
The FFIEC Cybersecurity Assessment Tool has faced harsh criticism since its 2015 release. Expert Mike Chapple reviews the tool and how it can be ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.