Third Party Risk Evaluation

One of the top priorities for many businesses is third party vendor risk management, which is completely understandable.

So, what are the critical elements we need to consider from a third-party risk perspective? Classification and compliance would be considered front of the queue.

eSign Third Party Risk

E-Sign Places A Significant Emphasis On:

  • Investing resources to enhance our threat intelligence and cybersecurity capabilities.
  • Establishing a specialised compliance team so that our enterprise information security program surpasses national and international security standards and adheres to industry best practices.
  • Providing dedicated subject matter experts to support employees across all information security domains.
Our programme undergoes annual independent audits to ensure compliance with industry standards certifications, ensuring that it not only meets, but exceeds the most stringent security requirements.

How Third-Party Risk Evaluates eSignatures

Understandably, one of the top priorities for many businesses is third-party vendor risk management. So, what critical elements do we need to consider from a third-party risk perspective? Classification and compliance would be considered at the front of the queue.

E-Sign and other electronic signature providers are considered tier 1 suppliers and with this comes increased scrutiny and security assessment requirements.

E-Sign provides a world-class security and compliance programme, including being ISO 27001, Cyber Essentials Plus, and SOC compliant. As a business or individual, you can feel confident that any potential risks are being addressed by the E-Sign security and compliance team. Compliance is a top priority for our dedicated team. We continually demonstrate how our policies and procedures meet or exceed industry standards. This is achieved by industry best practices, annual independent third-party audits of E-Signs controls, certifications from accreditation bodies including UKAS ISO27001, ITHC and attestations of compliance.

Let’s look at the issues most important to you when assessing security and compliance risks and how we address them. The topics to evaluate for potential risk are listed below, each focusing on a different area of security, privacy and legal compliance:

Third Party Risk Evaluates eSignatures

1. Information Classification

Information classification is a process in which organisations or individuals assess the data that they hold and the level of protection it should be assigned.

Why is this important?

Information classification helps to ensure that individuals involved inside an organisation have the knowledge and are aware of the type of data they are working with and its value, as well as their obligations and responsibilities in protecting it and preventing data breach or loss. It’s important for E-Sign customers to know how the data is flowing through the system and that its access is protected, so that only the sender and the recipients can view the envelopes, with an audit trail tracking in place for the whole process.

The E-Sign system contains

  • Confidential (only senior management has access)
  • Restricted (most employees have access)
  • Internal (all employees have access)
  • Public information (everyone has access)

The safety of customer data is ensured by restricting employee access to the E-Sign production environment. Employees with this access undergo additional information security training and checks.

Third Party Risk Information Classification

2. Information Storage and Encryption (in transit and at rest)

There are two types of data encryption: at rest and in transit. ‘Data at rest’ refers to data being housed physically on computer data storage, in any digital form. On the other hand, data ‘in transit’ is moving between devices or two network points.

Why is this important?

Data encryption, which prevents data visibility in the event of its unauthorised access or theft, is commonly used to protect data in motion and is increasingly promoted for protecting data at rest.

E-Sign’s security protocol includes the following:

  • 256-bit encryption
  • Security protocols for SSL certificates, logging into servers and tunnelling
  • Data/documents encryption
  • Data disposal and reuse policy
  • Processes for equipment management and secure media disposal
Third Party Risk Information Storage Encryption

3. Data Privacy

Data privacy is typically associated with the following elements.

  • Legal framework. The core component of the legislation itself applied to data issues, such as data privacy laws.
  • Data protection policy. A statement that sets out how your organisation protects personal data. It is a set of principles, rules and guidelines that informs how you will ensure ongoing compliance with data protection laws.
  • Best practices are put in place to guide IT infrastructure, data privacy and protection.
  • Third-party organisation. Any entity outside of your company that provides services or products to your organisation or acts on behalf of your business.
  • Data governance. Setting internal standards and data policies which apply to how data is gathered, stored, processed, and disposed of. It governs who can access what kinds of data and what kinds of data are under governance.
  • Global requirements. Global legislation to secure the protection of data and privacy.
Third Party Risk Data Privacy

Why is Data Privacy Important?

Keeping customers’ private data and sensitive information safe is essential. it can create a dangerous situation If financial data, healthcare information, and other personal consumer or user data are exposed to the wrong people. Access control is paramount regarding personal information. Individuals can be at risk of fraud and identity theft if controls are not put in place.

E-Sign is compliant with the General Data Protection Regulation (GDPR), the most important data protection regulation in over 20 years, which is important when transferring data between countries, especially in and out of the European Union.

Cybersecurity is an ever-growing concern, as an increasingly large portion of our lives and activities occur online.

How does E-Sign comply?

E-Sign has data management and privacy practices in place around the following:

  • Privacy notices
  • Data subject rights
  • Data deletion and retention
  • Data access
  • GDPR and other privacy regulations
  • Data residency
  • Sub-processors
  • Training and Awareness
  • Governance and accountability
Third Party Risk Data Privacy

4. Access Controls

Users can be verified by various login credentials, which determine the access control identifier. They can include security tokens, PINs, usernames and passwords and biometric scans. Multi Factor authentication (MFA)is also a common feature in access control systems.

Access control is the process of:

  • Granting a person only the key to the computer, file, or software that they need access to and nothing more
  • Identifying a person for doing a specific job
  • Looking at their identification to authenticate them
Third Party Risk Access Controls

Why are Access Controls Important?

Access controls limit access to information and information processing systems, so that people have enough information to carry out their job, but nothing more and there are processes in place such as access control registers, to remove that access when the employee changes jobs or leaves the company. It’s also crucial that envelopes can only be accessed by authorised parties.

When implemented effectively, access controls mitigate the risk of information being accessed without the appropriate authorisation, unlawfully and the risk of a data breach.

E-Sign addresses access control requirements with the following: 

  • User permissions and groups
  • Centralised provisions for controlling access via multi-factor authentication
  • Password policy
  • Compliance visibility: Who has access to what
  • A network management system, complete with anti-virus software and malware detectors
  • A key management and encryption programme
  • Automatic processes for detecting potentially harmful code
Third Party Risk Access Controls Important

5. Sustainability

Sustainability is important to companies and individuals worldwide, it’s all about carbon footprint, reducing energy consumption and the impact the company is having on the environment. Companies need to have sustainable processes and also produce products that contribute to a more sustainable society.

Why is this important?

A business that fails to make sustainable development one of its top priorities, may potentially receive bad PR, public criticism and market legitimacy. Businesses with solid sustainability policies are likely to attract younger talent, win more tenders (which increasingly ask for proof of ESG credentials) and win more awards and certifications

E-Sign’s approach to sustainability

  • Takes a precautionary approach to protecting the environment
  • Consumes minimum resources and energy across the supply chain
  • Fosters environmental responsibility with programmes that help replenish the ecosystems such as reducing paper, buying sustainable products
  • Creates long-lasting software that meets the needs of users, whilst reducing negative environmental and economic impacts
  • Creates jobs and economic growth by investing in recruitment and new technologies
  • Contributes to innovation in environmentally friendly technologies such as clean energy
Third Party Risk Sustainability

6. Ethical Behaviour

“Legal” and “ethical” aren’t necessarily the same thing. Business ethics outlines acceptable behaviours beyond government control.

Ethical behaviours include forced labour and human trafficking, fair pay and more. While the U.K. has the Modern Slavery Act, it’s important from a third-party risk perspective to ensure this is extended to everybody in the supply chain.

third Party Risk Ethical Behaviour

Why are Ethical Behaviours Important?

Ethical behaviours are key to a business’s reputation, consumers are more likely to buy goods or services from you if you act responsibly. There are also legal implications to consider in many industries and ensuring you comply with regulations set by the government is mandatory. Acting ethically reduces the risk of committing fraud, engaging in bribery and corruption.

How E-Sign conforms:

  • Company policies and procedures in place for all staff
  • Regular staff training
  • Third-party vendors assessments
Third Party Risk Ethical Behaviour Important

7. Business Continuity and Disaster Recovery

Business continuity (BC) and disaster recovery (DR) are closely related practices that support an organisation’s ability to stay operational during or after a disaster. From natural disasters to cyber-attacks, organisations must remain resilient to these types of threats.

Why is this important?

In the event of an adverse event, organisations need to continue business operations with little or no disruptions and minimise any potential risks.

What does E-Sign have in place?

  • Regularly reviewed policies and procedures
  • Business continuity and disaster recovery plans
  • Regular testing of the plan
  • Geo-dispersed data centers with built-in redundancy measures
  • Elimination of single points of failure
  • Near real-time secure data replication
Third Party Risk Business Continuity Disaster Recovery

8. Vendor Risk Management

To assess, monitor and manage risk exposure from third-party suppliers (TPSs) providing IT products and services.

E-Sign’s risk management process includes

  • Vendors are required to follow the same protocols that the company has internally
  • Identify risk types
  • Regular audits/assessments are done to ensure sub processors are conforming to internal protocols
  • Using a risk appetite statement
  • Reporting on important vendor-related metrics
Third Party Risk Vendor Risk Management

Conclusion

Compliance is a top priority for E-Sign. We continually demonstrate how our policies and procedures meet or exceed industry standards. This is achieved by industry best practices, annual independent third-party audits of E-Signs controls, certifications from accreditation bodies including UKASISO27001, ITHC and attestations of compliance.

Try eSign FREE for 14 Days

Try the UK's leading electronic signature online document signing service free, no credit card required
Try Us Free
Free Electronic Signature Trial

Accreditations & Awards

Crown Commerical Provider
Cyber Essentials Plus
ISO 9001 Quality Management
ISO 27001 Information Security Management
Information Commissioner's Office
2023 SME Committed Badge
digital-trasnformation-UK-winner
esign gdpr logo

Reviews & Security

Capterra User Reviews
G2 Crowd Reviews
Trustpilot Logo
Secure Trusted Commerce
Rapid SSL Logo
Select Language