Welcome to our comprehensive glossary of Third-Party Risk Management (TPRM) terms. This resource is designed to help professionals navigate the complex terminology used in vendor risk management, cybersecurity, and compliance. Whether you're new to TPRM or looking to expand your knowledge, this glossary provides clear definitions of key concepts and industry jargon.
The sum of potential entry points that an attacker can use to gain unauthorized access to a system or network. In TPRM, the attack surface expands to include all third parties with access to systems or data.
The process of evaluating a third party's security controls, policies, and procedures to determine the level of risk they pose. Assessments can be conducted through questionnaires, documentation reviews, on-site visits, or technical testing.
Confirmation that a third party meets specified security, privacy, and compliance requirements. Assurance can be provided through certifications, audit reports, or independent assessments.
A formal declaration by a third party confirming compliance with specific security requirements or standards. Attestations are often used as evidence in TPRM programs.
The process of creating systems to prevent, and recover from, potential threats to a company. In TPRM, vendors are often required to demonstrate robust business continuity plans.
An assessment of the potential consequences of disruption to critical business operations. In TPRM, a BIA helps organizations understand the impact of third-party disruptions.
The obligation to inform affected parties, including customers and regulatory authorities, when a data breach occurs. Third-party contracts typically include breach notification requirements.
Minimum security standards or controls that third parties are expected to implement as part of the vendor relationship.
Ongoing surveillance of third-party security postures through automated tools, threat intelligence feeds, and periodic reassessments, rather than point-in-time evaluations.
The importance of a third party to an organization's operations. High-criticality vendors typically undergo more rigorous due diligence and oversight.
The process of aligning security controls across different frameworks or standards to streamline compliance efforts and avoid duplication.
The process of ensuring third parties adhere to relevant laws, regulations, and standards. This includes tracking regulatory changes and verifying vendor compliance.
A company that offers cloud-based platforms, infrastructure, or applications. CSPs are typically subject to rigorous TPRM due to their access to large volumes of data.
The investigation or exercise of care that a reasonable business or person is expected to take before entering into an agreement or contract with another party.
The process of categorizing data based on its sensitivity and the impact of unauthorized disclosure. Data classification informs third-party security requirements.
The process, policies, and procedures for recovering or continuing technology infrastructure after a natural or human-induced disaster. Vendors are typically required to have DR plans.
The practice of monitoring, detecting, and mitigating risks across digital channels, including risks introduced by third parties.
Any external organization or individual that provides services or products to, or has a business relationship with, an organization. This includes vendors, suppliers, contractors, business partners, and affiliates.
The process of identifying, assessing, and controlling risks presented throughout the lifecycle of relationships with third parties. TPRM encompasses financial, reputational, operational, legal, and cybersecurity risks.
A structured evaluation of the potential risks posed by a third party, typically conducted before engagement and periodically throughout the relationship.
The categorization of third parties based on their risk level, criticality, or data access. Higher-tier vendors usually undergo more rigorous due diligence and monitoring.
A subset of TPRM focused specifically on vendors who provide products or services, rather than other types of third-party relationships.
The process of categorizing vendors based on their criticality to operations, the sensitivity of data they access, or other risk factors.
A systematic review of security weaknesses in systems, applications, or networks. Third parties may be required to conduct regular vulnerability assessments.
The process of terminating a vendor relationship, including revoking access rights, retrieving data or equipment, and ensuring contractual obligations are fulfilled.