What is it? 

Third Party Risk Management (TPRM) is the process of identifying, evaluating, and mitigating the potential risks associated with third-party vendors who have access to or host an agency's sensitive data. TPRM focuses on due diligence activities which provides reasonable assurance that ND citizen data is safeguarded.  

The TPRM process requires third-parties to: 

  1. Provide documentation of an industry-accepted security control certification, or 

  1. Complete a Third-Party Security Questionnaire (TPSQ) on their security controls and program surrounding the confidentiality, integrity, and availability of State data. 

The goal of TPRM is to: 

  • Understand security concerns when selecting a vendor. 

  • Safeguard data to foster an environment of citizen trust. 

  • Mitigate undue risks and costs associated with third-party breaches. 

  • Compliance with legal, privacy, policies and standards requirements. 

  • Ensure Business Continuity by verifying that third-party vendors have effective contingency plans. 

  • Partner with vendors as cybersecurity is a shared responsibility. 

As of July 1, 2023, a TPRM assessment will be required for all new State Agency vendors.  Existing vendors will be assessed when contracts are renewed. 

What do you get with the Service? 

NDIT onboards vendors, scores responses to questionnaires, tracks findings, provides continuous monitoring of critical vendors, and reassesses vendors based on their risk. 

Initial assessment-vendor assessment- report-monitor-offboarding

  1. Initial Assessment- NDIT will obtain initial information about the vendor and determine if the data they transmit, store and/or access is (based on NDIT’s data classification tiers): 

    • High risk 

    • Moderate risk 

    • Low risk 

  1. Vendor Assessment-NDIT will evaluate the level of assessment required based on the data classification analysis performed in Step 1.  A Third-Party Security Questionnaire (TPSQ) is sent to vendors with high and moderate security scores.  

    • High risk – A full TPSQ is sent to the vendor

    • Moderate risk - An abbreviated TPSQ is sent to the vendor 

    • Low risk – No assessment is sent to the vendor 

  1. Report- Identified findings (potential risk) are discussed with the agency, Information Security Officer, Architect, Customer Success Manager, Risk Analyst, and Procurement Officer.  Parties discuss risk response options that may involve the vendor if remediation of a finding is required.   

  1. Continuous Monitoring- NDIT will continuously monitor vendors:  

    • High risk: re-assess annually  

    • Moderate risk: re-assess every 2 years  

    • Low risk: re-assess every 3 years 

How to request service? 

The Third-Party Risk Management (TPRM) is embedded into the IT Architectural & Security Review process. The architect team at NDIT will work with the Governance, Risk & Compliance team to conduct a third-party assessment of the vendor.  

Service Level Agreement 

NDIT strives to complete the third-party risk assessment two weeks after request has been submitted: 

  • Vendor typically has one week to complete assessment, and
  • NDIT and Agency will review findings within a week after the vendor has completed the assessment.

* Note: the timeline of completing the assessment could span beyond two weeks if the results of the assessment yield critical findings that require a risk response and potential remediation.

If you have any questions on requesting third-party risk services from NDIT, submit a NDIT Self-Service Portal Incident and ask to route the ticket to Security GRC.