What does it mean to share Third-party Proof?
Sharing Third-party Proof of Compliance information, a.k.a. Third-party Proof (3PP), means your organization is exchanging and maintaining the documentation and data that verify compliance with a defined set of Compliance Framework or Compliance Standard requirements as part of a B2B relationship. See What is Third-party Proof? for further definitions.
Generally, the reason for sharing 3PP is to maintain healthy, legal, and compliant B2B relationships over time. Therefore, almost all 3PP has to be kept up to date:
- On a recurring schedule, e.g., annual audits and quarterly reports
- In response to specific risks and events as they occur, e.g., incident response
In other words, it is critical for compliance and security teams, processes, and systems to always have the latest 3PP, so that any change it reveals can be remediated. However, keeping 3PP up to date is generally problematic because it is most often produced by manual processes, audits, and reporting.
ProofPort helps close this gap by automating the exchange of 3PP around two concepts: “publishing” 3PP for your B2B customers and automatically “collecting” 3PP from your providers and vendors, so that critical changes in 3PP documents and data are remediated sooner and more often. Here are a few useful dimensions of 3PP to consider when thinking about publishing and collecting 3PP:
7 useful ways to think about Third-party Proof (3PP)
1. 3PP CONTEXT
What compliance standards and frameworks are you meeting requirements for in your B2B relationships? What are the requirements and compliance standards and frameworks your B2B partners are trying to fulfill? Are they requesting 3PP from you or are you requesting it from them? What do all these questions mean for the way you should exchange and maintain 3PP with B2B partners/customers? Third-party Proof (3PP) has a context that needs to be recognized and addressed.
2. 3PP VALUE OF TIMING
It is helpful to think of the exchange and maintenance of 3PP as an ongoing, recurring publishing or collection process for B2B relationships. As in other industries that have publishing flows, the most valuable information is often the “breaking news” of real-time changes in the 3PP that need to be remediated. At the other end of the spectrum, and often equally valuable, is an immutable, neutral archive of the full history of all the 3PP exchanged within a given B2B relationship, useful for analysis, audits, and litigation. ProofPort serves both ends of this spectrum.
3. 3PP CUSTOMIZATION COMPLEXITY
Considering the complexity of 3PP is also key. At one end of the spectrum are complex, one-to-one compliance information structures like surveys and audits, for which there are many solutions, approaches, and industry groups. At the other end of the spectrum are simpler, non-customized, one-to-many proof of compliance and security documents that are equally important, e.g., AOCs (Attestations of Compliance), Security Reports, Scan Results, Privacy Policies, Terms, Assessments, etc. These non-customized, one-to-many forms of 3PP are produced as a standard document and published once for many or all B2B customers until the 3PP needs to be updated and distributed again. Generally, this one-to-many 3PP must be updated and exchanged on a recurring basis, which makes it an opportunity to improve efficiency and customer experience with a tool like ProofPort.
ProofPort’s focus on affordable, automatic updates of one-to-many 3PP, whether publishing or collecting, is complementary to the tools you use for managing more complex and customized types of 3PP like surveys, SIGs, and audits. ProofPort can be thought of as providing a world-class evidence exchange for up-to-date, one-to-many compliance data, saving everyone and every system time and resources.
4. 3PP ACCESSIBILITY
You can also think of 3PP in terms of how freely available it should be. You may want to, or be required to, make some of your 3PP publicly available. For the rest of your 3PP, you may want to control access more closely, with non-disclosure agreements and case-by-case approval. Often, access approval should be in the hands of your sales or support teams. ProofPort delivers simple, team-managed access control to 3PP for your B2B relationships.
5. 3PP ORIGINS
You also need to think about the origin of 3PP. Some of your third-party proof is actually produced and controlled by other publicly available sources of authority, like the PCI Council’s lists or the Privacy Shield List (note that the EU-U.S. Privacy Shield framework was invalidated by the Court of Justice of the EU in July 2020, so a current transfer mechanism such as the EU-U.S. Data Privacy Framework list would now play this role). However, most of your 3PP originates from your own organization. It is very important to have a single clearinghouse for all the latest publicly-sourced and internally-produced 3PP that is foundational to your customers and partners in B2B relationships. ProofPort can be that clearinghouse and evidence exchange for your 3PP, delivering real-time notifications of changes in 3PP to your B2B customers and partners, and providing reminders and scheduling for your publishing of 3PP.
For example, an organization acting as a GDPR controller that relies on a processor may want to collect the processor’s SOC 2 report under NDA and also obtain real-time notifications of changes to the processor’s entry on the Privacy Shield list; this requires exchanging the latest publicly-sourced and internally-produced 3PP and maintaining a valid NDA. Similarly, if two organizations are exchanging quarterly security scans under NDA, they both want to know if the ASV (Approved Scanning Vendor) being used is no longer validated and listed on the PCI Council’s list of ASVs, which would mean the scans are no longer admissible as PCI DSS evidence; again, this requires exchanging the latest publicly-sourced and internally-produced 3PP and maintaining a valid NDA. Both of these examples are easy to maintain with ProofPort.
6. 3PP CONNECTIVITY
If you are publishing 3PP for your B2B customers as a SaaS provider, it is tempting to think that one-to-one file sharing, workflows, surveys, or portals are an excellent way to distribute 3PP to B2B customers. In reality, economics and customers demand freedom from the friction of having to use hundreds or even thousands of portals, workflows, and one-to-one systems to obtain 3PP updates. One-to-one does not scale for B2B customers who need to collect 3PP frequently. All parties involved in the publishing or collection of 3PP benefit when distribution is frictionless and moved to a standardized clearinghouse of evidence exchange like ProofPort. ProofPort complements your risk and compliance management systems with a standardized, frictionless, and affordable many-to-many conduit of 3PP, a source of up-to-date data for your systems, processes, and teams. ProofPort passes the benefits of many-to-many efficiencies to all participating parties and platforms with free and affordable service that delivers quality data, performance, and advanced capabilities that can only be obtained at scale.
7. 3PP CONTROL
The best type of 3PP validates that a system of controls for compliance requirements has been continuously maintained. This is stronger than, and reduces reliance on, the more common and riskier approach of validating compliance with periodic audits, inspections, surveys, or snapshots, which only prove that a system of controls was in compliance at the moment it was examined. Best practice: whenever possible, exchange 3PP that verifies a system of compliance controls is being maintained over time, not just that it passed at a point in time.
These 7 useful ways to think about third-party proof within your B2B relationships demonstrate that sharing 3PP is an important set of activities for your Compliance, Sales, Support, Risk, Vendor, and Procurement teams to consider and manage well.
May your 3PP never be out of date again!