What does it mean to share Third-party Proof?
Sharing Third-party Proof of Compliance information a.k.a. Third-party Proof (3PP) means your organization is exchanging and maintaining documentation and data that verifies compliance with a set of defined Compliance Framework or Compliance Standard requirements as part of a B2B relationship. See What is Third-party Proof? for further definitions.
Generally, the reason for sharing 3PP (Third-party Proof) is to help maintain healthy, legal, and compliant B2B relationships over time. Therefore, almost all 3PP has to be kept up-to-date:
- On a recurring schedule, e.g., annual audits and quarterly reports
- In response to specific risks and events as they occur, e.g., incident response
In other words, it’s critical for compliance and security teams, processes, and systems to always have the latest 3PP for remediation. However, maintaining up-to-date 3PP is generally problematic because it’s most often being produced by manual processes, audits, and reporting.
ProofPort helps close the gap on automating the exchange of 3PP with the concepts of “publishing” 3PP for your B2B customers and the automated “collecting” of 3PP from your providers and vendors - all to make the remediation of critical changes in 3PP documents and data more timely and frequent. Here are a few useful dimensions of 3PP to consider when thinking about publishing and collecting 3PP:
7 useful ways to think about Third-party Proof (3PP)
1. 3PP CONTEXT
What compliance standards and frameworks, e.g. PCI DSS, GDPR, HIPAA, FedRAMP, ISO 27001, SSAE 18, are you meeting requirements for in your B2B service provider relationships? What are the requirements and compliance standards and frameworks your B2B partners are trying to fulfill? Are they requesting 3PP from you or are you requesting it from them? What do all these questions mean for the way you should exchange and maintain 3PP with B2B partners/customers? Third-party Proof (3PP) has a context that needs to be recognized and addressed.
2. 3PP VALUE OF TIMING
It's helpful to think of the exchange and maintenance of 3PP as an ongoing, recurring publishing or collection process for B2B relationships. The most valuable information is "breaking news" of real-time changes in the 3PP that need to be remediated. At the other end of the spectrum, and equally valuable, is an immutable neutral archive of the full history of all the 3PP exchanged within a given B2B relationship. ProofPort fulfills both of these valuable capacities.
3. 3PP CUSTOMIZATION COMPLEXITY
ProofPort's focus on affordable automatic updates of one-to-many 3PP, whether publishing or collecting, is complementary to the tools you use for managing more complex and customized types of 3PP like surveys, SIGs, and audits. ProofPort can be thought of as providing a world-class evidence exchange for up-to-date, one-to-many compliance data - saving everyone and every system time and resources.
4. 3PP ACCESSIBILITY
You can also think of 3PP in terms of how freely available the exchange of 3PP should be. Controlling access to Proof of Compliance is important, and different organizations have different philosophies and requirements. Deciding whether 3PP is published Publicly, By-request, or By-agreement, and controlling that access with traceability and supporting processes, is key. Often, access approval should be in the hands of your sales or support teams. ProofPort delivers simple, team-managed access control to 3PP for your B2B relationships.
5. 3PP ORIGINS
You also need to think about the origin of 3PP. Some of your third-party proof is actually produced and controlled by other publicly available sources of authority like the PCI Council or the Privacy Shield List. However, most of your 3PP originates from your own organization. It’s actually very important to have a single clearinghouse for all the latest publicly-sourced and internally-produced 3PP that is requisite to B2B customer and partner relationships. ProofPort can be that clearinghouse and evidence exchange for your 3PP, delivering real-time notifications of changes in 3PP to your B2B customers and partners, and providing reminders and scheduling for your publishing of 3PP.
For example, an organization trying to maintain GDPR compliance with a processor may want to collect the processor's SOC 2 report under NDA and also obtain real-time notifications of changes to the processor's Privacy Shield listing. This requires exchanging the latest publicly-sourced and internally-produced 3PP and maintaining a valid NDA. Similarly, if two organizations are exchanging quarterly security scans under NDA, they both want to know if the ASV (Approved Scanning Vendor) being used is no longer validated/listed on the PCI Council's list of ASVs, which would result in the scans no longer being admissible as PCI DSS evidence. Again, this requires exchanging the latest publicly-sourced and internally-produced 3PP and maintaining a valid NDA. Both of these examples are easy to maintain with ProofPort.
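The admissibility rules in the two examples above (a refresh schedule, a valid NDA, and a vendor still present on a publicly-sourced authority list) can be expressed as a small policy check. The following is an added illustration, not ProofPort's code; the partner names, NDA dates, ASV list snapshot and proof records are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

# Constructed sample data (not real vendors, partners or list contents).
ASV_LIST: Set[str] = {"ScanCo", "SafeScan"}            # ASVs currently on the PCI Council list (snapshot)
NDAS: Dict[str, date] = {"acme": date(2025, 12, 31),    # partner -> NDA expiry date
                         "globex": date(2024, 6, 30)}
TODAY = date(2025, 3, 1)                                # fixed "today" so the example is reproducible

@dataclass
class Proof:
    partner: str                  # B2B partner the proof was exchanged with
    kind: str                     # "soc2" or "asv_scan"
    issued: date
    max_age_days: int             # recurring schedule: 365 for an annual report, 90 for quarterly scans
    under_nda: bool = False
    vendor: Optional[str] = None  # ASV that produced a scan, if applicable

def check_proof(p: Proof, today: date,
                asv_list: Set[str] = ASV_LIST, ndas: Dict[str, date] = NDAS) -> List[str]:
    """Return the reasons a proof is no longer usable as evidence (empty list = admissible)."""
    findings: List[str] = []
    if today - p.issued > timedelta(days=p.max_age_days):
        findings.append("stale")              # past its recurring refresh schedule
    if p.under_nda and ndas.get(p.partner, date.min) < today:
        findings.append("nda_expired")        # the agreement covering the exchange has lapsed
    if p.kind == "asv_scan" and p.vendor not in asv_list:
        findings.append("asv_not_listed")     # the public authority no longer validates the vendor
    return findings

def affected_by_delisting(proofs: List[Proof], old_list: Set[str], new_list: Set[str]) -> List[Proof]:
    """Proofs that became inadmissible because an ASV dropped off the list between two snapshots."""
    delisted = old_list - new_list
    return [p for p in proofs if p.kind == "asv_scan" and p.vendor in delisted]

PROOFS = [
    Proof("acme", "soc2", date(2024, 9, 1), 365, under_nda=True),
    Proof("acme", "asv_scan", date(2024, 10, 1), 90, under_nda=True, vendor="ScanCo"),
    Proof("globex", "asv_scan", date(2025, 1, 15), 90, under_nda=True, vendor="OldScan"),
]

if __name__ == "__main__":
    for p in PROOFS:
        print(p.partner, p.kind, check_proof(p, TODAY) or ["admissible"])
    previous_snapshot = {"ScanCo", "SafeScan", "OldScan"}
    print([p.partner for p in affected_by_delisting(PROOFS, previous_snapshot, ASV_LIST)])
```

Running the check on each collection cycle, and again whenever the public list snapshot changes, is what turns a static evidence archive into the timely remediation signal the text describes.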
6. 3PP CONNECTIVITY
If you are publishing 3PP for your B2B customers as a SaaS provider, it is tempting to think that one-to-one file-sharing, workflows, surveying, or portals are an excellent way to distribute 3PP to B2B customers. In actuality, economics and customers demand freedom from the friction of having to use hundreds or even thousands of portals, workflows, and one-to-one systems for updates to 3PP. One-to-one doesn't scale for B2B customers who need to collect 3PP frequently from many third parties. All parties involved in the publishing and collection of 3PP benefit when the distribution of 3PP is frictionless, low cost, and without delay. A standardized evidence exchange clearinghouse (many-to-many 3PP) is the best way to move up-to-date 3PP at scale. ProofPort complements your risk and compliance management systems with a standardized, frictionless, and affordable many-to-many conduit of 3PP - a source of up-to-date data for your systems, processes, and teams. ProofPort passes the benefits of many-to-many efficiencies to all participating parties and platforms with free and affordable service that delivers quality data, performance, and advanced capabilities that can only be obtained at scale.
7. 3PP CONTROL
The best types of 3PP validate that a system of controls, for compliance or regulatory requirements, has been maintained, i.e., that control has been maintained over time. This eliminates the need for the more common and riskier approach of validating compliance with periodic audits, surveys, or snapshots, which only prove that a system of control is in compliance at a given point in time. Best practice: whenever possible, exchange 3PP that verifies that a system of compliance controls is being maintained.
These 7 useful ways to think about third-party proof within your B2B relationships demonstrate that sharing 3PP is an important set of activities for your Compliance, Sales, Support, Risk, Vendor, and Procurement teams to consider and manage well.
May your 3PP never be out of date again!