Third Party Risk Evaluation

Understandably, one of the top priorities for many businesses is third-party vendor risk management. So, what critical elements do we need to consider from a third-party risk perspective? Classification and compliance would be considered at the front of the queue.

E-Sign and other electronic signature providers are considered tier 1 suppliers and with this comes increased scrutiny and security assessment requirements.

E-Sign provides a world-class security and compliance programme, including being ISO 27001, Cyber Essentials Plus, and SOC compliant. As a business or individual, you can feel confident that any potential risks are being addressed by the E-Sign security and compliance team. Compliance is a top priority for our dedicated team. We continually demonstrate how our policies and procedures meet or exceed industry standards. This is achieved by industry best practices, annual independent third-party audits of E-Signs controls, certifications from accreditation bodies including UKAS ISO27001, ITHC and attestations of compliance.

Let’s look at the issues most important to you when assessing security and compliance risks and how we address them. The topics to evaluate for potential risk are listed below, each focusing on a different area of security, privacy and legal compliance:

There are two types of data encryption: at rest and in transit. ‘Data at rest’ refers to data being housed physically on computer data storage, in any digital form. On the other hand, data ‘in transit’ is moving between devices or two network points.

Why is this important?

Data encryption, which prevents data visibility in the event of its unauthorised access or theft, is commonly used to protect data in motion and is increasingly promoted for protecting data at rest.

E-Sign’s security protocol includes the following:

• 256-bit encryption
• Security protocols for SSL certificates, logging into servers and tunnelling
• Data/documents encryption
• Data disposal and reuse policy
• Processes for equipment management and secure media disposal

Keeping customers’ private data and sensitive information safe is essential. it can create a dangerous situation If financial data, healthcare information, and other personal consumer or user data are exposed to the wrong people. Access control is paramount regarding personal information. Individuals can be at risk of fraud and identity theft if controls are not put in place.

E-Sign is compliant with the General Data Protection Regulation (GDPR), the most important data protection regulation in over 20 years, which is important when transferring data between countries, especially in and out of the European Union.

Cybersecurity is an ever-growing concern, as an increasingly large portion of our lives and activities occur online.

How does E-Sign comply?

E-Sign has data management and privacy practices in place around the following:

• Privacy notices
• Data subject rights
• Data deletion and retention
• Data access
• GDPR and other privacy regulations
• Data residency
• Sub-processors
• Training and Awareness
• Governance and accountability

Access controls limit access to information and information processing systems, so that people have enough information to carry out their job, but nothing more and there are processes in place such as access control registers, to remove that access when the employee changes jobs or leaves the company. It’s also crucial that envelopes can only be accessed by authorised parties.

When implemented effectively, access controls mitigate the risk of information being accessed without the appropriate authorisation, unlawfully and the risk of a data breach.

E-Sign addresses access control requirements with the following: 

• User permissions and groups
• Centralised provisions for controlling access via multi-factor authentication
• Password policy
• Compliance visibility: Who has access to what
• A network management system, complete with anti-virus software and malware detectors
• A key management and encryption programme
• Automatic processes for detecting potentially harmful code

“Legal” and “ethical” aren’t necessarily the same thing. Business ethics outlines acceptable behaviours beyond government control.

Ethical behaviours include forced labour and human trafficking, fair pay and more. While the U.K. has the Modern Slavery Act, it’s important from a third-party risk perspective to ensure this is extended to everybody in the supply chain.

Business continuity (BC) and disaster recovery (DR) are closely related practices that support an organisation’s ability to stay operational during or after a disaster. From natural disasters to cyber-attacks, organisations must remain resilient to these types of threats.

Why is this important?

In the event of an adverse event, organisations need to continue business operations with little or no disruptions and minimise any potential risks.

What does E-Sign have in place?

• Regularly reviewed policies and procedures
• Business continuity and disaster recovery plans
• Regular testing of the plan
• Geo-dispersed data centers with built-in redundancy measures
• Elimination of single points of failure
• Near real-time secure data replication