This discussion will cover how to build and evaluate a risk mitigation framework for third-party vendors. It will examine some standard industry forms of attestation (PCI ROC, SSAE 16, SOC 2), criteria for evaluating risk (sensitivity of data, controls around access, scale of data, reputation of vendor), and contractual protections (employee screening, incident notification requirements, audit rights).