A Practice Note explaining how to manage privacy and data security risks created by vendors and service providers. This Note provides guidance for developing a privacy and data security vendor management process, including due diligence questionnaires and assessments, contracting strategies, and continued vendor oversight. This Note also addresses the role of vendor and supply chain risk management in an organization's overall information security program.