The process of assessing and monitoring the security risks posed by third-party vendors who have access to organizational data or systems.