This message was posted by a user wishing to remain anonymous
For us, the risk and our assessment is not just whether a vendor is escorted or not. We look at all the layering of our controls, such as: does the vendor have access only to the area required, how effective is our "Clean Desk Policy", what is Info Sec's time for locking out screens and robustness in provisioning user access, are sensitive areas locked down (wire room, FX trading, scanning room, etc.), do we have camera surveillance, how robust is our background check for ongoing vendor personnel, how strong is our contract with penalty clauses (vendor is financially responsible for actions of their personnel), etc.
Original Message:
Sent: 06-23-2020 11:08 AM
From: Jeff Bater
Subject: Vendor with escorted or un-escorted access to building
Good Morning!
We are building out our Third Party management processes. We have run into a gap when considering office access by vendors. Our current inherent risk questions regarding an engagement do not take into account whether a vendor will have escorted or un-escorted access to our office spaces. An example would be a coffee vendor who has un-escorted access to our different floors to restock, clean and also service the equipment.
Based on the other risk-based questions they show as low, but we need to take into account this physical access risk. We also have a vendor that services the storage carousels for micro-fiche sheets. They have access and could pocket some of those, which contain PII or PHI of our customers from the past.
How are others taking this into account? What mitigation controls do others put in place for these types of vendors?
Thank you