Risk Assessments

  • 1.  Vendor with escorted or un-escorted access to building

    Posted 06-23-2020 11:09 AM
    Good Morning!

    We are building out our Third Party management processes.  We have run into a gap when considering office access by vendors.  Our current inherent risk questions regarding an engagement do not take into account whether a vendor will have escorted or un-escorted access to our office spaces.  An example would be a coffee vendor who has un-escorted access to our different floors to restock, clean and also service the equipment.

    Based on the other risk-based questions they show as low, but we need to take into account this physical access risk.  We also have a vendor that services the storage carousels for micro-fiche sheets.  They have access to pocketing some of those, which contain PII or PHI of our customers from the past.

    How are others taking this into account?  What mitigation controls do others put in place for these types of vendors?

    Thank you


  • 2.  RE: Vendor with escorted or un-escorted access to building

    This message was posted by a user wishing to remain anonymous
    Posted 06-23-2020 01:13 PM

    Hi!

    We have vendor staff like office messengers, cleaners, etc. working within the bank's premises. The security guards physically check the vendor staff at the time of entry & exit. Hope this helps!

    regards,
    Payal 




  • 3.  RE: Vendor with escorted or un-escorted access to building

    This message was posted by a user wishing to remain anonymous
    Posted 06-23-2020 02:02 PM

    For us, the risk and our assessment is not just whether a vendor is escorted or not. We look at all the layering of our controls, such as: does the vendor have access only to the area required, how effective is our "Clean Desk Policy", what is Info Sec's time for locking out screens and robustness in provisioning user access, are sensitive areas locked down (wire room, FX trading, scanning room, etc.), do we have camera surveillance, how robust is our background check for ongoing vendor personnel, how strong is our contract with penalty clauses (vendor is financially responsible for actions of their personnel), etc.


  • 4.  RE: Vendor with escorted or un-escorted access to building

    Posted 06-23-2020 03:03 PM
    There are other factors we are taking into account as well. You have listed all good factors.  Thank you so much for your input.  I will share with the team.