Risk Assessments

  • 1.  Outsource experience with InfoSec reviews

    This message was posted by a user wishing to remain anonymous
    Posted 05-04-2021 11:19 AM

    Team,

    I'm interested in your experience with outsourcing the InfoSec review portions of the Due Diligence & Risk Assessment. 

    We are looking for some scalable/on-demand assistance for our InfoSec SME team. 

    Have you used KY3P, TruSight, or a similar provider? 
    What was the impact/saving, if any, to your SME team?  e.g. allowed my SME team to focus on the 20% with material follow-ups
    Was it a risk based assignment of work to the outsource?  e.g. our lowest inherent risk is always outsourced, our highest inherent risk remains in-house.
    Did their review standards fall short of, meet, or exceed your own?


    Any other feedback welcome.


  • 2.  RE: Outsource experience with InfoSec reviews

    Posted 05-17-2021 10:13 AM
    We have not found an outsource partner who is mature enough to meet our needs. Sure, they are asking the right questions but that is a low bar. It is the interpretation of the answers that they struggle with. Our questionnaire is more like, "please explain your policy and procedure for X" and not "Do you have a X policy?" The binary answers never provide the detail needed to determine whether your suppliers will be effective in managing their own risk. 

    However, this is a "your mileage will vary" sort of thing. It just hasn't been something that we have been able to find value in.