Risk Assessments

  • 1.  Vendor Risk Assessments vs Product Risk Assessments

    This message was posted by a user wishing to remain anonymous
    Posted 03-04-2020 01:44 PM

    We are having a discussion at our company on the risk assessment questions pertaining to the cybersecurity of vendors when the vendor offers multiple products. Do you assess a vendor by product offering or just the vendor itself? What are you doing with some of these big vendors that have acquired companies and whose operating systems may be completely different? We have been requesting a SOC 2 for the services that the vendor is providing to us. But we now find ourselves with the same vendor and multiple services. We thought about putting all of the services under one vendor; however, the business owner and vendor contacts are different. We do not want to send multiple questionnaires to the same vendor for each product. Can anyone offer any insight if you have dealt with this?
    Thanks.


  • 2.  RE: Vendor Risk Assessments vs Product Risk Assessments

    Posted 03-05-2020 08:10 AM
    We assess vendors and products. One vendor assessment, and then separate assessments for each product. In cases where one vendor provides multiple products, we do send multiple product questionnaires to the vendor. We've never gotten pushback on this. Different products can have very different risk profiles even from the same vendor (e.g., hosted software versus on-prem software), and it's important to understand those differences.