Policy, Program and Procedures

  • 1.  Vendor Portal Procedures

    Posted 05-03-2022 03:41 PM
    Hi All,

    As you are aware, many vendors have portals that we log in to for the various services they provide. Some have Private Individual Information of our members/customers, some do not. Some have Multi-Factor Authentication to access them and some do not. We recently completed a review of all our vendor portals for the first time and checked access levels, users, etc.

    With that being said, this is new and we do not have a procedure in place, and I've been tasked with creating one.

    Do any of you have a procedure you can share that I can use as a guide to help with this task? I'd hate to have to invent the wheel if there is some guidance out there.

    Thanks so much! I'm very excited to be a new member of this group.

     Cheryl Turner

  • 2.  RE: Vendor Portal Procedures

    Posted 08-23-2022 12:48 PM
    Hi Cheryl,

    We have not broken out a separate process for vendor portals, but from what you are describing, many of these data points would be captured in our application risk assessment and user access reviews. Those processes fall outside TPRM at our organization and instead would be handled by our information security and information technology teams.

    Shelly Chase
    AVP Operational Risk

  • 3.  RE: Vendor Portal Procedures

    Posted 08-23-2022 07:25 PM
    I would recommend adding it to your existing procedures document and simply walking through what you do.
    Remember, Policy explains What you do... but Procedures explain How you do it.

    So if you have a framework for your Due Diligence processes/procedures, you'll be adding the review and assessment of vendor-provided portals to that due diligence process. I recently had to update procedures related to cloud-hosted services, where the administration of user access was performed by the business unit directly and not IT. (Not a recommended process, but I have some legacy SaaS solutions that are managed by the business unit and not IT.)

    The procedure was just a few sentences, plus a reference to the cadence of review based on our due diligence lifecycle chart... which is simple.
    If the Inherent Risk is High, Risk Assessments and Due Diligence are re-performed at least annually. If Medium, then at least every 2 years; and Low is every 3 years... I've copied the procedural statement below. (VRMO is the Vendor Risk Management Office and VCO is the Vendor Contract Owner.) By the way, don't blame me for the acronyms; they brought Accenture on board before they hired me... :-)

    6.6  Additional Due Diligence review for services hosted in a "Cloud" environment.

    Services contracted for that are hosted in a "Cloud" environment (such as SaaS or PaaS), where the Bank has shared responsibilities expressly stated in the contract, will be reviewed by VRMO and Information Security to ensure that the Bank's interests are protected. The review will determine if the VCO has the necessary technical skills to properly perform their contractual "Client responsibilities" as specified in the contract.

    The review of such Additional Due Diligence will be performed on a cadence based on the risk rating; see chart above.

    Bradley Martin