Policy, Program and Procedures

  • 1.  Exclusions within Policy

    Posted 11-19-2019 06:35 PM
    We are contemplating excluding certain types of third parties from our TPRM program.  For instance, flower shops, stores that sell training materials, etc.  What types of third parties do you exclude today?


  • 2.  RE: Exclusions within Policy

    Posted 11-20-2019 08:22 AM
    We don't exclude anyone. We run all new vendors through a short inherent risk questionnaire. If they come out "Exempt" then that's all we do (although we re-verify that rating annually). We do it this way to take the subjectivity out of it. For instance, some people might think the cleaning company should be excluded from the program. But they have access to sensitive data, so they are not Exempt. If you can structure an efficient intake process that allows you to quickly and objectively assess the inherent risk of all vendors, I have found that to be the best way of determining who should be included in the program.


  • 3.  RE: Exclusions within Policy

    Posted 11-20-2019 08:27 AM
    Hi Barb - We exclude vendors who are non-material and would have absolutely no negative impact on our ability to operate - caterers, office furniture suppliers, etc.
    We do include anyone who would fall under GLBA or have access to our operational floor/offices or technology.


  • 4.  RE: Exclusions within Policy

    Posted 11-20-2019 09:00 AM
    In my program - we include any and all vendors/suppliers that receive payment in exchange for goods and services.  The initial on-boarding is very quick, so any vendor that exposes us to little or no risk, i.e. the florist, is quickly identified as an approved vendor.  I have found this eliminates any confusion within my company - if it's a new vendor, the vendor owner has to talk to someone in Vendor Risk Management.  VRM then decides how deep the on-boarding and on-going vendor management will be. The other "hazard" I have encountered is that if a vendor is initially providing us with a low-risk service, i.e. a TV repair person, once they are listed as an approved vendor, the business may begin using them for other work, i.e. the TV repair person is also skilled in repairing equipment that sits in my data center, and suddenly a vendor that was initially exempt from review is working in my data center.  True story.  Moral of my story: review everyone at the beginning so they are on your radar and you have some type of documentation on file.