Policy, Program and Procedures

  • 1.  What is a vendor?

    This message was posted by a user wishing to remain anonymous
    Posted 04-02-2021 08:28 AM

    What is your definition of a vendor?

    With an ever-growing list of vendors in our organization, I am attempting to create a firm definition of what constitutes a vendor, in hopes of reducing the number of vendors on which we perform risk assessments, due diligence reviews, etc.

    1. Does anyone have a good way to categorize what they will not consider a vendor before walking through a risk assessment?
    2. What types of vendors do you exclude from risk assessments and/or due diligence reviews (e.g. magazine subscriptions? online job surfing portals? social media pages? certain utility vendors, office supplies, etc.)?
    3. Are there any questions you ask your Business Owners to determine whether or not you consider this a vendor?
    Any additional insight would be much appreciated!  The easier we can make this on ourselves and our Business Owners, the better!

  • 2.  RE: What is a vendor?

    Posted 04-02-2021 08:54 AM
    Hey there - Sounds like you have two needs, each of which should be established in a Vendor Risk Management Charter:
    1. Defining what a vendor/supplier is to your organization
    2. Defining which of these vendors/suppliers are of potential risk to your organization
    For #2, look to your sensitive data to define your scope. Do you have a data classification policy? What third parties manage it, host/store it, process or transmit it, or have access to it within your environments or theirs (e.g., a SaaS solution your teams use)? From this you'll be able to effectively determine those who may impact your organization's security, product availability, and/or business continuity of operations (performing a Business Impact Analysis will effectively determine this). Any vendors outside of these considerations would ultimately be out of scope (such as your examples like magazine subscriptions).

    This will be an ideal baseline for determining which vendors should be subject to risk reviews (inherent/pre-contract and residual/ongoing). You can then engage Business Owners (especially your IT teams) to help advise on those who fall into those buckets if you can't readily identify that yourself. It should also go without saying that working closely with your Procurement/Purchasing team will be essential to the success of your VRM operations.

    In a VRM Charter you should establish what your risk evaluation procedures will be. This strategy can come from an industry-recognized framework to ensure you're aligning with best practices as well. It'll make your procedures easier to understand and adopt across the business if your goals and objectives are clearly understood by Business Owners. Furthermore, if your company undergoes any annual audits, this will also serve as evidence for those purposes (e.g. PCI DSS, SOC 1 or SOC 2).

    Hope this helps!

    Brad B.

  • 3.  RE: What is a vendor?

    Posted 04-02-2021 09:00 AM

    The Office of the Comptroller of the Currency (the "OCC") defines a third-party relationship as

    "any business arrangement between a bank and another entity, by contract or otherwise, including activities that involve outsourced products and services, use of independent consultants, networking arrangements, merchant payment processing services, services provided by affiliates and subsidiaries, joint ventures, and other business arrangements where the bank has an ongoing relationship or may have responsibility for the associated records. Third-party relationships generally do not include customer relationships."

    In our policy statement, we specifically exclude from oversight:

    • Federal and State government agencies,
    • Banks or Thrifts with oversight provided by the Office of the Comptroller of the Currency, Federal Reserve Board of Directors, Office of Thrift Supervision, or other government oversight organization[1],
    • Major credit bureaus,
    • External parties which do not meet the Office of the Comptroller of the Currency's definition of a Third-party Relationship,
    • Donations,
    • Sponsorships,
    • Subscriptions.

    Please let me know if you have questions, or if I can provide additional information at this time.

    Rosalie Stremple, MS-MIS, CTPRP, CBCP

    Vice President