Due Diligence and Ongoing Monitoring

  • 1.  Off Boarding Vendors

    Posted 05-11-2020 03:17 PM
    Good Afternoon,

    We are currently in the process of developing our TPRM program. One of our projects within the program is defining and formalizing exit/termination requirements for vendors. While I understand that there should be language in the contract with the vendor, I'm curious to know what is being used by other companies as a formal process, checklist, workflow, etc. when they are off boarding vendors.

    Any and all input would be greatly appreciated. Thank you.


  • 2.  RE: Off Boarding Vendors

    Posted 05-12-2020 10:16 AM
    We have a playbook for vendor acquisition. What we did is simply "reverse engineer" the process for off-boarding.


  • 3.  RE: Off Boarding Vendors

    Posted 05-12-2020 11:08 AM
    Makes perfect sense. Thank you.


  • 4.  RE: Off Boarding Vendors

    Posted 05-12-2020 10:32 AM
    I agree with Paul, "reverse engineering" is one of the most efficient approaches. To add to that, from an InfoSec perspective, it is important to have something about decommissioning access rights to systems, facilities, etc. Further, to ensure that the decommissioning process is being done, it would be prudent to enforce a periodic review (every 90 days or so, unless you desire more frequency) of physical and user access rights to ensure only authorized users have access, and that any decommissioning events that slipped through the cracks are identified and rectified. Everything else as far as confidentiality, non-disclosure, non-compete, etc. clauses should be handled contractually. Lastly, I'd recommend having a contingency plan in place to ensure continuity of service in the event a vendor has to be off-boarded expeditiously. I hope this helps!


  • 5.  RE: Off Boarding Vendors

    Posted 05-12-2020 11:08 AM
    Definitely helps...thank you!


  • 6.  RE: Off Boarding Vendors

    This message was posted by a user wishing to remain anonymous
    Posted 05-12-2020 11:03 AM

    Based on inherent risk, financial stability, etc., we have a good number of our engagements with an Exit Strategy. Additionally, the LOB completes a Termination checklist assessment for all exiting relationships, and requires a termination letter acknowledged by the Third Party. Our contracts have a Termination clause which includes deconversion and orderly transition.

    Hope this helps.


  • 7.  RE: Off Boarding Vendors

    Posted 05-12-2020 11:09 AM
    Yes it does help. Thanks for the info!


  • 8.  RE: Off Boarding Vendors

    Posted 05-12-2020 01:25 PM
    May I ask what your termination checklist assessment consists of? I've come up with things I think it should include, but was curious if there are things that I am not thinking of.

    Thanks.


  • 9.  RE: Off Boarding Vendors

    This message was posted by a user wishing to remain anonymous
    Posted 05-12-2020 02:06 PM

    Sure. See below. You could re-frame based on how you would plan to use.

    Document the justification for termination of the relationship.

    Identify all impacted Stakeholders.

    Has an exit plan been developed for this relationship?

    Review the existing exit plan to determine if it contains any information that can support the termination process.

    I have engaged with Legal Department to determine the steps necessary to terminate the contract (Provide Legal resource with copy of current contract, scope of service being terminated and current Exit Plan if applicable). (Yes or No)

    Schedule review with Legal Department (and Procurement if applicable) for direction on contractual obligations for this termination

    Identify all applicable risk related reasons for termination.

    Has the Supplier acknowledged the notification of the intent to terminate the relationship? 

    Has the termination been communicated to all impacted stakeholders? 

    Has formal documentation (including emails, letters, etc.) of the contract's termination (or lack of renewal) been stored within the repository folder and provided to Legal Department?

    Has all confidential and proprietary information been received back from the Supplier?

    Has a certification of the materials' destruction been received?

    Have you verified that the Supplier and its employees and/or contracted employees have undergone formal deprovisioning to remove access to our systems and/or secure our locations? 

    Have all connections to the company network, such as VPNs or other direct connections, been terminated?

    Have all automated data transmissions to or from the Supplier been terminated?

    Has the Supplier returned all physical and logical assets to their respective business unit (including offsite backups or assets in other locations)? 

    If the Supplier provided software development services or services that included the creation of custom code, has the source code been obtained for future use? Provide details as to the location of the source code.

    As of the termination date, has all the historical information related to the Supplier been stored to comply with our records information management policy (e.g., retention of financial data, acknowledgement of post contractual obligations, risk assessments, scorecard, etc.)?

    Provide all formal documentation (including emails, letters, etc.) of the contract's termination (or lack of renewal).
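One way to automate the periodic access review suggested in reply 4, using the deprovisioning, network-connection, data-transfer and physical-access items of the checklist above, as an added example that is not code from any poster here: it reconciles a list of terminated vendors against an access inventory and reports which checklist items cannot yet be closed. Vendor names, termination dates and the inventory are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date

# Maps an access type from the inventory to the checklist item it answers
CHECKLIST_ITEM = {
    "account": "formal deprovisioning of Supplier staff",
    "vpn": "network connections (VPN/direct) terminated",
    "sftp_job": "automated data transmissions terminated",
    "badge": "physical access to our locations secured",
}

@dataclass(frozen=True)
class AccessRecord:
    vendor: str
    kind: str          # one of the CHECKLIST_ITEM keys
    identifier: str    # account name, tunnel name, job name, badge number
    active: bool

# Constructed sample data: vendors already off-boarded, with contract termination dates
TERMINATED = {"AcmePayroll": date(2020, 3, 31), "BlueCloud": date(2020, 4, 30)}
REVIEW_DATE = date(2020, 5, 12)  # date of this 90-day review cycle

# Constructed sample inventory, as it might be merged from IAM, VPN and scheduler exports
INVENTORY = [
    AccessRecord("AcmePayroll", "account", "svc-acme-hr", True),
    AccessRecord("AcmePayroll", "vpn", "acme-s2s-tunnel", False),
    AccessRecord("BlueCloud", "sftp_job", "nightly-claims-export", True),
    AccessRecord("BlueCloud", "badge", "B-10442", True),
    AccessRecord("GreenPrint", "account", "svc-greenprint", True),  # vendor still active
]

def residual_access(inventory, terminated, review_date):
    """Active access belonging to vendors terminated on or before review_date,
    oldest leftovers first (those slipped through the most review cycles)."""
    findings = []
    for rec in inventory:
        term = terminated.get(rec.vendor)
        if term is None or term > review_date or not rec.active:
            continue
        findings.append({"vendor": rec.vendor, "kind": rec.kind, "id": rec.identifier,
                         "days_since_termination": (review_date - term).days})
    return sorted(findings, key=lambda f: -f["days_since_termination"])

def open_checklist_items(findings):
    """Per vendor, the termination checklist items that cannot yet be marked complete."""
    open_items = {}
    for f in findings:
        open_items.setdefault(f["vendor"], set()).add(CHECKLIST_ITEM[f["kind"]])
    return open_items

if __name__ == "__main__":
    for f in residual_access(INVENTORY, TERMINATED, REVIEW_DATE):
        print(f"{f['vendor']:<12} {f['kind']:<9} {f['id']:<24} {f['days_since_termination']} days")
```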

  • 10.  RE: Off Boarding Vendors

    Posted 05-14-2020 10:28 AM
    Thank you very much. This is very helpful.