Due Diligence and Ongoing Monitoring

  • 1.  WAN providers

    This message was posted by a user wishing to remain anonymous
    Posted 01-30-2020 10:17 AM

    What due diligence is recommended for WAN service providers?


  • 2.  RE: WAN providers

    This message was posted by a user wishing to remain anonymous
    Posted 02-04-2020 09:32 AM

    Can anyone provide insight? Are WAN, core-network, and fiber providers lower risk since they can be easily replaced?


  • 3.  RE: WAN providers

    This message was posted by a user wishing to remain anonymous
    Posted 02-04-2020 04:06 PM

    In my opinion, there are too many unstated variables to provide an all-encompassing answer to your question. It would be helpful to know more about what type of WAN you're referencing. Is the service provided a critical service? How reliant are you on that provider?

    For example, up until about 2 years ago our ISP was classified relatively high because we had a few locations where there were no competing service providers of a scale that we could utilize. If the ISP were non-functional, some of our locations would have been unable to utilize our core operating system and would have had to close. Recently, however, a second large ISP expanded its territory and we were able to add redundancy to all locations, plus a failover that has been operating seamlessly. In this example, the due diligence requirements would be different for the large ISPs and one of the smaller ISPs (had we chosen to use one).

    Maybe you can provide more info?


  • 4.  RE: WAN providers

    Posted 02-07-2020 10:29 AM
    Good Morning! 

    I hope you will allow me to join your WAN conversation party! Venminder approaches risk and criticality as 2 separate classifications. A critical vendor is one where 1) a sudden disappearance would cause a material disruption to your business, 2) a disappearance would impact your customers, and/or 3) the time to recover is greater than 24 hours/1 business day (or any other length of time determined by your institution as a critical time limit). Conversely, a non-critical vendor does not meet any of these designations. 

    Risk is determined by a number of factors, including but not limited to the responses to these questions: 

    Have there been any reported/disclosed violations of law or regulatory guidance? 
    Are all policies and procedures reviewed and approved on an annual basis?
    Are all materials, terms and conditions required to have the organization's review and approval prior to distribution by the vendor?
    Does the vendor process transactions on behalf of your organization, customers or employees?
    Is sensitive data, such as nonpublic information (NPI) or personally identifiable information (PII), being exchanged?

    Considering the WAN vendor in your original question, a service provider that can be easily replaced may be considered a non-critical vendor. The risk is going to be determined by considering a range of factors, especially the questions listed above. I recommend referencing the infographic "The Differences Between A High-Risk and Critical Vendor" for more explanation of the differences between criticality and risk.


  • 5.  RE: WAN providers

    Posted 02-05-2020 12:37 PM
    Can anyone provide insight? Are WAN, core-network, and fiber providers lower risk since they can be easily replaced?
    We classify these providers as Critical and High risk vendors. We attempt to do full due diligence, but in our primary provider's case we can only get financials. Being FCC-regulated mitigates most of the remaining risk. Since you consider them easily replaced, that would be a mitigating factor to lower the Residual risk rating.