Due Diligence and Ongoing Monitoring

  • 1.  Fourth Party

    Posted 03-31-2020 09:24 AM
    I was recently made aware that one of our vendors is using a vendor (so a fourth party for us) that it appears our third party did not review. We are attempting to collect due diligence docs on our own and self-review.
    Has anyone run into this before? Did you include it in your vendor management program in order to review it?


  • 2.  RE: Fourth Party

    This message was posted by a user wishing to remain anonymous
    Posted 03-31-2020 09:36 AM

    As part of our 3rd Party Assessment Process, we review whether our 3rd Party has a Vendor Management Program in place to assess their 3rd Parties (our 4th parties). If not, we consider it a Finding that requires Remediation. This issue is brought to the attention of leaders and tracked until remediated.


  • 3.  RE: Fourth Party

    This message was posted by a user wishing to remain anonymous
    Posted 03-31-2020 09:50 AM

    We do the same. It would be considered a Finding to be remediated or risk accepted. Probably a Very High (P1) or High (P2) priority Finding.

    In some rare cases, we may run a fourth party through our complete program. One example would be if a third party was selling a service we use to another supplier where, at some point after deal close and transition of services, the new supplier would be a third party.

    Thanks.


  • 4.  RE: Fourth Party

    This message was posted by a user wishing to remain anonymous
    Posted 03-31-2020 11:08 AM

    We ask about any sub-service providers our vendors use and how they are ensuring these sub-service providers are meeting the vendor's control environment (compliance, privacy, cybersecurity, BCP, etc.). We are only concerned about their critical or significant sub-service providers. If they have an SSAE 16 report, we look specifically for sub-service providers. If the vendor is not cooperative, we treat the fourth party as a third party to us.