Due Diligence and Ongoing Monitoring

  • 1.  Low Vendors

    Posted 03-16-2021 03:18 PM

    Good Afternoon, 

    TPRM, IS Security, and Privacy are beginning the discussion around some of our low vendors and trying to determine if we need to continue doing Information Security and Privacy due diligence when the risk is very low. Curious if others have specific criteria or thresholds or a simplified due diligence questionnaire for these low risk vendors? 

    Thank you, 
    Nick Petersen



  • 2.  RE: Low Vendors

    Posted 03-16-2021 07:44 PM
    When it comes to Information Security, I usually take the stance of being a bit more aggressive and being a bit more critical during the risk assessment phase. For discussion's sake, let's assume your risk assessment is in two parts. The general risk assessment is one and the other is InfoSec. Let's say that the general risk assessment deems a vendor to be low, at which point we move on to the InfoSec questions. In my book the very first question is, "Will this vendor have access to client data?" If the answer is Yes, then regardless of the answers to the rest of the InfoSec questions, this vendor would remain on the books and should require some sort of InfoSec assessment.

    Perhaps you could look at your InfoSec assessment. It may be 50 questions long, which is perfectly fine for a high-risk vendor, but maybe you only need to cover 25 for a low-risk vendor. If you have a vendor that is low risk, I've usually found that we can look over the questions and see which ones are critical to understand and which ones are more of a clarifying point.

    In the end, I would suggest caution, and don't be too quick in cutting corners when it comes to safeguarding your company's and clients' data.



  • 3.  RE: Low Vendors

    Posted 03-23-2021 10:37 AM
    Thanks, Carl, for the response. We do have different versions, a "long" and a "short", dependent upon certain criteria. We are just trying to think of ways to streamline our process as the volume has increased for onboarding new vendors. We have seen a significant number of them being in the low category based on our initial risk assessment but having only, for example, name and email address. I was just curious how others were tackling these low vendors and how they were scaling their assessments.

    Thank you again, 
    Nick Petersen