Due Diligence and Ongoing Monitoring

This message was posted by a user wishing to remain anonymous

With my current and my two prior employers, we reviewed each vendor by product.  

Each product is reviewed separately.  

Original Message:
Sent: 07-07-2021 02:12 PM
From: Ken Claeson
Subject: Vendor Review Consolidation

As I look across my vendor landscape, we have a TPRM review for each use case of a vendor. For instance, we have multiple reviews for Microsoft products. Do you consolidate these use cases in to one review or keep them separate?

Hi,
We review each product separately, but there are some exceptions. If multiple products within one vendor have the same level of access to information, the same vendor owner, and can be risk assessed the same way, we keep them together. It is rare that this happens. I let the vendor owner make this determination, since they are the one completing our internal review questionnaire.
Original Message:
Sent: 07-07-2021 02:12 PM
From: Ken Claeson
Subject: Vendor Review Consolidation

As I look across my vendor landscape, we have a TPRM review for each use case of a vendor. For instance, we have multiple reviews for Microsoft products. Do you consolidate these use cases in to one review or keep them separate?

Denise,

Can you share a sample of the internal questionnaire you provide your vendor owners to complete, please?

Thanks,
Original Message:
Sent: 07-08-2021 11:41 AM
From: Denise Dalrymple
Subject: Vendor Review Consolidation

Hi,
We review each product separately, but there are some exceptions. If multiple products within one vendor have the same level of access to information, the same vendor owner, and can be risk assessed the same way, we keep them together. It is rare that this happens. I let the vendor owner make this determination, since they are the one completing our internal review questionnaire.
Original Message:
Sent: 07-07-2021 02:12 PM
From: Ken Claeson
Subject: Vendor Review Consolidation

As I look across my vendor landscape, we have a TPRM review for each use case of a vendor. For instance, we have multiple reviews for Microsoft products. Do you consolidate these use cases in to one review or keep them separate?

Hi Jennifer,

It is an interactive document, but the questions I have the vendor owner answer are the product name and details, vendor contact information, and then the following:

1. Does this vendor have equipment that requires an upgrade? ☐ Yes ☐ No
2. Does the vendor have access to member information? ☐ Yes   ☐ No
3. Does the vendor have access to employee information? ☐ Yes   ☐ No
4. Does the vendor have access to confidential company information? ☐ Yes   ☐ No
   • If Yes was selected for 2, 3, or 4 - how will the vendor receive this information?
5. Does this vendor have access to card data? ☐ Yes ☐ No
   • If Yes was selected, please include PCI certification with due diligence.
6. Does this vendor require user access (username and password)? ☐ Yes   ☐ No
7. Will this service or product include technology that company will own or operate?  ☐ Yes   ☐ No
8. Does this service or product include technology that will be operated or owned by a third party? ☐ Yes   ☐ No
9. Is this vendor's service/product continuing to meet company needs? ☐ Yes   ☐ No
   • If Yes was selected, will we be renewing agreement? ☐ Yes   ☐ No
   • If No was selected, please include deconversion language from contract:

Sorry if the formatting is a little off from pasting, but some of these questions are part of our risk assessment, so if all of the responses are the same for multiple products within the same vendor, I keep their product listings separate but use the same assessment.
Original Message:
Sent: 07-08-2021 11:45 AM
From: Jennifer Lucas
Subject: Vendor Review Consolidation

Denise,

Can you share a sample of the internal questionnaire you provide your vendor owners to complete, please?

Thanks,
Original Message:
Sent: 07-08-2021 11:41 AM
From: Denise Dalrymple
Subject: Vendor Review Consolidation

Hi,
We review each product separately, but there are some exceptions. If multiple products within one vendor have the same level of access to information, the same vendor owner, and can be risk assessed the same way, we keep them together. It is rare that this happens. I let the vendor owner make this determination, since they are the one completing our internal review questionnaire.
Original Message:
Sent: 07-07-2021 02:12 PM
From: Ken Claeson
Subject: Vendor Review Consolidation

As I look across my vendor landscape, we have a TPRM review for each use case of a vendor. For instance, we have multiple reviews for Microsoft products. Do you consolidate these use cases in to one review or keep them separate?