Due Diligence and Ongoing Monitoring

  • 1.  Vendor Review Consolidation

    Posted 07-07-2021 02:12 PM

As I look across my vendor landscape, we have a TPRM review for each use case of a vendor. For instance, we have multiple reviews for Microsoft products. Do you consolidate these use cases into one review or keep them separate?



  • 2.  RE: Vendor Review Consolidation

    This message was posted by a user wishing to remain anonymous
    Posted 07-07-2021 03:02 PM

With my current and my two prior employers, we reviewed each vendor by product.

Each product is reviewed separately.




  • 3.  RE: Vendor Review Consolidation

    Posted 07-08-2021 11:41 AM
    Hi,
    We review each product separately, but there are some exceptions. If multiple products within one vendor have the same level of access to information, the same vendor owner, and can be risk assessed the same way, we keep them together. It is rare that this happens. I let the vendor owner make this determination, since they are the one completing our internal review questionnaire.


  • 4.  RE: Vendor Review Consolidation

    Posted 07-08-2021 11:46 AM
    Denise,

    Can you share a sample of the internal questionnaire you provide your vendor owners to complete, please?

    Thanks,


  • 5.  RE: Vendor Review Consolidation

    Posted 07-08-2021 01:21 PM
    Hi Jennifer,

    It is an interactive document, but the questions I have the vendor owner answer are the product name and details, vendor contact information, and then the following:

    1. Does this vendor have equipment that requires an upgrade? ☐ Yes ☐ No
    2. Does the vendor have access to member information? ☐ Yes   ☐ No
    3. Does the vendor have access to employee information? ☐ Yes   ☐ No
    4. Does the vendor have access to confidential company information? ☐ Yes   ☐ No
      • If Yes was selected for 2, 3, or 4 - how will the vendor receive this information?
    5. Does this vendor have access to card data? ☐ Yes ☐ No
      • If Yes was selected, please include PCI certification with due diligence.
    6. Does this vendor require user access (username and password)? ☐ Yes   ☐ No
    7. Will this service or product include technology that company will own or operate?  ☐ Yes   ☐ No
    8. Does this service or product include technology that will be operated or owned by a third party? ☐ Yes   ☐ No
    9. Is this vendor's service/product continuing to meet company needs? ☐ Yes   ☐ No
      • If Yes was selected, will we be renewing agreement? ☐ Yes   ☐ No
      • If No was selected, please include deconversion language from contract:

    Sorry if the formatting is a little off from pasting, but some of these questions are part of our risk assessment, so if all of the responses are the same for multiple products within the same vendor, I keep their product listings separate but use the same assessment.