Due Diligence and Ongoing Monitoring

  • 1.  Service Desk Vendors

    Posted 06-17-2021 09:49 AM
    We are currently looking at utilizing a service desk vendor and wondering what kind of due diligence do we need to review from them? Would anyone have any recommendations? 


  • 2.  RE: Service Desk Vendors

    Posted 06-18-2021 08:30 AM
    We consider our service desk vendor relationship to be a critical relationship and evaluate it at our highest level of due diligence requirements.  We would therefore ask for SOC 1 & 2 (if both available), financials, DR/BCP plan and testing results, copy of third party risk policy, copy of privacy policy, copy of infosec policy and current COI.  We additionally request copies of any cyber security or third party risk assessments or certifications such as PCI, SIG, Privacy Shield or ISO.  Finally, InfoSec reviews and may run a third party assessment such as Normshield.


    Shelly Chase
    Senior Risk Analyst Officer