Due Diligence and Ongoing Monitoring

  • 1.  Due Diligence Docs

    This message was posted by a user wishing to remain anonymous
    Posted 10-04-2021 12:36 PM

    As part of our annual due diligence we ask for updated documents such as Information Security, Privacy, and applicable Compliance Policies (AML, PCI, NACHA, BSA, etc.); Cyber/Network Security Policies with Testing Requirements and Results (e.g. Vulnerability and/or Penetration Testing); Incident Response Policies with client notification protocols; Disaster Recovery/Business Continuity/Pandemic Plans; and Disaster Recovery/Business Continuity Testing Results, as this is not always discussed in the SOC report. I am finding it harder to collect these documents, as the vendors do not want to share them and they are confidential. Thoughts on how to get around this?

  • 2.  RE: Due Diligence Docs

    Posted 10-05-2021 02:27 PM

    I'm going to give you a different perspective than most, but this works well when you are not the big dog in the relationship. Retain a minimum amount of another organization's confidential information, especially if you have an SSAE SOC 2 that includes the review. If you do not have requirements for an independent attestation in agreements, it should be added. A contractual Right to Audit has to be explicit to access sensitive corporate information. Additionally, you limit the risk of a data leak/breach if your organization or a third-party provider stores this data. Example:


    • Onboarding:
      • Process to review documentation in full (desktop procedures)
        • List of things to keep
          • Full SOC2 report
          • Policy Table of Content
          • Application Vulnerability Executive Summaries
          • Network Penetration Test Executive Summary
          • Third Party Program Oversight Reporting and possible contract clauses
          • Aggregate Incident Metrics
          • etc.
    • Ongoing Due Diligence
      • Notification of material updates or issues that support/impact product/service
      • SSAE SOC 2/SOC 1 and PCI (if applicable) reports – when completed (not at time of next assessment)
      • Artifact Updates – example Policy change – scope of change and date
      • Regular Network/Application Vulnerability test summaries (if issues are found, set up a meeting to review)

    Michelle R Vitali      CISSP, CRISC, CDPSE, CTPRP
    Vice President | RCA Professional
