Due Diligence and Ongoing Monitoring

  • 1.  Hardware/Software Vendors

    Posted 12-10-2019 02:56 PM
    I'm curious to know how others might classify this. If a maintenance program is "purchased" for Cisco's products/equipment through a Broker, would you consider the broker or Cisco as the vendor? Or both?


  • 2.  RE: Hardware/Software Vendors

    Posted 12-10-2019 04:52 PM
    Hi John, I happened to own Technology Vendor Management (and vendor risk) for Cisco Systems before running the same programs for several other technology companies and large financial institutions. You are asking a very common (and interesting) question, which I will attempt to answer with the information provided (more information may be needed).

    1) Did your organization contract directly with Cisco? If that is the case, even if the maintenance program is fulfilled by a "broker", the vendor is still Cisco, and the maintenance provider may also be your direct vendor (or a 3rd party to Cisco).

    2) When you say "broker", do you mean "reseller"? If you contracted with a VAR (value added reseller) such as NTT, WWT, etc. (I am not intending to make an endorsement, just giving examples), the vendor is the reseller. Their vendor is Cisco, and depending on what contracts are in place for services, Cisco could be considered a "4th party" to your "3rd party", which is the reseller.

    3) A question you didn't ask but I think is relevant: in some cases, the primary technology provider (like Cisco) ends the life of the product and/or the ability to get service. In this case, your only options are finding a third-party maintenance provider or self-support. In the former case, a vendor like Cisco is no longer on the "hook" as a 4th party.

    I hope this information was helpful.
    Best,

    Keith Koo


  • 3.  RE: Hardware/Software Vendors

    Posted 12-10-2019 04:58 PM
    One more thing. If you did buy Cisco equipment through a "broker" and bought maintenance through them, it is important to know who is fulfilling the maintenance. Examples: 1) Cisco direct, 2) Cisco via a service partner, 3) a Third Party Maintenance Provider that does have a relationship with Cisco, or 4) a Third Party Maintenance Provider that doesn't have a relationship with Cisco. The 4th category would be rare.


  • 4.  RE: Hardware/Software Vendors

    Posted 12-10-2019 05:35 PM
    Hi, Keith!

    Thank you for the response. Yes, I did mean reseller/VAR. Technically, I guess Cisco would be the 4th party in my scenario. Cisco would perform the maintenance even though we purchased through the VAR. I did review with my CIO and Risk Manager, and we did decide to consider the VAR as the vendor.

    I appreciate your assistance and your input on this!

    John


  • 5.  RE: Hardware/Software Vendors

    Posted 12-11-2019 08:07 AM
    In my program I would treat both as vendors (3rd parties). Both Cisco and the VAR are providing products and/or services to you. I wouldn't consider Cisco a 4th party. VARs make that a little tricky, because you contract with the VAR. But even then, you are agreeing to Cisco's SMARTnet terms or whatever terms govern the maintenance services they're providing to you, in addition to the terms governing the Cisco HW you own.


  • 6.  RE: Hardware/Software Vendors

    Posted 12-11-2019 08:53 AM
    Morning all - 

    My program is in alignment with Josh's: I would treat both Cisco and the VAR as 3rd parties, especially given the nature of what Cisco is most likely doing for your organization. Given all the cyber security and privacy demands on our programs, better to go above and beyond.

    Shout-out to these Third Party Think Tank discussions - so good to know that others are facing the same questions and tricky paths.


  • 7.  RE: Hardware/Software Vendors

    Posted 12-14-2019 12:57 PM
    I agree with Pam and Josh. Cisco is a 3rd party, not 4th. The nature of the service and the relationship defines the party rank. The VAR takes your money and gives it to Cisco (pretty much). Not much about that makes them a 3rd party over and above Cisco.


  • 8.  RE: Hardware/Software Vendors

    Posted 12-12-2019 08:59 AM
    The idea of a third party program is to ensure controls are sufficient to protect your company. In order to perform diligence, it should be contractually agreed upon. I would focus here to help define the oversight, as you can build requirements for the 4th party audit into the VAR contract. Several large-scale companies will sign a specific contract to support the ongoing maintenance (externally exposed product support page) and/or professional services of a commercial off-the-shelf product (e.g. customization, remote access to update, support); the service should be in scope for a full review.