Due Diligence and Ongoing Monitoring

  • 1.  4th Party due diligence and assessments

    This message was posted by a user wishing to remain anonymous
    Posted 06-23-2021 01:03 PM

    How do you manage 4th party vendors? How are you tracking and what questions are you asking of your 3rd Party vendors to complete 4th party due diligence?


  • 2.  RE: 4th Party due diligence and assessments

    Posted 07-06-2021 08:54 AM
    Good Morning,
    I thought you may find these resources regarding fourth-party vendors helpful, so I wanted to pass them along:

    I'd love to hear if anyone else has tips for managing fourth-party vendors or resources to share.


  • 3.  RE: 4th Party due diligence and assessments

    This message was posted by a user wishing to remain anonymous
    Posted 08-20-2021 01:40 PM

    Looking for some assistance in finalizing our fourth-party policy. I have reviewed the Venminder resources on the topic (very helpful) and I've read much of what has been posted in this forum. There have been instances when we've successfully completed a due diligence review on the 4th party despite not having a contractual relationship with them. How should we address this in our 4th party policy? Should our policy specify that we'll attempt to perform a due diligence review of our critical 4th party vendors and provide alternative processes when the vendor refuses? Is it best practice NOT to directly engage the 4th party?


  • 4.  RE: 4th Party due diligence and assessments

    Posted 08-20-2021 02:09 PM

    I've never reached out directly to a 4th party, but that depends on what you put into your policy.

    I've used ideas like – the 3rd party has a vendor management program of their own, so we only request a SOC report of 4th parties that have our data.

    The 3rd party can generally give you a copy of the 4th party, with permission of course, and possibly an NDA.

    Thanks,

    Dave

    David Howe
    Chief Information Officer