Due Diligence and Ongoing Monitoring

  • 1.  Offsite Storage/Retention

    This message was posted by a user wishing to remain anonymous
    Posted 03-17-2022 10:15 AM

    Hello everyone.  I'm curious what due diligence you receive from your vendor that does your offsite storage of retention documents?  The company we use does both our onsite shredding services as well as house our offsite retention items.  

    We are getting ready for an exam and VM will be a hot topic.  

    Someone mentioned creating questionnaires within our system to send to the vendor that doesn't have InfoSec, BCP and/or DR policies in place.  Has anyone done this before? 

    This is their response to our request list:

    • Latest SOC report (SOC 2 is preferred) or equivalent third-party audit for applicable products.  
      • We do not have a SOC report, our NAID certification is the closest thing to that. It is the industry standard for our Industry.
    • If another vendor is critical to support the delivery of your services/products, please also include the SOC report for that vendor, and briefly describe the relationship between your company and the supporting critical vendor.
      • N/A
    • SOC Report Gap/Bridge Letter(s)
      • We do not have a SOC report, our NAID certification is the closest thing to that. It is the industry standard for our Industry.
    • Information Security and Privacy Policies
      • We have policies and procedures; we train annually per NAID standards. We do not have specific "Information Security Policies".
    • Cyber/Network Security Policies with Testing Requirements and Results (i.e. Vulnerability and/or Penetration Testing)
      • We have policies and procedures; we train annually per NAID standards. We do not have specific "Cyber/Network Security Policies".
      • We have a professional IT company; they have established firewalls and internet security processes, and patches and updates are done on time and as scheduled.
    • Incident Response Policies with client notification protocols
      • We do not have a formal written policy other than what is in our policy and procedures. We do subscribe to CSR - https://urisq.com/ , if there was ever a breach, we would report it to them, they would handle all required notifications.
    • Disaster Recovery/Business Continuity/Pandemic Plans
      • We do not have one
    • Disaster Recovery/Business Continuity Testing Results
      • We do not have one
    • Current Certificate of Insurance (e.g. General Liability, E&O, Cyber)
      • See the attached
    • Latest Annual Financial Statement with period end date of 2020 or 2021 (audited financial statements, including two comparative years of results, with notes preferred)
      • We are a private company and decline to provide this information.


  • 2.  RE: Offsite Storage/Retention

    This message was posted by a user wishing to remain anonymous
    Posted 03-17-2022 11:32 AM

    My company's vendor was able to provide us with a SOC 1, Information Security Policy, Information Security Procedures, Certificate of Insurance (general liability), and last year's financials (which Venminder conducted a financial health analysis on). The vendor omitted the response to a SOC 2 and other areas. Like many of our vendors, the retention vendor chose not to navigate through Venminder to complete our questionnaire request, and we had to download the Excel version of the questionnaire and email it directly to our rep. Any of the items requested that were not provided were identified, and notice of them was given to management.


  • 3.  RE: Offsite Storage/Retention

    Posted 03-17-2022 01:07 PM


    Off the topic of your question, can you share who you use for retention, if you would recommend them?


    Thanks,


    Jennifer Lucas, CRVPM
    Corporate Administrator
    DuPont Community Credit Union


  • 4.  RE: Offsite Storage/Retention

    This message was posted by a user wishing to remain anonymous
    Posted 03-17-2022 01:34 PM

    Jennifer, we use a local company here in Las Vegas, Nevada (Assured Document). We will most likely be starting to look for a new company.


  • 5.  RE: Offsite Storage/Retention

    This message was posted by a user wishing to remain anonymous
    Posted 03-17-2022 02:30 PM

    Our document retention storage vendor provides each year a BCM/DR plan, SOC reports for both them and their key providers, security/privacy policies, COIs, copies of various corporate policies, and an incident management plan. So far we have not encountered any issues in obtaining the required documentation or in having any follow-up questions answered.