Due Diligence and Ongoing Monitoring

  • 1.  Vendor non-compliance

    Posted 10-13-2020 10:48 AM
    Good morning,

    I'm wondering if anyone has any process/procedure on how to deal with critical or high-risk vendors that refuse to complete a security questionnaire/assessment. As we are developing our TPRM program one of our areas of concern is how to deal with vendors that do not want to complete our required questionnaire. At this point we just enter them into our risk register, and I know we'll have to communicate this information with the business unit and the vendor. 

    Any and all feedback will be greatly appreciated. Thank you.

    Respectfully,

    David Medina, Information Security Analyst III


  • 2.  RE: Vendor non-compliance

    Posted 10-13-2020 01:25 PM
    Yes, choose another vendor.
    I get that critical and high-risk usually mean that they are the only vendors that provide a specific service or product but we have to be able to just walk away from organizations that will not prove (somehow) that they can meet the privacy or security controls that are in place. Many times these controls are linked to client Statements of Work or other contractual obligations. We can't leave ourselves open to catastrophic situations. 

    Not the answer you are looking for but it has to be to protect your clients and your shareholders.


  • 3.  RE: Vendor non-compliance

    Posted 10-19-2020 03:02 PM
    Hi David - Great question!  I think we all run into this at some point in the lifecycle.  Is there a reason why they will not fill out the questionnaire?

    There are a couple of routes we take when we run into this issue.  First, you may want to leverage the current contract; specifically, the Right to Audit section.  From my experience, however, this section is pretty vague and generally ties into on-site visits.  If the Right to Audit section doesn't contain what you might be looking for, and it is a new vendor, you may be able to, at the time of contract negotiation, incorporate an addendum that outlines the specific expectations for the review - timelines (no less than annually) and the expected due diligence documents that will be necessary to complete the review.  If it is an existing vendor, however, you may need to wait for renewal to incorporate the addendum.

    There may also be other documents you can request that might answer your questions.  For instance, if your questionnaire has a question regarding encryption in-transit and at rest, you should be able to obtain the information from an encryption policy or other InfoSec policies.  Finally, we try to set up calls with someone from the vendor's IT department to try to walk through specific questions we may have.  Make sure, if you do have these calls, you document who, when, etc. in your system and as part of the review.

    I know there is a lot in the response, but I hope this helps.