This message was posted by a user wishing to remain anonymous
Hi Mark. I wonder if it makes sense to consider a vendor critical just based on their network access? My understanding is that a critical vendor is one that you can't go without. Whereas a vendor with physical or logical access would be considered a high risk.
Either way, I believe that the best mechanism for ongoing monitoring of such vendors would fall under information security. There should be security monitoring in place on the network at all times. As for the relationship managers' involvement, depending on how you're set up, I would say they're mostly in charge of any SLAs that are in place, which doesn't directly tie to the network risk, but it's important. Also, if we're talking about physical access like personnel inside your doors, keeping track of HR policies, personnel changes and background checks is important.
Ongoing monitoring sometimes is also just making sure the company stays in good standing financially and from a security perspective. Once you start requiring a checklist, that's more like a "point in time" assessment or periodic review. When I think of ongoing, I think "fluid". Hope this helps - and I'm interested to hear more perspectives on this...
Original Message:
Sent: 06-16-2020 09:44 AM
From: Mark Ewert
Subject: Oversight & Monitoring Vendors with Access to your Environment
If you have a vendor identified as Critical solely because of their access to your environment (physical or logical), what do you review as part of your ongoing oversight and monitoring of that vendor?
Do you have a form or questionnaire the relationship manager must complete to track the oversight and monitoring? If you do, will you share it with me?