Due Diligence and Ongoing Monitoring

  • 1.  Oversight & Monitoring Vendors with Access to your Environment

    Posted 06-16-2020 09:45 AM
    If you have a vendor identified as Critical solely because of their access to your environment (physical or logical), what do you review as part of your ongoing oversight and monitoring of that vendor?

    Do you have a form or questionnaire the relationship manager must complete to track the oversight and monitoring? If you do, will you share it with me?


  • 2.  RE: Oversight & Monitoring Vendors with Access to your Environment

    This message was posted by a user wishing to remain anonymous
    Posted 06-17-2020 12:49 PM

    Hi Mark. I wonder if it makes sense to consider a vendor critical just based on their network access? My understanding is that a critical vendor is one that you can't go without. Whereas a vendor with physical or logical access would be considered a high risk. 

    Either way, I believe that the best mechanism for ongoing monitoring of such vendors would fall under information security. There should be security monitoring in place on the network at all times. As for the relationship managers' involvement, depending on how you're set up, I would say they're mostly in charge of any SLAs that are in place, which doesn't directly tie to the network risk, but it's important. Also, if we're talking about physical access like personnel inside your doors, keeping track of HR policies, personnel changes and background checks is important.

    Ongoing monitoring sometimes is also just making sure the company stays in good standing financially and from a security perspective. Once you start requiring a checklist, that's more like a "point in time" assessment or periodic review. When I think of ongoing, I think "fluid". Hope this helps - and I'm interested to hear more perspective on this...


  • 3.  RE: Oversight & Monitoring Vendors with Access to your Environment

    Posted 06-17-2020 03:36 PM
    Thank you for the response. I agree with internal Information Security's responsibility along with having the proper network security and monitoring tools in place. 

    I could see the relationship manager being responsible for monitoring contractual obligations such as timely notification of staff changes to remove user rights, etc. Outside of that I'm drawing a blank on other things the relationship manager could/should look at.