Due Diligence and Ongoing Monitoring


How do others evaluate JHA or Vendors with multiple SOC reports?

  • 1.  How do others evaluate JHA or Vendors with multiple SOC reports?

    Posted 06-10-2020 06:22 PM
    Hi, I am wondering how other companies evaluate Jack Henry as a whole when they have about 10 SOC reports, one for each division. Do you have JHA broken down into multiple sub-vendors, according to their SOC & DR plan testing? Is this in your Vendor Management policy?

    Please advise


  • 2.  RE: How do others evaluate JHA or Vendors with multiple SOC reports?

    Posted 06-10-2020 06:39 PM
    Hi Kouadjo, 
    We struggled with Jack Henry for a few years too, based on the size and complexity.  We finally settled on this...
    Our due diligence review is attached to the primary vendor profile, Jack Henry, regardless of how many of JH's products we might purchase (or how many 4th party vendors might apply). We obtain and review any documents that might apply to the overarching company, like financial docs and proof of insurance. We also obtain and review any documents that apply to the product lines we elected to purchase, like SOC reports, which means we complete SOC reviews each year for Episys, Synergy, EPS, etc. (If they had any 4th parties, we would also review those SOC reports, etc. at this time.) Once we have completed all the individual document reviews, we begin an overall review/risk assessment that considers all of the subparts mentioned above and knits them together into a cohesive risk picture.
    Hope this helps! 
    Sheila


  • 3.  RE: How do others evaluate JHA or Vendors with multiple SOC reports?

    Posted 06-10-2020 06:45 PM
    This helps a lot, thank you. What tool do you use to perform the overall review/risk assessment?


  • 4.  RE: How do others evaluate JHA or Vendors with multiple SOC reports?

    Posted 06-10-2020 07:10 PM

    Our VM software came with a Risk Assessment tool but it didn't suit our needs, so we built one of our own. Ours is an open-ended questionnaire that focuses on the areas of risk my organization is concerned with: strategic, compliance, operational, information security, reputational, etc. Here is a sample of one of our questions, but I would encourage you to look at what your own organization is concerned about based on its strategic plan:

    Operational Risk - If this vendor were suddenly unable to perform the services for which we hire them, how would Numerica and its members be affected? Please consider a short-term interruption of 1 week or so, as well as a long-term interruption or sudden closure of their business.
    Sheila Crossley
    Legal/Compliance Specialist III
    Numerica Credit Union
    Life Moves. Live Well.™
    CONFIDENTIALITY NOTICE: This e-mail message including attachments, if any, is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any unauthorized review, use, disclosure or distribution is prohibited if you are not the intended recipient, please contact the sender by e-mail and destroy all copies of the original message.


  • 5.  RE: How do others evaluate JHA or Vendors with multiple SOC reports?

    Posted 06-10-2020 06:49 PM
    Also, how are you guys evaluating government agencies like Fannie Mae and others who store, process or transmit your customer confidential data?


  • 6.  RE: How do others evaluate JHA or Vendors with multiple SOC reports?

    Posted 06-10-2020 07:11 PM

    Government agencies are backed by the federal government, so we've elected to waive most due diligence requirements for them. However, companies who have access to confidential information go through a full and extensive DD review.
    Sheila Crossley
    Legal/Compliance Specialist III
    Numerica Credit Union
    Life Moves. Live Well.™



  • 7.  RE: How do others evaluate JHA or Vendors with multiple SOC reports?

    This message was posted by a user wishing to remain anonymous
    Posted 06-11-2020 08:25 AM

    Similar approach. Officially inventoried as Exempt from the full program oversight; however, our Information Security SMEs conduct and document a review of any available data security documentation we can gather. Like most other Exempt vendors, these are back on the radar for status review every 3 years.


  • 8.  RE: How do others evaluate JHA or Vendors with multiple SOC reports?

    Posted 06-11-2020 10:10 AM
    How do you obtain fourth party SOC reports with JHA? We found out about a fourth party vendor but were not able to obtain due diligence due to not having a relationship with them. Just wondering if we weren't going about it the right way.

    Thanks!


  • 9.  RE: How do others evaluate JHA or Vendors with multiple SOC reports?

    Posted 06-15-2020 05:55 PM

    Hi Denise,

    Typically we ask the third party to provide fourth party due diligence items for our review since our relationship is with the third party.

    Sheila
    Sheila Crossley
    Legal/Compliance Specialist III
    Numerica Credit Union
    Life Moves. Live Well.™



  • 10.  RE: How do others evaluate JHA or Vendors with multiple SOC reports?

    Posted 06-18-2020 10:40 AM
    Hi Sheila,

    Have you had luck with this with Jack Henry specifically? I am asking because that is the one vendor we found out about a fourth party they were using but had not reviewed, and attempts to obtain docs for them through JHA or the fourth party directly were unsuccessful.


  • 11.  RE: How do others evaluate JHA or Vendors with multiple SOC reports?

    Posted 06-18-2020 03:32 PM
    Denise,
    It wasn't an issue for us. We run their software from our own servers, and we confirmed that the production centers and backup/DR systems for the modules we use are self-contained with no 4th party vendors. Every SOC 2 Type 2 we reviewed confirmed that their vendor management program appropriately monitored their vendors, and all SOC reports showed "no exceptions".

    The 4th party we saw was involved in product development, but there were appropriate change management controls in place between the development/test environments and the final product so that was an acceptable level of separation for us.


  • 12.  RE: How do others evaluate JHA or Vendors with multiple SOC reports?

    Posted 06-22-2020 02:19 PM
    Got it. That makes sense. Thanks for the response!


  • 13.  RE: How do others evaluate JHA or Vendors with multiple SOC reports?

    This message was posted by a user wishing to remain anonymous
    Posted 06-11-2020 08:26 AM

    We attempt to divide products like this into case-by-case rational groupings for review (delivery model, type of data shared, customer contact, owning Line of Business, etc. used as grouping filters). The vendor-level details (financials etc.) are "copied" between reviews that occur in the same year. SOC reports or other relevant documentation are grouped into the relevant review.
    Example: In-house & hosted services are assessed separately; Hosted with and without customer contact; ... etc.