Due Diligence and Ongoing Monitoring

  • 1.  Due Diligence for SaaS Providers

    This message was posted by a user wishing to remain anonymous
    Posted 07-16-2021 01:05 PM

    We outsource the TPRM function to a Managed Service Provider (similar to the services provided by Venminder) and license our TPRM software solution through them. We do not have a direct relationship with the software vendor. The software is a SaaS solution that uses a third party data center to process our information. Should the ITGC controls over the data center be evaluated by us or the Managed Service Provider? If us, what would we evaluate other than SOC Reports of the data center? If the Managed Service Provider, what type of supporting documentation should they provide as evidence of their review?


  • 2.  RE: Due Diligence for SaaS Providers

    Posted 07-20-2021 05:59 PM
    Typically, the information stored in TPRM software does not include the highest level of sensitive data (at least, you should try to make sure it doesn't host any NPI or PCI). However, you are entrusted with assuring that the sensitive company information you collect on your vendors is properly secured. The SaaS provider in this case would be considered your 4th party, and their data center would be your 5th. It wouldn't be unheard of to request the SOC assessment for the actual data center, but I think the best practice here would be to review your managed service provider's Vendor Management program first. See what they do to review critical vendors, then request evidence that a review was conducted. Sometimes it's okay to leave it vague and see what they provide, but if their policy gives you some information on the assessment report structure, feel free to get more specific. If they're a TPRM service provider, I would hope that they have collected and assessed the data center's and possibly the SaaS provider's SOC report and related data. Does this help provide clarification? Is there anyone else who would like to share an alternative method/opinion?



  • 3.  RE: Due Diligence for SaaS Providers

    This message was posted by a user wishing to remain anonymous
    Posted 07-22-2021 08:30 AM

    This was very helpful - Thanks!