Due Diligence and Ongoing Monitoring


What Due Diligence is required for licensed technology software

  • 1.  What Due Diligence is required for licensed technology software

    This message was posted by a user wishing to remain anonymous
    Posted 12-16-2021 09:13 AM

    Curious to know what others are doing when it comes to conducting due diligence for licensed software, as our IT department is claiming that our due diligence process (which looks at cyber, information security, business resilience and operational risk) is unwarranted for software with an annual license fee under $20,000. If anyone is willing to share their checklist, that would be greatly appreciated.



  • 2.  RE: What Due Diligence is required for licensed technology software

    Posted 12-27-2021 05:01 PM

    A few factors should be considered prior to applying a due-diligence checklist:

    1. It is important to identify the operating location(s) for the licensed tech during the inherent risk process. While Cloud and SaaS have clearer lines to this answer, "licensed" software may be hosted by a third party OR operated on your own technology infrastructure. Some services even have co-hosting configurations. So the answer should indicate what level of scrutiny you apply. For example, there is less value in comprehensive due diligence for services you operate on-premise. For this scenario, you may consider the vendor's financial health and business resilience domains to look at how they will operate support, updates and patching of the tech you host and operate. For a fully off-premise / hosted licensed product, you would benefit from all domains (cyber, information security, business resilience, disaster recovery, incident management and operational risk).
    2. The dollar amount is not an ideal distinguishing factor to determine if and how to perform due diligence, as it is not an indicator of risk to your business. Despite the "licensing", it should be the identified risk that drives the scope and cadence of your due diligence process. So, again within your inherent risk process, it is important to identify:
      • Who utilizes the licensed software within your business?
      • Are these users part of critical functions/processes?
      • To what capacity does the system support them (e.g. mission critical vs. occasionally)?
      • Have RTO and/or SLA been captured to provide further color to the relationship?

    With that in mind, please refer to our readily available Due Diligence checklists here: https://www.thirdpartythinktank.com/resources/library/due-diligence