This message was posted by a user wishing to remain anonymous
Hi All in the Community,
I'm reaching out for help as I have not had to deal with this type of situation before. I am new to vendor management and I am unsure how to proceed with a certain 4th party vendor.
Our vendor is the Maine Revenue Service and in Venminder I have made them exempt from oversight tasks. It is a requirement that we report to their 3rd party, our 4th party, Informatix, Inc. for the Data Match Program. I have reached out and talked with a representative from Informatix and he sent me this reply:
"Please keep in mind that Informatix is not a vendor of your institution, but rather the State of Maine Department of Revenue. That State and any other applicable States perform Due Diligence when selecting Informatix as their vendor. Informatix, by policy, does not disclose its proprietary application/infrastructure design or system processes unless required by contractual obligation with our State clients. Informatix understands our clients' need to ensure data security and we have systems/policies/procedures in place to meet each State's requirements. We have an outstanding track record of providing data and physical security, which is routinely tested by our internal security reviews, State security walkthroughs, and SOC 1 Type 1 and IRS audits where applicable. Informatix has never had a security breach."
"Our SOC 1 Type 1 outlines our services, our procedures and it shows that we meet or exceed our carefully developed service plan. As a privately held company and the fact that we are not a vendor for your institution, we are not able to provide financial statements or insurance certificates."
Currently I have Informatix listed as a vendor with its own profile and marked them as a 4th party.
Should Informatix be listed in the Maine profile as a product?
How would you list this vendor in Venminder and how would you handle the due diligence and risk assessments?
Thank you in advance for your much-needed help!