Risk Assessments

  • 1.  Do you perform risk assessments on software providers?

    Posted 07-10-2020 12:48 PM
    Most organizations purchase some form of software that runs on the organization's computer equipment - Windows operating system, Microsoft Office, Adobe Acrobat along with more industry or occupation specific software. Do you consider the provider of that software a vendor? If you do, how do you rank them and perform a risk assessment?

    We have a piece of software used by our actuaries. They have ranked the provider of the software critical when in fact it is the software that may be critical. It is my understanding that if the provider had a severe disruption in their business, the software would continue to run and be usable. The provider makes annual updates available, but installing the updates is optional.

    What does your organization do in this situation? Do you exclude the software providers from the risk assessment process? I would appreciate any advice you can give.


  • 2.  RE: Do you perform risk assessments on software providers?

    This message was posted by a user wishing to remain anonymous
    Posted 07-10-2020 06:03 PM

    I had a similar question regarding VARs (Value Added Resellers). We have a few VARs that provide various applications, software, equipment and services from other providers. We typically have some type of contract, MSA or PSA with the VAR but will only have an invoice or SOW from the provider providing the application, software, etc. We conduct our due diligence on the VAR and "park" the application, software, etc. under the VAR's portfolio as more of a "parent-child association", since we don't consider them as true 4th parties. We will do a BSA/OFAC check and ID the provider at a high level with a basic profile questionnaire. I was curious if anyone is doing any additional due diligence such as an inherent risk questionnaire or doc collection and how these are being handled? Thanks in advance.