It's a rare scenario, but you definitely need Board approval and the respective business desk approvals. Then you need to identify all data connections (should have been identified at onboarding), make sure your access management terminates all digital and physical access, and make sure the vendor provides an email confirmation that your confidential data has been destroyed. If they shared it with subcontractors, which is likely the case for criticals, I would get a confirmation that those parties destroyed it too, just because it is likely to be scrutinized.
Original Message:
Sent: 07-15-2020 09:59 AM
From: Jayne Suess
Subject: Third Party Offboarding
How do you handle offboarding of third parties where the third party inherent risk is Critical (e.g. millions of records with restricted data included)?
Thanks,
Dr. Jayne