Due Diligence and Ongoing Monitoring

  • 1.  Microsoft Due Diligence

    Posted 11-10-2021 12:50 PM
    Hello,

    I was curious how others handle Microsoft as a vendor. Outside of the SOCs provided on their website does anyone reach out to them further to collect more documents like for example any sort of cyber security documents? Trying to figure out how far to push things or if we just work with what they initially provide online.

    Has anyone had Venminder itself reach out to Microsoft to collect documents and complete a review?

    Thanks!


  • 2.  RE: Microsoft Due Diligence

    Posted 11-10-2021 03:25 PM
    When we first started our vendor management program a number of years ago, we reached out numerous times to Microsoft for additional documentation with no response at all.  We gave up and solely rely on the information they publish.


  • 3.  RE: Microsoft Due Diligence

    Posted 11-10-2021 03:33 PM

    Hi Stephanie.  We use a different vendor management program but since Microsoft is one of our Critical Vendors, we have our vendor program perform enhanced due diligence reviews for us.  

    Microsoft is one of those vendors that won't release their documentation to a 3rd party; therefore, the bank's vendor owner had to reach out to them to obtain the information, which was downloaded from their portal.

    Below is what we request from all of our Critical Vendors: 

      • Latest SOC report (SOC 2 is preferred) or equivalent third-party audit for applicable products.
      • Gap/Bridge Letter(s) for the SOC reports
      • Information Security, Privacy, and applicable Compliance Policies (AML, PCI, NACHA, BSA, etc.)
      • Cyber/Network Security Policies with Testing Requirements and Results (i.e. Vulnerability and/or Penetration Testing)
      • Incident Response Policies with client notification protocols
      • Disaster Recovery/Business Continuity/Pandemic Plans
      • Disaster Recovery/Business Continuity Testing Results
      • Current Certificate of Insurance (e.g. General Liability, E&O, Cyber)
      • Latest Annual Financial Statement with period end date of 2020 or 2021 (audited financial statements, including two comparative years of results, with notes preferred)



  • 4.  RE: Microsoft Due Diligence

    Posted 11-10-2021 03:55 PM
    A vendor actually provided me with detailed instructions for how to access AWS documentation (SOC reports, PCI certification, etc.). It worked great for me and I was able to pull a lot of documentation I needed. The instructions are below:

    CREATE ACCOUNT
    STEP 1 Go to www.aws.amazon.com and click the Create an AWS Account button in the top right.
    STEP 2 Complete the Create an AWS Account form and click the Continue button.
    Note: the email address should NOT be associated with an account on Amazon.com.
    STEP 3 Complete the Contact Information form and click the Create Account and Continue button.
    STEP 4 Rather than completing the Payment Information form, navigate to www.aws.amazon.com, hover over the My Account menu and click on the AWS Management Console option.
    SIGN IN
    STEP 1 Enter your username and click the Next button. (Root user)
    STEP 2 Enter your password and click the Sign In button.
    REQUEST REPORT
    STEP 1 In the AWS Management Console, search 'Artifact' or 'Compliance Reports' in the AWS services box.
    STEP 2 Find the report you're looking for by scrolling through the results list. Once you find the report, click the Get this Artifact button.
    STEP 3 If the Approval required dialog box appears, click the Open a request for access to this report link.

    ------------------------------
    Shelly Chase
    Senior Risk Analyst Officer
    ------------------------------



  • 5.  RE: Microsoft Due Diligence

    This message was posted by a user wishing to remain anonymous
    Posted 11-10-2021 03:37 PM

    Have tried several times to obtain more information from Microsoft and received nothing back. However, I still don't stop trying, as at least my efforts provide documentary evidence that an attempt was made.