Due Diligence and Ongoing Monitoring

Completing 3rd party security risk assessments requested by customer

  • 1.  Completing 3rd party security risk assessments requested by customer

    This message was posted by a user wishing to remain anonymous
    Posted 03-18-2022 03:41 PM

    We have a customer that contracted with a third party to obtain security risk assessments from all the customer's technology vendors. We are one of their technology vendors so we just received the request. We will verify with the customer that this is a legitimate request. We have no direct relationships with this third party and we will be providing our information to them. Opinions from this group on whether we should obtain an NDA with the 3rd party or what other steps would people recommend we take? Is this standard in the industry to independently interact with a vendor to complete risk assessments?