Due Diligence and Ongoing Monitoring

  • 1.  4th Party Vendors

    Posted 07-16-2020 08:02 AM
    What is your plan for 4th party vendors on a critical vendor?


  • 2.  RE: 4th Party Vendors

    This message was posted by a user wishing to remain anonymous
    Posted 07-23-2020 11:38 AM

    For critical vendors, it's important, first and foremost, to make sure the contract requires them to notify you of any sub-service providers that are essential to the services they are providing you. This would mean their data center (more than likely), and any other 4th party which has access to your data or is in some way critical to your operations. Furthermore, it is important to have a right to audit. Aside from that, see if you can get your critical vendor to provide that information either way, and also validation that they've conducted their due diligence on those 4th parties. I would usually ask for evidence of their assessment, what the results were, and I would also review my critical vendors' third party risk policy to assure they have the proper controls and capabilities in place for those assessments.

    Just a word of advice: it's always been helpful for me to go about this with a "let's help each other out" mentality. It's one thing to make demands, and another to explain why you have to make sure your company is safe by understanding all the risk areas, and making improvements wherever possible.

    Certainly open to more feedback - any other tips for 4th parties of our critical vendors?