Policy, Program and Procedures

Expand all | Collapse all

PCI covered in Vendor Management Policy

  • 1.  PCI covered in Vendor Management Policy

    Posted 11-04-2021 01:00 PM
    Looking for some suggestions...   We received a suggestion from and IT Auditor that we needed to include information in our vendor management policy pertaining to PCI for those vendors that this would be applicable.  Do any of you address this in your vendor management policy?  If so, please share.

    Thanks


  • 2.  RE: PCI covered in Vendor Management Policy

    Posted 11-04-2021 01:34 PM
    Brian ... PCI is addressed in our Information Technology Network Security Policy, not our vendor management policy. If PCI is involved with a vendor it is covered in our contract language.

    ------------------------------
    Susan Czarnowski
    Director of Business Continuity
    Arizona Federal Credit Union
    ------------------------------



  • 3.  RE: PCI covered in Vendor Management Policy

    Posted 29 days ago
    GM Susan

    Agree with Brian.  The VRMO policy, like most policies should be specifically vague.  For example,  "SMEs are required to perform Due Diligence activities commensurate to the Inherent Risk Rating using industry standards, such as ...."

    The actual standards used under specific situations and the processes followed are at the SME level - that is in this case for the InfoSec Team policy, procedures and standards

    If any Policy is that specific re calling out a particular standard, you would be updating policies much more often than you should be,  I think, in general,  it would start to become more complex and prone to error re keeping policies, high level docs, inline with changing standards

    happy to chat further

    Regards


  • 4.  RE: PCI covered in Vendor Management Policy

    Posted 30 days ago
    We don't include as a requirement in our TPRM Policy however procedurally we do request a copy of the certification as part of initial and ongoing due diligence and will also validate status

    Visa Global Registry of Service Providers - Search Results

    Thanks,
    Shelly

    ------------------------------
    Shelly Chase
    Senior Risk Analyst Officer
    ------------------------------



  • 5.  RE: PCI covered in Vendor Management Policy

    Posted 29 days ago
    HI Brian,

    I have been writing policies, mostly IT, and participating in either designing or testing internal controls, for the past 25 years. Because we don't have a universally accepted definition of what a policies is, I will give you my 2 cents worth (P.S. you can decide on a definition of policy, rule, standard, process, procedure, practice, guide etc as long as everyone at your company agrees that's what they mean). I am happy to send you my diagram with defiinitions if that is at all  helpful.

    Policies are statements of intent - they don't contain procedures, requirements (standards) or rules or processes -- those are all different types of documents that support a policy. When an auditor makes a suggestion about something being in a 'policy' I have never taken that to mean literally a policy but any governance document (where it fits best). An auditor is looking that you have documented and enforced 'something'. My experience is they use that word to be any governance document. 

    I also don't like the idea that a policy is a rule or a directive (a rule is a specific, actionable, testable rule  that is under the control of the business and supports a business policy, e.g., no smoking.)

    An intent (policy statement) for a Third-Party Risk Management policy is "All potential third-party suppliers are assessed for their criticality to Company ABC and for each, a risk assessment, including cyber security, is established with corresponding controls and metrics. Third parties are continuously monitored for changes in their risk profile". This example Policy rarely needs to be updated because your intent tends to stay the same but how you assess a third party (process) or on what requirements (what sort of encryption standard or other requirement is needed from them), or procedures can change based on need. In most organizations changing or updating standards, procedures processes is usually much faster and easier than a policy. 

    Then you could have a gabillion standards (requirements for different risk categories of suppliers if that  was appropriate), processess and procedures.


  • 6.  RE: PCI covered in Vendor Management Policy

    Posted 27 days ago
    Gee Catherine,

    I would like to see your method. This has been like trying to nail jello to a tree. 

    Thanks!!


  • 7.  RE: PCI covered in Vendor Management Policy

    Posted 27 days ago
    Catherine, would you mind sharing that methodology with me as well?


  • 8.  RE: PCI covered in Vendor Management Policy

    Posted 27 days ago
    Catherine,

    I'd really appreciate anything additional you are willing to share on your processes!


  • 9.  RE: PCI covered in Vendor Management Policy

    Posted 26 days ago
    Hi, you are welcome to my diagram. I have called it a management system but really it is just the list of document types.
    The image (deliver compliant services) is a visual representation of how the bits fit together to produce a capability and a service (e.g., the service could be vendor management). 
    Feel free to use it and to contact me if you want to discuss any of it. 
    Run wild and free

    Attachment(s)



  • 10.  RE: PCI covered in Vendor Management Policy

    Posted 26 days ago
    Thank you for sharing this, Catherine!

    -Mark


  • 11.  RE: PCI covered in Vendor Management Policy

    Posted 26 days ago
    I would love to see your diagram if you are willing to share with me as well. I love seeing what others use!

    ------------------------------
    Sheila Freyou

    Director, Vendor Management
    Celebrity Home Loans, LLC
    ------------------------------



  • 12.  RE: PCI covered in Vendor Management Policy

    Posted 25 days ago
    Feel free to use any of it.
    Yell if something needs a more explanation
    CATHY KINCAID 
    This message is for the designated recipient only and may contain confidential, privileged, proprietary, or otherwise private information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the email by you is prohibited.



    Attachment(s)