1. What ongoing due diligence is everyone collecting for Utility Vendors? Or are you just checking the box in Venminder that states "Exempt from oversight requirements" (when you added your category of phone company, etc.)?
I treat utility companies as "commodity" items, exempt from review.
2. Security Vendors (i.e., Pelmac for cameras)?
While not expecting the same level of detail I would from an organization supplying IT support, I complete reviews of companies such as security vendors through a review of available documentation as well as questions about privacy and security training, confidentiality agreements between the company and their employees, use of the cloud, how they deal with security incidents, secure portal technology, background checks, etc. You can learn a lot about a company simply by the way they respond to your questions. Are they professional? Do they understand why you're asking for information about their business and security practices?
3. Companies like Ascensus (platform for IRAs & HSAs)?
It appears Ascensus is a bank. As such, they would be subject to government oversight, SEC, etc. While I exempt these organizations from our vendor review process, you could reach out to your regulators and/or look online to see if you can access reports that may be available (ex: FFIEC IT-ROE).
Rosalie Stremple
Original Message:
Sent: 02-03-2020 08:36 AM
From: Anonymous Member
Subject: Ongoing Due Diligence
This message was posted by a user wishing to remain anonymous
I work for a $2.5 billion credit union; we have over 300 employees and 19 branches. I'm looking for guidance from places similar in size.
I am new to Vendor Management and my department is in the beginning stages of development.
We have decided to use the Category column to group our vendors in order to make a checklist to determine what ongoing due diligence information we will collect. That left us with a couple of vendors for which we are unsure what to collect.
1. What ongoing due diligence is everyone collecting for Utility Vendors? Or are you just checking the box in Venminder that states "Exempt from oversight requirements" (when you added your category of phone company, etc.)?
2. Security Vendors (i.e., Pelmac for cameras)?
3. Companies like Ascensus (platform for IRAs & HSAs)?
Any and all feedback is greatly appreciated.