Latest Discussions

We have a questionnaire that is asked of every vendor. But for low level vendors such as facility care we base it in part on building access. Do they have a badge and are they authorized to be unescorted in the buildings? If so they are a higher level ...

The HVAC company incident was Target in 2014: https://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/ Kate Wakefield CISSP, CIPT, MPA Sr. Manager Security Compliance

Thank you for the insight Dave!

It's a tricky path you ask about. Technically, a vendor is anyone you pay in order to receive goods and/or services. There are high profile cases where vendors that seemed to be below the radar actually effected some spectacular data breaches, ...

Hello, When do you know if you should perform a risk assessment on a vendor? How do you know it qualifies/does not qualify as a "vendor"? It feels counterproductive to perform a risk assessment on vendors such as lawn care, snow removal, magazine ...

Yes, $2 million is the current threshold established by our risk governance committee and board of directors. This is reviewed at least annual in accordance with our organizations TPRM Policy. Rachel ​ ------------------------------ Rachel Kenyon ...

Hello Merritt, I agree with Rachel, the definition of critical may vary by organization. We separate Risk & Criticality. For us, critical is defined as a vendor that provides products or services of which any extended disruption would cause the company ...

This message was posted by a user wishing to remain anonymous ​Thanks Rachel. Is $2 million an arbitrary number that is re-visited each or why did you draw line there and not 3 or 1?

​Hello Merritt, Critical may be defined different depending on the organization. For my organization, "Critical" is any Third Party Provider that provides any service or product designated by our Systems and Technology committee as critical for continued ...

Can someone provide a general list of types of services that are always critical besides the core processor? I would think you would also have IT network service providers. Merritt Wofford, Esq Assistant Vice President ...

This message was posted by a user wishing to remain anonymous Hi Payal, Thought I don't have a list - I always refer back to my main set of inherent risk questions... For example - Does the vendor or product align with strategic goals? Does ...

Our company evaluated SecurityScorecard, Bitsight and RiskRecon two years ago and selected RiskRecon. The relationship is managed by our CISO as it is primarily for critical IT vendors and to monitor our own score. Due to our vendor oversight and monitoring ...

We are looking into three different monitoring companies: RiskRecon Supply Wisdom SecurityScorecard Would anyone be willing to share their opinions on any of these? Does anyone currently use any one of these and do you find their reports on ...

Brittany, Hi and thank you for posting this. I saw there was a January 2021 update on the FDiTech site this January 2021 -- one recommendation was using Agile and a "rapid phased prototyping" competition. More information and links is below. Larry ...

Hi All, Happy New Year! Is there a list of services outsourced by a financial institution which is out of scope for risk assessment like telephone and utility bills,statuatory and regulatory services,softwares and licenses, temp staff hiring? T ...

I was thinking of something similar as I prepare a (possibly PMI) talk regarding risk and stakeholder boundaries and gaps when looking at NIST, Mitre, TPRM, 3LOD, CMMC, AICPA/TSC, COSO, etc. While research those relationships, here's some links related ...

The FFIEC IT Examination Handbook – Business Continuity Management booklet (Nov 2019) page 45 attached to this reply provides the following guidance regarding Business Continuity Testing collaboration with Third Party Technology Service Providers: ...

Tracy, Thank you. I was following your contributions and was curious about the form. Have a great day. Larry

This message was posted by a user wishing to remain anonymous Thinking about the maturity curve of a Third Party Risk Management program, would love thoughts on what attributes both a Mature program and an Advanced program look like. I think at a high ...

I've attached our form, there really isn't much to it. It is always routed to all parties involved and if there isn't anything for an area to review, they still sign-off that there isn't anything for them to review. Internal Audit always does the final ...