Latest Discussions

Catch Up on the Latest Discussions
Network. Collaborate. Connect. 

This community provides a space where professionals in the industry can access third party risk management resources, and more importantly, interact with each other through discussion boards. You’re able to network, share stories, ask questions, receive feedback from others to help overcome your own challenges and more. 

Latest Discussions List

  • Posted in: Risk Assessments

    We have a questionnaire that is asked of every vendor. But for low level vendors such as facility care we base it in part on building access. Do they have a badge and are they authorized to be unescorted in the buildings? If so they are a higher level ...

  • Posted in: Risk Assessments

    The HVAC company incident was Target in 2014: https://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/ Kate Wakefield CISSP, CIPT, MPA Sr. Manager Security Compliance

  • Posted in: Risk Assessments

    Thank you for the insight Dave!

  • Posted in: Risk Assessments

    It's a tricky path you ask about. Technically, a vendor is anyone you pay in order to receive goods and/or services. There are high profile cases where vendors that seemed to be below the radar actually effected some spectacular data breaches, ...

  • Posted in: Risk Assessments

    Hello, When do you know if you should perform a risk assessment on a vendor? How do you know it qualifies/does not qualify as a "vendor"? It feels counterproductive to perform a risk assessment on vendors such as lawn care, snow removal, magazine ...

  • Posted in: Risk Assessments

    Yes, $2 million is the current threshold established by our risk governance committee and board of directors. This is reviewed at least annually in accordance with our organization's TPRM Policy. Rachel ------------------------------ Rachel Kenyon ...

  • Posted in: Risk Assessments

    Hello Merritt, I agree with Rachel, the definition of critical may vary by organization. We separate Risk & Criticality. For us, critical is defined as a vendor that provides products or services of which any extended disruption would cause the company ...

  •

    RE: Risk assessment

    Posted in: Risk Assessments

    This message was posted by a user wishing to remain anonymous. Thanks Rachel. Is $2 million an arbitrary number that is re-visited each or why did you draw the line there and not 3 or 1?

  • Posted in: Risk Assessments

    Hello Merritt, Critical may be defined differently depending on the organization. For my organization, "Critical" is any Third Party Provider that provides any service or product designated by our Systems and Technology committee as critical for continued ...

  • Posted in: Risk Assessments

    Can someone provide a general list of types of services that are always critical besides the core processor? I would think you would also have IT network service providers. Merritt Wofford, Esq Assistant Vice President ...

  •

    RE: Risk assessment

    Posted in: Risk Assessments

    This message was posted by a user wishing to remain anonymous. Hi Payal, Though I don't have a list - I always refer back to my main set of inherent risk questions... For example - Does the vendor or product align with strategic goals? Does ...

  • Our company evaluated SecurityScorecard, Bitsight and RiskRecon two years ago and selected RiskRecon. The relationship is managed by our CISO as it is primarily for critical IT vendors and to monitor our own score. Due to our vendor oversight and monitoring ...

  • We are looking into three different monitoring companies: RiskRecon Supply Wisdom SecurityScorecard Would anyone be willing to share their opinions on any of these? Does anyone currently use any one of these and do you find their reports on ...

  • Posted in: Regulations

    Brittany, Hi and thank you for posting this. I saw there was a January 2021 update on the FDiTech site this January 2021 -- one recommendation was using Agile and a "rapid phased prototyping" competition. More information and links are below. Larry ...

  •

    Risk assessment

    Posted in: Risk Assessments

    Hi All, Happy New Year! Is there a list of services outsourced by a financial institution which are out of scope for risk assessment, like telephone and utility bills, statutory and regulatory services, software and licenses, temp staff hiring? T ...

  • I was thinking of something similar as I prepare a (possibly PMI) talk regarding risk and stakeholder boundaries and gaps when looking at NIST, Mitre, TPRM, 3LOD, CMMC, AICPA/TSC, COSO, etc. While researching those relationships, here's some links related ...

  • The FFIEC IT Examination Handbook – Business Continuity Management booklet (Nov 2019) page 45 attached to this reply provides the following guidance regarding Business Continuity Testing collaboration with Third Party Technology Service Providers: ...

  • Tracy, Thank you. I was following your contributions and was curious about the form. Have a great day. Larry

  • This message was posted by a user wishing to remain anonymous. Thinking about the maturity curve of a Third Party Risk Management program, would love thoughts on what attributes both a Mature program and an Advanced program look like. I think at a high ...

  • I've attached our form, there really isn't much to it. It is always routed to all parties involved and if there isn't anything for an area to review, they still sign-off that there isn't anything for them to review. Internal Audit always does the final ...
