Latest Discussions

This message was posted by a user wishing to remain anonymous First, I'm not sure what you mean by "level classification," but I do empathize with the struggle that comes with trying to treat contracts with government entities like any other. Unfortunately, ...

Yes, I'd request as much information as reasonably available. Certainly, all of the things like a reputation risk check, history of data breaches, articles of incorporation all come to mind - additionally, I'd request copies of their business continuity ...

We are reevaluating our vendors level classification and I would to know how are other agencies treating federal government entities like Fanny Mae, VA, or your State Housing authorities. These are agencies that store and process our customer's NPI and ...

I'm curious as to what even defines "smaller vendors" in your world? Are you referring to yearly spend and if so, would you mind sharing what that amount is? We use $5,000 as our first threshold. Thanks, Bob Sent from my Verizon, ...

This message was posted by a user wishing to remain anonymous ​​We use a questionnaire with close to 100 for our security risk assessments. Its quite an exhaustive list for our smaller vendors. Some of our critical vendors are 5 men shops and don't ...

This message was posted by a user wishing to remain anonymous I have a vendor hosting an application in the cloud and due to the "shared cloud responsibility", I'm wondering if requiring reports (i.e. output of trusted advisor, is IAM used?, cloudtrail ...

Hello Mark and welcome to the wonderful world of Vendor Management! I'll try to answer your questions with our practices below: We are early in our formal Vendor Risk Management process. As we roll out our ongoing vendor oversight and monitoring ...

Hi! We have a process in place which is similar to what you describe. For document reviews, such as SOC reports, and information security items, we partnered with various stakeholders (like internal audit, information security) to identify thresholds ...

Hello! We do have a vendor management policy and standard which provide guidelines for when the RFI/RFP process should be used. There are a variety of factors which could trigger the RFP process, such as overall cost (select a threshold, for example ...

We are early in our formal Vendor Risk Management process. As we roll out our ongoing vendor oversight and monitoring tasks we will request specific reports be provided from our critical ranked vendors. The report requests will vary based on the which ...

I am formalizing Penn National Insurance's Vendor Management policy. I was asked to add guidelines around when an RFP (Request for Proposal) should or should not be used. Does your organization have a formal vendor management policy or vendor selection ...

This message was posted by a user wishing to remain anonymous Following- We are also trying develop a similar question/questions for our questionnaire.

This message was posted by a user wishing to remain anonymous I'm curious if anyone has any due diligence questions regarding IP Whitelisting that they ask their third party vendors. If you do, please share, your questions or any other thoughts about ...

​Agreed - the waters can be very murky. When working with my internal vendor owners, I often use an example of buying sneakers. I can purchase Nike sneakers from Macys or Foot Locker. In most cases Macys and/or Foot Locker are just delivering the ...

​I would also like to receive your spreadsheet of the standard items to request from low risk vendors. Thank you.

This message was posted by a user wishing to remain anonymous We use a qualitative risk model to support our Vendor Management Program (VMP) today. There are various benefits to this but we are considering the use of a quantitative model as well to ...

This is a tough one, and in the various times I've encountered this issue, I think the results and outcome have all been different. The trickiest parts are figuring out if the SaaS vendors are willing to work with you directly and also how you track the ...

We are working on beefing up our enterprise level risk management. That includes working on risk assessing ACTIVITIES versus just the vendor/product. Does anybody else assess risk at an activity level with an actual answered assessment?

Thank you very much. This is very helpful.

Good question. Non-bank lenders seem to have this problem because secondary market investors, brokers, dealers, et al can all easily be replaced with one phone call. I've had some success in the past using a very short due diligence questionnaire. ...