Latest Discussions

Without a multi-party NDA, we would address as you did, Greg, and provide general details about our TPRM program, including what we collect and evaluate. In cases where 4th party suppliers have online trust center pages and security white papers, I'd ...

We begin with responding to the customers' TPRM questionnaire, which should include details about our TPRM program. If they still request access to 4th party DD materials, we advise them that these are only available through Multi-party NDAs. Very ...

This message was posted by a user wishing to remain anonymous I see several conversations here about 4th party/nth party due diligence, but I'm wondering how most people are handling one of your vendors coming to you to request 4th party due diligence, ...

In terms of when BCP review would be triggered, first and foremost look to your Critical Vendors where the potential impact to you is the highest following vendor disruption. This review should be annual to ensure BC is not just in place, but continuously ...

This message was posted by a user wishing to remain anonymous Hi All, I'm in the financial services industry and am drafting our TPRM risk appetite statements. I've designed our approach so that it is very binary (go/no-go) pre-onboarding for new ...

Hi Nicole, Generally, on-site visits serve two purposes. The first is to observe specific controls, such as physical security, information protection, or worker safety. Vendor site visits are also useful for reviewing documentation that the vendor was ...

When it comes to vendors, sometimes we can get distracted by trying to customize our TPRM approach to the product or service types. But this should not be necessary as your standardized processes for identifying, assessing, and managing risks should help ...

While you asked a simple question, the answer can sometimes be more complex. And while I can't specifically tell you how to define these types of vendors (that is up to your organization), I can tell you what you need to consider in these situations. ...

As good practice you should be reviewing your supplier segmentation annually and hopefully this way you'll pick up on increased levels of spend or service scope creep. Alternatively get yourself on the sign-off for Statements of Work!! ------------------------------ ...

Eric, In these instances, re-negotiating the MSA or terms as new SOWs are being reviewed by Legal and negotiated would be a good start. Older agreements may not have some of the basic privacy, data protection, insurance, right to audit, and other provisions ...

Hi Eric, We periodically add new products or services that are provided by our existing vendors. If we haven't vetted the vendor in recent months (depending on their risk level), or if there are separate documents for the new product or service, ...

Hello all! I'm reaching out to this group to solicit feedback, best practices, or lessons learned related to potential risk exposure associated with ever expanding relationships with third parties and how other organizations may address aspects of this ...

Hi TPRM Friends! I was wondering if anyone could point me in the right direction for an onsite visit checklist? Looking for a list of high-level controls to assure we're checking the right things when visiting a prospective vendor. Thank you! Ni ...

Hi Looking to see how others might have incorporated Building architects/environmental site assessors (phase I/II assessments) into their 3rd party framework? If they are considered in scope, how are they being managed, and what type of due diligence ...

This message was posted by a user wishing to remain anonymous What standard do folks use for determining when to conduct a BCP review of a vendor as part of due diligence?

Regarding Isabel's comment on privacy addenda... If your company has global operations which include the EU states, your legal / contracting teams would be best advised to have the vendor sign a Data Processing Addendum. For instance, Infoblox is headquartered ...

We utilize ADP for our Payroll Service. ADP provides a SOC 1 Type 2 report for Workforce Now (our portal) and a SOC 2 Type 2 Report for its Technology Center. In addition, ADP provides COIs and other great due diligence materials. We utilize Fidelity ...

This message was posted by a user wishing to remain anonymous Good Afternoon! Within your Third-Party Risk Management Program, how do you define a vendor providing a solution that is key to the infrastructure of the bank (ex. Internet, telephone, etc). ...

I forgot to mention that some of these vendors already have industry-accepted certifications. For example, most insurance providers (Anthem, The Blues, etc.) will have a HITRUST certification or other types that are comprehensive in the testing of their ...

Any benefit plan that is considered a HIPAA covered entity; 1) health plan, healthcare clearinghouse, or 3) healthcare provider is governed under the strict HIPAA standards. I would recommend that you use your Business Associate Agreement with the provider ...