Latest Discussions

  • This message was posted by a user wishing to remain anonymous. Hello everyone. I am working on our policy/procedure documentation review, and I am adding a section to cover what we consider to be in and out of scope for our program. I have been looking ...

  • Posted in: Regulations

    Great question! Implementing Executive Order 14117 in Third-Party Risk Management Programs: Executive Order 14117 introduces specific national security risks related to data-sharing with foreign adversaries that extend beyond the basic sensitive ...

  • Posted in: Contract Management

    Agree with others posting here. Whatever artifacts you need to clearly understand the product/service, terms of the product/service contract (even if it is a click-through agreement, try to get a download) and any other relevant information. I've had ...

  • Posted in: Contract Management

    My thoughts are that whatever is uploaded as a 'contract' is for your benefit, so use it as it meets your needs. If we do not have a contract or some sort of an agreement, we will upload a quote or an invoice or even a screenshot of the purchase just ...

  • Posted in: Contract Management

    You ask a good question, and I don't believe you are overthinking things. I have been in the same situation and understand completely. I will add the invoice, contract, agreement, subscription invoice etc. to Venminder and I will either change the Term ...

  • Posted in: Contract Management

    This message was posted by a user wishing to remain anonymous. Hello, all. I searched the discussion board but did not find a post that seemed to apply to my question. I would like some insights on what, if any, documents should be uploaded into Venminder ...

  • I am working on developing a risk register for both new and existing solutions. Would anyone be able to share a template that I could use? Thanks.

  • Posted in: Reporting

    This is great information! Does anyone have a Crisis Communications template or procedure they would be willing to share? We are looking to revise ours and compare it to others to find the cracks. Always open to new ideas. ...

  • Happy to weigh in as a SME, but I would love to hear everyone else's thoughts as well. Reviewing a SOC 2 report for vendors in the Infrastructure tier as part of your annual due diligence provides several critical benefits, even though these vendors may ...

  • Posted in: Reporting

    Newer to TPRM and privacy. Does anyone have recommendations on sites or Twitter pages to follow for updates on privacy or TPRM regulations or important news?

  • Posted in: Regulations

    Hello! There is a new rule finalized earlier this month, attaching the link below. Do you see this rule impacting your TPRM program? If so, how do you plan to address it in the risk review process? https://therecord.media/biden-admin-finalizes-rule-to-block-sale-of-bulk-data-to-adversaries ...

  • Ongoing Monitoring for vendors holding PII

    This message was posted by a user wishing to remain anonymous. For your vendors that host customer data, any best practices you utilize for ongoing monitoring aside from annual SOC reviews and annual key document review/collection? As an example, sending ...

  • RE: Inquiry on Enterprise Licensing Management

    Posted in: Contract Management

    This message was posted by a user wishing to remain anonymous. In our organisation, the Procurement department is responsible for obtaining all licences. The IT Service Desk is responsible for issuing and maintaining (CMDB) them. The IT GRC function ...

  • Posted in: Contract Management

    Re: I am reaching out to gain insight into how other organizations manage enterprise licensing for commonly used tools. For enterprise licensing to work optimally you need a couple of key data points. CMDB that is up to date with a detailed listing ...

  • RE: FedRAMP

    My opinion would be to accept FedRAMP certification as an alternative to a SOC report for performing due diligence on an organization's IT infrastructure. FedRAMP audits are more specific and in depth than SOC reports, which can be adjusted by the organization ...

  • Posted in: Contract Management

    Hi All, I hope this message finds you well. I am reaching out to gain insight into how other organizations manage enterprise licensing for commonly used tools. Specifically, I am interested in understanding whether your organization has a dedicated ...

  • Infrastructure Vendors

    This message was posted by a user wishing to remain anonymous. Hello, we are currently updating our vendor due diligence packages. With your Infrastructure vendors, do you ask for a SOC 2? Why or why not?

  • Posted in: Risk Assessments

    We have Zoho (the vendor we use for project management) and BMC (the vendor we use for the IT help desk) at low inherent risk scores.

  • Cloud Hosted Ticketing System

    Posted in: Risk Assessments

    This message was posted by a user wishing to remain anonymous. We currently have an in-house IT ticketing system that we want to replace with the Zoho application Service Desk Plus. Like most ticketing systems, there is always a chance that an employee ...

  • RE: NPI

    Posted in: Risk Assessments

    This message was posted by a user wishing to remain anonymous. Thank you very much for your input.