Latest Discussions

We see a wide variety of strategies used to manage vendor and third party relationships. Some attempt to use one-size fits all, and others have a very complex and sometimes fully customized review process for each vendor engagement. We tend to find, however, ...

This message was posted by a user wishing to remain anonymous ​We definitely consider onsite service providers a vendor and they will go through our normal vendor risk assessment process. For consultants or temps that have access to our network, we ...

This message was posted by a user wishing to remain anonymous Physical access should definitely be considered/factored into the inherent risk score along with whether access will be accompanied or unaccompanied. Obviously, accompanied access carries ...

Hey there - An outside service provider's physical access, regardless of their service type or job function, is still factored into the inherent risk scores we apply as there can still be potential security and safety concerns if the individual(s) have ...

Unattended facility access is, in my opinion, absolutely a part of a vendor's risk profile. This is the area where the apocryphal story of the HVAC vendor hacking the network comes into play. Cleaners, maintenance folk, ...

This message was posted by a user wishing to remain anonymous We have a secured campus and maintain a well established policy for vetting non-employees prior to providing them any building access. A key pass is required to use the elevator, enter staircases, ...

This message was posted by a user wishing to remain anonymous We are reevaluating the key roles within the business that support TRPM, specifically: completing internal assessments, reviewing/approving findings (potential issues). On occasion, these ...

Hi there - Below are responses and some helpful best practices to utilize in your program as it relates to managing and monitoring the risk associated with vendors with software escrow: 1) what triggers a review? (new software, RTO, Direct Impact (major ...

Hello, When it comes to a vendor's reputation, there are both objective and subjective reputation assessment methods that you can use. Starting with objective methods is always best. Objective methods include reviewing the legal and litigation history ...

We explicitly made certain types of subscription services out of scope for TPRM: magazines, periodicals and education resources. The remaining subscription services we handle as in scope and base due diligence requirements on assessed operational and ...

My advice is to put them in your Vendor Management system with some form of flag indicating they are an exception to your definition of vendor and to describe the exception. This way you have a centralized database of all vendors used by the organization. ...

We have a TPRM system for our third parties following standard ISO27001 principles. Do people use a deep framework for dealing with their strategic partners or one size fits all.

This message was posted by a user wishing to remain anonymous We keep them in our TPRM system even if they are out of scope. It shows the regulators that we are aware of all our 3rd parties and, if anyone asks if we know about a vendor, if they need ...

I think the main answer here is "it depends". If you are putting a group like retail only transactions [e.g office supplies, facilities accounts, etc.], then I would say probably not. There isn't much data exchange there, and the ...

This message was posted by a user wishing to remain anonymous If we have documented certain categories of vendors to be out of scope for TPRM, is there any reason to create a vendor record for them in our TPRM system?

Hi TPRM Colleagues - As we collectively continue to leverage 3rd parties (specifically vendors) it would be great to understand what organizations are doing to understand, assess and measure vendors' reputational risk. * What areas are included ...

This message was posted by a user wishing to remain anonymous This was very helpful - Thanks!

Typically, the information stored in a TPRM software does not include the highest level of sensitive data, (at least, you should try to make sure it doesn't host any NPI or PCI). However, you are entrusted with assuring the sensitive company information ...

how are usually monthly subscription vendor's contract's are managed ? meaning they are usually into low to medium risk and they usually don't have any contract other than signing up a monthly subscription as their services are needed. I wanted to ask ...

When defining your out of scope vendors, it's up to you and/or perhaps your particular auditor and organizational appetite on on whether or not your "paragraph" (assuming in your VRM Policy?) has more or less detail. Here is an example of a broad statement: ...