Yes, my organization also includes architectural review in our third-party risk management program. We created an additional questionnaire in our GRC tool which can be sent out to vendors upon request of our architects. There are several technical scoping questions related to functionality which are similar to the questions we already ask in our TPRM questionnaire (based upon a SIG Lite).
I don't believe that failing one architecture question would be grounds for scratching a vendor from consideration, but some key items we look for are:
> Prefer SaaS solutions
> If SaaS, need SOC 2 Type II and most recent third party pen test
> Must support SSO using SAML
> Must disclose where data is processed / stored / accessed from (for GDPR)
> Evaluate what APIs are supported (several questions)
> Can we export access logs to our SIEM
> Do they support High Availability / have appropriate DR
> What are the SLAs
------------------------------
Kate Wakefield, CISSP / CIPT / CRISC
Sr. Mgr. Security Compliance
------------------------------