Due Diligence and Ongoing Monitoring

  • 1.  Assessing Software Resellers

    Posted 10 days ago

    Hello all - 

    Still quite new to TPRM and I'm completely unsure in my approach to resellers. 

    1. In your vendor inventory, do you list each software separately, or do you list the software used under the reseller's name?
      1. If you list it separately, how do you categorise their criticality? I feel like listing them separately messes up reporting.
    2. Do you review both the reseller AND the software? 


  • 2.  RE: Assessing Software Resellers

    This message was posted by a user wishing to remain anonymous
    Posted 10 days ago

    We track resellers and software vendors separately. Each is rated according to the associated risk. Resellers are typically considered low risk, unless they are also providing services, confidential data has been shared as part of the relationship, or there are only a few resellers of the software. We may note which reseller is used to purchase a particular product, but that is just for internal tracking.

    Individual software products would be tracked under the software company to ensure an adequate rating for the vendor. One software company may have 3 software products tracked, each with different risk levels. The vendor would ultimately be rated at the highest rating among those products.



  • 3.  RE: Assessing Software Resellers

    Posted 9 days ago

    In our organisation, we track resellers and software vendors separately. However, we assess each based on their associated risks using a risk-based approach, which then determines the level of due diligence required.



  • 4.  RE: Assessing Software Resellers

    This message was posted by a user wishing to remain anonymous
    Posted 8 days ago

    Which company do you perform the due diligence on, the reseller or the software vendor? If it is the software vendor, how do you go about getting the due diligence if you are not contracting or buying directly from them? Thank you for any information you can share.



  • 5.  RE: Assessing Software Resellers

    Posted 8 days ago

    Heather,

    This is a common source of confusion, as you need to determine whether you should just track and rank the contract holder (the reseller) or whether you should try to track and rank the end products that you are receiving (that you do not have a contract with). Before you sign any contract with a reseller, ensure that there is a method for you to obtain initial and ongoing due diligence for the end products you are receiving, and ensure that it is documented within your contract. This request may need to go through the reseller, or the reseller may need to work with the product admins so that you can contact them directly. If you inherit signed contracts, go back to the reseller to work this out. You do need to track/list the reseller in your vendor/supplier inventory. But as others have noted, if they cease operations tomorrow, you should already have a "backup" reseller that you can contract with, so the reseller itself will not usually be a high-risk vendor. As an example, the TPRM program that I manage uses Microsoft Azure and Microsoft 365 - both from Microsoft. We purchase Azure services and have a contract through a reseller for Azure, and through another reseller for 365 licenses (we all go where the terms are most beneficial for us). I list both resellers as low-risk (Tier 4) vendors. We check the resellers through OFAC and monitor for negative news annually - but perform no other due diligence on them. Azure is a critical (Tier 1) service, and 365 is a moderate (Tier 3) service since it is hosted in our environment. Those services combined make Microsoft a Critical Tier 1 vendor for us. I reach out directly to Microsoft annually (through an online portal) to obtain due diligence on both of those products, since the resellers facilitated direct access. It seems like a lot of work up-front, but once you have it established it is fairly routine to manage.

    As others have noted, you do need to know whether your resellers have access to sensitive data (other than your contract with them), since that could change your risk rating of them.