Due Diligence and Ongoing Monitoring

  • 1.  BCP/DR Alternative Documentation

    Posted 07-08-2024 11:27 AM

    Good morning TPRM professionals,

    I'm curious to know what alternative documentation you use for a BCP/DR assessment when the company does not provide their BCP or DR plan due to privacy?



  • 2.  RE: BCP/DR Alternative Documentation

    Posted 07-08-2024 12:16 PM

    Hi,

    First, I would get it in writing why they cannot or choose not to provide it. If they have cyber insurance, that might be a mitigating document, and they should have a policy. Are they saying they will not show you testing of the plan or the actual plan?



    ------------------------------
    Donna
    ------------------------------



  • 3.  RE: BCP/DR Alternative Documentation

    Posted 07-08-2024 01:04 PM

    When evaluating a vendor's risk for your organization, consider factors such as the Recovery Time Objective (RTO) and their access to sensitive information. For high-risk vendors, you can conduct a remote assessment focused on the specific product or service your organization relies on. During the session, request their test documentation from the last recovery test, verifying details like the test date and any encountered issues. Additionally, inquire about their backup processes related to critical services. Alternatively, you can verify BCDR processes through attested documents like SOC 2 reports or ISO 22301 certifications. Document the remote assessment or Webex session in a memo as evidence of the review. For such vendors, consider documenting adequate SLAs within the contract, specifying the due diligence documentation required at the time of review during the next renewal.

    Consider revisiting the business unit that relies on the third party. Understand their maximum tolerable downtime and the contingencies they have in place in case the vendor experiences disruptions. This understanding will inform recovery strategies within the organization.