Risk Assessments

Hello,

As a newer practitioner of TPRM I have a question:

We use an e-mail, web security and archiving service vendor that provides cloud computing services for filtering e-mail spam and malware. Previously it was determined that this vendor process, stores, manages or transports NPPI.  

Are we correct in concluding that this vendor has access to NPI?  If yes, what due diligence can we complete?

The vendor product is owned by a large company that does not provide due diligent documents.   

Looking forward to the communities' responses.

<w:sdt docpart="D0A669701F5941DF8853BBF69465F425" text="t" id="1173457840"></w:sdt>

Hi - My opinion is that yes, the vendor is processing and transferring NPI. Going through the due diligence process with large vendors can be difficult as you've found. As you note that they're a large provider, you could check the Cloud Security Alliance's STAR to see if they're listed ( STAR Registry | CSA ) If so, you can gather some security due diligence through that route. Another way to gather at least some information about the vendor to show due diligence was performed is by using services such as Venmonitor, Black Kite, RiskRecon, BitSight, and SecurityScorecard for cyber ratings, Argos Risk for business health, Osano for privacy, and Owlin for adverse media. Always interested in hearing how others are handling such situations!