Hello,
A foreign country assessment will typically look similar to an assessment performed on a domestic vendor. For instance, both foreign and domestic vendors should undergo OFAC/PEP checks, and their hiring practices should be thoroughly assessed. You should also ask the vendor to document all locations that will support the product/service used by your organization. This can identify whether there's any concentration risk so you can review the vendor's resiliency in these locations. Reviewing these locations will also alert you to any privacy considerations, as privacy laws can vary based on jurisdiction. It's also recommended to request certain documents like SOC 2 or ISAE 3000 reports, or evidence of compliance with ISO/IEC 27001.
In addition to the assessment and due diligence process, it's important to consider contract language with these vendors. The Interagency Guidance on Third-Party Relationships has a brief section on "Foreign-Based Third Parties" that might be helpful to review with your legal team. The guidance recommends considering "choice-of-law and jurisdictional provisions" in contracts with foreign third parties and to seek legal advice to understand "privacy laws and cross-border flow of information".
These suggestions should give you a good starting point, and I'd be interested to see the types of resources being used by other members for foreign vendors.
Original Message:
Sent: 09-19-2024 10:16 AM
From: Anonymous Member
Subject: Country Assessments
This message was posted by a user wishing to remain anonymous
Hello All,
Looking for some guidance on Foreign Country Assessments for locations your vendors are either headquartered or providing services, hosting, or accessing data from. How and what are you including in these assessments? Are you aggregating data from specific websites or utilizing a paid resource? Would love some insight on how different locations are handling this.