Due Diligence and Ongoing Monitoring

  • 1.  Critical Vendor Definition & Reassessment Frequency

    This message was posted by a user wishing to remain anonymous
    Posted 20 days ago

    Hi all,

    I'm interested in how peer organizations are approaching two areas within their third-party risk programs:

    1. Critical Vendor Definition:
      How does your organization define a "critical" vendor? Are you using a formal set of criteria (e.g., services support a 0-48 hour business process)?

    2. Re-Assessment Frequency:
      How frequently are vendors re-assessed, particularly those deemed critical?

      • Are critical vendors reviewed annually, biennially, or based on another cadence?
      • Do you differentiate reassessment timelines by vendor tier or inherent risk (e.g., Critical = Inherently High)?
      • Are there any triggers (e.g., incidents, material changes) that drive off-cycle reassessments?

    Appreciate any insights. Thank you!



    -------------------------------------------


  • 2.  RE: Critical Vendor Definition & Reassessment Frequency

    Posted 15 days ago

    Hi,

    For us, critical is defined as a vendor that is critical to our daily business and/or one that has a large amount of private information. If we cannot function without them, they are critical.

    All critical vendors get reviewed at least annually, or sooner if significant changes happen or there is an incident. Medium vendors would be every 24 months and low are reviewed every 36 months.

    I hope this helps.

    Thanks,

    Kelli Shoup, CISM | Tech Support Lead/Info Security Specialist
    The Farmers Bank
    9 East Clinton Street | Frankfort, IN 46041-0129
    Office: (765) 654-2619, 3145 | Mobile: (765) 252-8509
    Email: kelli.shoup@thefarmersbank.com

  • 3.  RE: Critical Vendor Definition & Reassessment Frequency

    Posted 15 days ago

    We define a Critical vendor as a vendor that provides services that are critical to the Bank or is a SOX vendor. Critical services may have a significant client impact that could cause material harm if the vendor fails to meet expectations, or could have a significant impact on the Bank or Company's financial condition or operations.

    We also have a "Confidential" level; these are vendors that access, store, and/or transmit confidential client, employee or company data.

    Both are reviewed annually.

    -------------------------------------------