Yikes, talk about pulling teeth. You must have really wanted that vendor. Or, it was in close proximity to you. :)
Original Message:
Sent: 10/9/2024 11:34:00 AM
From: Anonymous Member
Subject: RE: Critical Vendor Tasks
This message was posted by a user wishing to remain anonymous
Generally, I agree with Cheryl. If a vendor won't tell our company how it handles PII, that's not a good sign.
On the other hand, the larger companies tend to have publicly available privacy statements, etc., that are sufficiently detailed to provide some assurance. I've found that almost all companies are willing to have a discussion about the points not covered in the publicly available documents.
Some companies are sticklers, though. I did a due diligence visit as a part of a three person team. The firm was insistent that they wouldn't talk with us. We separated their team into three groups and largely got what we needed by asking different questions of different people.
When there's a will there's a way. And, if there's not, as Cheryl said, my company, too, would pass.
Original Message:
Sent: 10-09-2024 09:03 AM
From: Cheryl Turner
Subject: Critical Vendor Tasks
Interesting. In our shop, when vendors don't share their information, we determine the risk that is associated with said vendor. Depends on what they do for us, how much PII they have, etc. We then consider if we want to do business with them and if not, look for another vendor.
It is imperative we keep our member PII secure, as we are a financial institution. If we cannot confirm that is the case with any vendor, we simply pass.
Sincerely,
Cheryl
Original Message:
Sent: 10/9/2024 8:40:00 AM
From: Anonymous Member
Subject: RE: Critical Vendor Tasks
This message was posted by a user wishing to remain anonymous
In my experience as a vendor, we would not share internal policy documents as they are proprietary and I had them classified at a level that would require the President or Board's approval to share. I would provide the table of contents and an overview of the policy.
As a consultant I would advise my clients not to share as policies are proprietary but to create a summary document.
For privacy statements, I would point people to the privacy statement on the public facing website.
Original Message:
Sent: 10-08-2024 09:37 PM
From: Ophelia Chew
Subject: Critical Vendor Tasks
Yes, for critical vendors we do request the privacy statement and info security policy. However, some organisations may not be willing to share their internal policies. For such cases, we will request a virtual sighting or fall back on the SOC report, where BCP, info sec policies, etc. are reviewed. If any exceptions were noted, we will request more information as necessary.
------------------------------
Gemma, CTPRP
Outsourcing & Third Party Risk
Original Message:
Sent: 10-08-2024 05:01 PM
From: Anonymous Member
Subject: Critical Vendor Tasks
This message was posted by a user wishing to remain anonymous
Good Afternoon,
For critical vendors, does anyone collect the two documents called GLBA Privacy Statement and Information Security Policy from your vendors annually as part of your ongoing monitoring? Is this information found in a SOC report or BCP/DR plans, or are they separate documents the vendor should provide?
Please advise
Thank you