Due Diligence and Ongoing Monitoring

  • 1.  Does anyone have a questionnaire for their Vendor Owners for new products/processes/software?

    Posted 05-02-2024 06:28 AM

    Hi all,

    I am struggling a bit with not having enough information from vendor owners when completing vendor reviews.  While we have a Product Risk Assessment process, more often than not it does not get filled out in certain areas.  I hear "Well it is not really a risk" but I say how do you know if it was not completed?

    Anyway, I am wondering if anyone has a document created that has questions for the vendor owners that provides detailed information for the vendor manager to know what exactly this vendor does or is going to do for us.  Generally, I just get a one-sentence email stating they want this vendor.  I then have to keep digging deeper to find out: What are their services?  What information will they have access to? etc.

    I am wanting something that no matter what vendor it is, this form needs to be filled out regardless of risk. Does anyone have something similar by chance?

    Thank you.

    Kelli 



  • 2.  RE: Does anyone have a questionnaire for their Vendor Owners for new products/processes/software?

    Posted 05-02-2024 07:29 AM

    This is the text in our Inherent Risk Questionnaire guide detailing what should be in a service description:

     

     

    This field should contain a detailed description of the service being performed (it should not be just a few short words – complete this as if the person reading it has no awareness of the project or Line of Business it is supporting). This SHOULD NOT be a copy/paste from the third party's website. Examples of information to include in the service description (if/when applicable) include the following:

    · Third Party Name

    · Third Party Parent Name

    · Tool/Application, Service or Product Name (Example: Microsoft Office)

    · Explanation of the service provided

    · What types of customers (internal or external) will the service support?

    · What internal line of business(es) and/or business process(es) will this third-party product or service support? Does the service support lines of business outside of where the service is owned? (For example: Is the application or product owned in IT but supports Commercial or Consumer?)

    · Do not use acronyms and limit use of technical terms not widely understood

     

     

    Thanks,

    Eric







  • 3.  RE: Does anyone have a questionnaire for their Vendor Owners for new products/processes/software?

    Posted 05-02-2024 08:15 AM

    Eric,

     

    This is very helpful. Thank you.

     



    Kelli Shoup | Technology Support Lead/Information Security Specialist

    The Farmers Bank






  • 4.  RE: Does anyone have a questionnaire for their Vendor Owners for new products/processes/software?

    This message was posted by a user wishing to remain anonymous
    Posted 05-02-2024 11:05 AM

    Is everyone developing AI test scripts for their third party programs?

    Just curious about the scope and what frameworks you look to for their development?