Matthew Mauldin, ARM, CRVPM - Risk Management Specialist
So long as you aren't broadcasting or storing NPI with these social media outlets, I don't see much need to do much due diligence on them.
The content is intended to be public.
If Vimeo or YouTube vanished tomorrow, your business would, I suspect, continue just fine.
I suppose, to satisfy questions, run them through a regular due diligence questionnaire like you would a new vendor and see what rating they come up with.
The only risk I foresee there, unless you signed on for a high $$ contract with them, is reputational risk.
That's not really enough to do more than the initial review, note that you did it, and put it into a pigeonhole at the lowest tier your policy allows [assuming it comes up that way].
This is, in my mind, similar to risk rating a rate sheet that is available in the bank branch lobby; it has information on it, but it is publicly available, and so has minimal risk.
Or, what do you risk rate the local radio station or newspaper or billboard advertisers? These are essentially the same bucket, I believe. Treat YouTube the same way.
David Howe, CCUFC
Chief Information Officer