If you think like an auditor, criticality will override the low-risk rating. Since the internet is a critical service for your organization, you should be doing more exhaustive diligence. But, due diligence for internet providers can be a tricky business. Typically providers will not participate in your due diligence efforts. And most of these services are purchased via their standard agreement, leaving your organization no room to make demands or negotiate. Still, your organization bears the responsibility of conducting due diligence.
The question is how to get the information you need, to evidence that you took reasonable care?
Over the years, I have learned several research techniques that can assist you when no information is available directly from the vendor.
- Review the provider's web page, and look for "technical, compliance, or privacy" sections. Many providers publish information for their customers.
- Search "XYZ company GRI or SASB report." Global Reporting Index (GRI) and Sustainability Accounting Standards Board (SASB) are both organizations that set standards around ESG (environmental, social, and governance) reporting. These reports are often a treasure trove of data and provide direct links to policies, certifications, and other information that can be used to substantiate due diligence efforts
- Basic internet search "xzy company SOC2 compliance."
- Dunn and Bradstreet Reports
- Data and reporting from risk monitoring and alert services
While you may not be able to meet your standard due diligence evidence requirements, you can still demonstrate your efforts, which is always better than nothing.
Hopefully, this information was helpful, but I would love to hear from other members.
Original Message:
Sent: 06-23-2022 02:18 PM
From: Anonymous Member
Subject: Internet Provider Documents
This message was posted by a user wishing to remain anonymous
What due diligence items are you collecting from your internet providers?
We are conflicted on what we should be collecting from ours since they are basically a utility for us but are considered critical to our business. We typically only collect basic items for these types of services due to the minimal cost of them and low level of inherent risk. However, the criticality of the internet is a concern. I am curious how others handle these types of vendors.