Risk Assessments

  • 1.  Manufacturer Information Security Risk Assessments

    This message was posted by a user wishing to remain anonymous
    Posted 09-26-2023 12:04 PM

    We are looking at redoing our criteria for when and how we do 3rd party risk assessments from an Information Security perspective. The standard items such as those with sensitive data will always top the list for requiring an assessment, but wondering what other companies in the manufacturing industry are looking at. If you are comfortable sharing a doc with your criteria and questions on the assessment, that would be great as well!



  • 2.  RE: Manufacturer Information Security Risk Assessments

    Posted 10-04-2023 12:29 PM
    As a manufacturer, yes, cyber risk should continue to be identified as an inherent risk in order to trigger robust annual review of your vendors' controls. But there is an opportunity to dig deeper and be more targeted across this category because, along with data concerns, there are operational concerns as well.

    Consider these as an extension to your current inherent risk evaluation:

    1. Whose data is being accessed? (e.g., employee and/or customer)
    2. What type of data is being accessed? (personally identifiable vs. non-PII)
    3. Will the vendor have access to procedures, trade secrets, intellectual property or other proprietary processes?
    4. From what locations/countries are vendors operating?
    5. Do vendor staff have physical access to our location(s)?
    6. Does the vendor's system or personnel have access to servers in any way?
    7. Will there be any integration with our network?
    8. Are fourth parties utilized to support the vendor's ability to be compliant with cyber/data privacy expectations?

    Those are my thoughts, but would love to hear what other members are doing.