Due Diligence and Ongoing Monitoring

  • 1.  Microsoft and similar vendors

    This message was posted by a user wishing to remain anonymous
    Posted 08-18-2023 11:01 AM

    Good morning.  Question for other financial institutions.  For your due diligence and ongoing monitoring reviews, what are you asking larger companies like Microsoft that run your systems but are potentially processing PII?  Where do you create the line between service providers like Microsoft and your other SaaS service providers, if you do?  



  • 2.  RE: Microsoft and similar vendors

    This message was posted by a user wishing to remain anonymous
    Posted 08-18-2023 11:28 AM

    For critical vendors, we have quarterly meetings with the vendor's service/product/account management team to basically inquire about anything that may affect our account, PII, service level agreements, etc.  In these meetings, for instance, we ask about any control failures in their current SSAE 16 testing in progress, changes in APIs or upgrades, security protocol changes, whether they were affected, if at all, by malware that is currently circulating, etc.  In our case, we would not be meeting with the Microsoft product team but with their cloud services team.




  • 3.  RE: Microsoft and similar vendors

    This message was posted by a user wishing to remain anonymous
    Posted 08-21-2023 08:08 AM

    A prior response stating, effectively, that they would be meeting with Microsoft's cloud provider... is textbook perfect.

    Caveat: Either a) your company has to be really big to get that meeting, or b) there's a statutory requirement for MSFT to do so. Otherwise that meeting isn't happening.