Due Diligence and Ongoing Monitoring

 View Only

  • 1.  Mitigating controls for lack of data retention/classification/destruction policy

    This message was posted by a user wishing to remain anonymous
    Posted 04-10-2024 10:48 AM
    This message was posted by a user wishing to remain anonymous

    During my due diligence on a low risk vendor, I was informed that they do not have a data retention/destruction/classification policy. What are the potential risks and how can I best mitigate those risks? I was thinking that they would have data scattered all throughout their systems that has been there since the beginning without knowing if it's confidential or not so there's no data management of any kind.

    Any input is appreciated,

    Thanks.



  • 2.  RE: Mitigating controls for lack of data retention/classification/destruction policy

    This message was posted by a user wishing to remain anonymous
    Posted 04-11-2024 07:31 AM
    This message was posted by a user wishing to remain anonymous

    Before looking at mitigation, you need to some additional digging. 

    • Do they know where your data is?
    • How is being secured?
    • Can they provide any details about the age of the data?
    • Does their agreement require them to meet any retention, classification or destruction levels?

    I would look at your standards and see if you can amend their agreement to meet them. You can always tell them your requirements and ask them to follow them.




  • 3.  RE: Mitigating controls for lack of data retention/classification/destruction policy

    This message was posted by a user wishing to remain anonymous
    Posted 04-11-2024 02:41 PM
    This message was posted by a user wishing to remain anonymous

    The product we're receiving from the vendor doesn't interface with our network and there is no data transfer. The vendor won't have any of our data, this is more on the vendor level, not the product level.


    Original Message