Information Security

  • 1.  Ongoing Monitoring for vendors holding PII

    This message was posted by a user wishing to remain anonymous
    Posted 01-07-2025 03:36 PM

    For your vendors that host customer data, are there any best practices you utilize for ongoing monitoring aside from annual SOC reviews and annual key document review/collection? As an example, sending out semi-annual cyber questionnaires asking specific questions to get some assurance? If anyone has any best practices such as these, including what questions you include, please share.



  • 2.  RE: Ongoing Monitoring for vendors holding PII

    Posted 02-11-2025 12:51 PM

    I've attached the questionnaire we use annually.




  • 3.  RE: Ongoing Monitoring for vendors holding PII

    Posted 02-12-2025 08:53 AM

    If your vendor relationship hasn't changed much, start by asking what has changed in the last 12 months (or 6 months, depending on your review frequency). From there, gather any relevant control documents that support the product/service hosted with the vendor to verify those controls. That should determine if you need full-fledged due diligence or just the relevant control evidence to ensure data security and protection.

    Other things to consider with ongoing monitoring could be daily, monthly, and quarterly checks to see how the vendor is doing.

    • Daily: Keep an eye on news for any breaches or reputational issues that might affect your service, such as acquisitions or sales.
    • Monthly: Do some regulatory or legal checks and cyber screenings. You can always leverage your internal partners, like Information Security teams, to see if they find anything on the dark web or any breaches regarding that vendor.
    • Quarterly: Look at their financials to see how they're performing as a company, whether they're solvent, and whether they can support your service and operational costs.

    Also, use performance scorecards with the business owner (the team using the service in your organization). These scorecards, reviewed quarterly (or at a frequency that makes sense), can help determine if the vendor is meeting SLAs. This approach also ensures the business maintains oversight of their vendor relationship.

    This way, you get real-time monitoring instead of just relying on a one-time questionnaire and updated documents.