Policy, Program and Procedures

  • 1.  Oversight matrix

    Posted 18 days ago
    Hi - Has anyone created a matrix for oversight requirements based on criticality and risk level? I'm reviewing our vendor set-up, and there doesn't seem to be consistency across the board. For example, some critical high-risk vendors have been set up to require cyber security reviews, incident responses, privacy policies, etc. but others have not. Same with non-critical, low-risk vendors -- some are set up to only require a W-9 and maybe insurance certificates, but others have more requirements added. Of course, if a vendor has access to customer data, more requirements are necessary. I'm working on creating a matrix but thought I'd reach out to see if anyone else has set up something similar.


  • 2.  RE: Oversight matrix

    This message was posted by a user wishing to remain anonymous
    Posted 14 days ago
    -------------------------------------------
    Original Message:
    Sent: 07-29-2022 12:32 PM
    From: Colleen Byrne
    Subject: Oversight matrix
