Due Diligence and Ongoing Monitoring

  • 1.  Proprietary Data Vendors

    This message was posted by a user wishing to remain anonymous
    Posted 23 days ago

    Hi all,

    After conducting research and reviewing several industry articles, I wanted to seek input from this group regarding how similar situations are managed within your TPRM programs.


    We have encountered instances where vendors initially classified as "low risk" were later found to have access to proprietary information, such as internal training materials. Based on best practices, these vendors may warrant a higher risk classification. I am interested in learning how your programs address this scenario and what criteria you apply for categorization.


    For example, one case involved a subscription purchased via credit card without a formal contract, NDA, or any due diligence performed.


    Thank you in advance for sharing your insights and experiences.



    -------------------------------------------


  • 2.  RE: Proprietary Data Vendors

    Posted 21 days ago

    So, from a policy standpoint, this sort of activity (the unauthorized onboarding) might fall into a number of violations, all depending on how you have your Acceptable Use and other policies/standards defined. In this case, the process of calling this out might be part of your security operations and work according to the procedures you might already have. But this certainly is a reactive approach, and doesn't do anything to prevent it from happening in the future. I think there's a deeper issue around procurement and other security checks if this vendor was allowed to access sensitive assets, be that data or other infrastructure, that might also need to be addressed.

    In our case, with a former employer this had occurred often, and was addressed via investigation into the specifics around the instances and bringing this into our risk register to allow cross-team, multiple stakeholders to all get a view on the risk and impact this has on security.

    Just some initial thoughts, I'm happy to elaborate more and address any follow-ups, if you have them.