This message was posted by a user wishing to remain anonymous
"We have so far gotten away with not having an overall timeline as we continuously tell the business that the time it will take depends on how quickly their vendor responds and the quality of the answers."
Exactly!
Except...some vendors won't be very responsive at all. (The law of market power: If you are the bigger, wealthier entity, you're more likely to get your way.) For example, the basic set of cloud providers will give you what they give you....and that's all you're ever going to get.
Back to the timing question, you'll also get it when those larger vendors decide to provide the information. Always a good time to interact with the internal requestor..."can't move along the process without getting the response".
Most importantly, keeping the vendor owner engaged and informed is a big part of this process. If they feel like they know what's going on, even if what's going on isn't progress, they'll at least know why.
Original Message:
Sent: 06-17-2024 09:15 AM
From: Deb Loomis
Subject: Realistic time line for onboarding
We have a "two week ball in your court" agreement with the SMEs who review assessments completed by the vendor. So the reviewer has two weeks to review, but if they send follow-up questions the clock stops and will restart when the responses are received. We have so far gotten away with not having an overall timeline as we continuously tell the business that the time it will take depends on how quickly their vendor responds and the quality of the answers.
Good luck!
Original Message:
Sent: 6/14/2024 4:58:00 PM
From: AJ Galusha
Subject: Realistic time line for onboarding
Hello, I am looking for as many replies as possible so I can build a realistic SLA time line for my relationship owners.
How long do you require to clear onboarding for Critical, High and even Moderate inherent vendors. From intake questionnaire (after vendor is selected), meeting with relationship owners and SMEs, initial DD request, review of DD and final rating? Does not need to include legal contract review.
Now you and I both know there are too many factors to account for but I must set expectations and I am counting on SMEs from InfoSec, compliance, ops and finance to review docs. I must allow them a full week (and really it is a bit longer) to do the reviews then I have to do another review of their reviews to do the "residual" review. What do you think is a reasonable expectation to put in a standard and make available in trainings?
Is 30 days reasonable?
We do intake meetings once a week as there are so many people involved (infosec, PMO, legal, compliance, IT architect) and I am still just building this program so I want to set the expectation at 45 days vs the current 30.
But I would love to hear from others and their time frames. Thank you so much