Due Diligence and Ongoing Monitoring

  • 1.  Telecom Companies

    This message was posted by a user wishing to remain anonymous
    Posted 07-19-2023 02:53 PM

    How do you go about tiering your telecom Third-Parties, and how do you decide what level of "access" they have? For instance, let's say you have a web-based meeting (video/voice) Third-Party service provider. Do you consider their ability to view or monitor said meetings a risk? What if you were sharing a screen during it with confidential data? Assuming the Third-Party has privacy policies/procedures that state they won't view meetings, is that enough to reduce the risk and, in turn, the tier levels?



  • 2.  RE: Telecom Companies

    Posted 07-20-2023 11:05 AM
    General Telecom - bandwidth or telephony providers are eligible for the lowest-tier, least-risk waiver from the long-form DD process. The waiver is subject to TPRM Committee review.

    • We control end-to-end encryption of all bandwidth
    • InfoSec & Cyber are represented in the review committee - requires unanimous approval.
    Zoom, Teams, Webex, etc.

    • Not waived in our program today.
    • Probably not eligible for the waiver and still subject to committee review (veto).
    • We have limited control over encryption, storage of recordings, data destruction, etc.
    Thanks.
    Greg Schmeisser

    Corporate Contract & Procurement Director