This message was posted by a user wishing to remain anonymous
Our company is composed of multiple divisions and organizations that utilize the same vendors. TPRM usually takes time, and since we handle multiple engagement assessments, there are several dependencies.
Our TPRM process has two phases: Risk Profiling and the Assessment Phase.
Risk Profiling involves an intake form that must be completed internally by the stakeholders. The bottleneck usually occurs when we have to wait for each division's users to provide their engagement details, such as Data Risk, Business Risk, and Connectivity Risk. This step typically takes 10–15 days. Once we receive the intake form, it should be reviewed within 1–3 days.
For the Assessment Phase, the vendor must complete the questionnaire within 10 business days. Once submitted, InfoSec should be able to review the assessment within 2–3 business days for engagements with an audit report, and 4–10 business days for those without an audit report.
The business is requesting a documented SLA to ensure that Third-Party Security Assessment requests are processed in a timely manner.
May I ask if you can share your current TPRM SLAs based on your existing practices?