Risk Assessments

  • 1.  Vendor A integration with Vendor B

    This message was posted by a user wishing to remain anonymous
    Posted 02-20-2023 08:18 AM

    I'm not sure if TPRM should be informed here or if it's more for the security team. Are vendors continuously assessed if there's a change with how the vendor is used, whether that is the type of data shared with vendor A or data shared/integration between vendor A and vendor B?

    I'm particularly curious if the piece about vendor A and vendor B data sharing/integration should be part of TPRM's risk assessment. Appreciate your insights.



  • 2.  RE: Vendor A integration with Vendor B

    Posted 02-23-2023 02:33 PM
    Yes, being notified of a data sharing change would be a part of TPRM's ongoing monitoring practices. The next step would be to assess what the change is and the impacts of that change. For example, if the change includes one of the vendors processing or storing a more sensitive class of data, an updated risk assessment should be performed and additional due diligence may be required, which is where the Security team may also be consulted. This is how I would handle this scenario, but I'd like to hear how others may handle it.