Due Diligence and Ongoing Monitoring

  • 1.  When do you worry about the CUECs?

    This message was posted by a user wishing to remain anonymous
    Posted 12-17-2024 11:48 AM

    Hi - 

    Our department isn't resourced to go through the CUEC exercise for every third party that provides a SOC. We are considering doing the CUECs only for those third parties where any of the following apply: those with High inherent risk, those that are considered Critical, and those with access to sensitive data. 

    Would anyone else care to share how they make the decision about when to worry about the CUECs? And for clarity, when I say going through the CUEC exercise, I mean the usual: essentially identifying the controls that are relevant and then having someone (application owner, etc.) document what internal controls/processes/etc. are in place to satisfy the control. Thank you!



  • 2.  RE: When do you worry about the CUECs?

    Posted 12-17-2024 11:52 AM

    We map CUECs for our Critical Third Parties.




  • 3.  RE: When do you worry about the CUECs?

    Posted 12-17-2024 12:23 PM

    Good afternoon

    I fill out all of the CUECs when completing vendor reviews. If the policy does not apply to technology, then the vendor owner has to supply me with the name of the policy/procedure for the corresponding controls. It is time consuming, but our auditors expect it to be done.

    Thanks,



    Kelli Shoup | Tech Support Lead/Info Security Specialist

    The Farmers Bank




  • 4.  RE: When do you worry about the CUECs?

    Posted 12-17-2024 12:54 PM

    We only map the critical vendors that provide us with their CUECs, unless it's necessary for lower-rated vendors. 

    How do you all map your controls internally? Is it in-depth detail or short and sweet? 




  • 5.  RE: When do you worry about the CUECs?

    Posted 12-17-2024 02:34 PM

    We only do this for critical vendors who provide SOC reports we can assess.