We only map the critical vendors that provide us with their CUECs, unless it's necessary for lower-rated vendors.
How do you all map your controls internally? Is it in-depth detail or short and sweet?
Original Message:
Sent: 12-17-2024 12:16 PM
From: Kelli Shoup
Subject: When do you worry about the CUECs?
Good afternoon
I fill out all of the CUECs when completing vendor reviews. If the policy does not apply to technology, then the vendor owner has to supply me with the name of the policy/procedure for the corresponding controls. It is time consuming, but our auditors expect it to be done.
Kelli Shoup | Tech Support Lead/Info Security Specialist | The Farmers Bank
Original Message:
Sent: 12/17/2024 10:08:00 AM
From: Anonymous Member
Subject: When do you worry about the CUECs?
This message was posted by a user wishing to remain anonymous
Hi -
Our department isn't resourced to go through the CUEC exercise for every third party that provides a SOC report. We are considering doing the CUECs only for those third parties where any of the following apply: those with High inherent risk, those that are considered Critical, and those with access to sensitive data.
Would anyone else care to share how they make the decision about when to worry about the CUECs? And for clarity, when I say going through the CUEC exercise, I mean the usual: essentially identifying the controls that are relevant and then having someone (application owner, etc.) document what internal controls/processes/etc. are in place to satisfy the control. Thank you!