Policy, Program and Procedures


PCI covered in Vendor Management Policy

  • 1.  PCI covered in Vendor Management Policy

    Posted 11-04-2021 01:00 PM
    Looking for some suggestions... We received a suggestion from an IT Auditor that we needed to include information in our vendor management policy pertaining to PCI for those vendors to which this would be applicable. Do any of you address this in your vendor management policy? If so, please share.

    Thanks


  • 2.  RE: PCI covered in Vendor Management Policy

    Posted 11-04-2021 01:34 PM
    Brian ... PCI is addressed in our Information Technology Network Security Policy, not our vendor management policy. If PCI is involved with a vendor it is covered in our contract language.

    ------------------------------
    Susan Czarnowski
    Director of Business Continuity
    Arizona Federal Credit Union
    ------------------------------



  • 3.  RE: PCI covered in Vendor Management Policy

    Posted 11-06-2021 09:49 AM
    GM Susan

    Agree with Brian. The VRMO policy, like most policies, should be specifically vague. For example, "SMEs are required to perform Due Diligence activities commensurate to the Inherent Risk Rating using industry standards, such as ...."

    The actual standards used under specific situations and the processes followed are at the SME level - in this case, the InfoSec Team's policy, procedures and standards.

    If any policy is that specific in calling out a particular standard, you would be updating policies much more often than you should. I think, in general, it would start to become more complex and prone to error keeping policies (high-level docs) in line with changing standards.

    happy to chat further

    Regards


  • 4.  RE: PCI covered in Vendor Management Policy

    Posted 11-04-2021 02:34 PM
    We don't include it as a requirement in our TPRM Policy; however, procedurally we do request a copy of the certification as part of initial and ongoing due diligence and will also validate status:

    Visa Global Registry of Service Providers - Search Results

    Thanks,
    Shelly

    ------------------------------
    Shelly Chase
    Senior Risk Analyst Officer
    ------------------------------



  • 5.  RE: PCI covered in Vendor Management Policy

    Posted 11-06-2021 11:26 AM
    Hi Brian,

    I have been writing policies, mostly IT, and participating in either designing or testing internal controls, for the past 25 years. Because we don't have a universally accepted definition of what a policy is, I will give you my 2 cents worth (P.S. you can decide on a definition of policy, rule, standard, process, procedure, practice, guide etc. as long as everyone at your company agrees that's what they mean). I am happy to send you my diagram with definitions if that is at all helpful.

    Policies are statements of intent - they don't contain procedures, requirements (standards), rules or processes; those are all different types of documents that support a policy. When an auditor makes a suggestion about something being in a 'policy', I have never taken that to mean literally a policy but any governance document (where it fits best). An auditor is looking to see that you have documented and enforced 'something'. My experience is they use that word to mean any governance document.

    I also don't like the idea that a policy is a rule or a directive (a rule is a specific, actionable, testable rule that is under the control of the business and supports a business policy, e.g., no smoking).

    An intent (policy statement) for a Third-Party Risk Management policy is "All potential third-party suppliers are assessed for their criticality to Company ABC and for each, a risk assessment, including cyber security, is established with corresponding controls and metrics. Third parties are continuously monitored for changes in their risk profile". This example policy rarely needs to be updated because your intent tends to stay the same, but how you assess a third party (process), on what requirements (what sort of encryption standard or other requirement is needed from them), or the procedures can change based on need. In most organizations, changing or updating standards, procedures and processes is usually much faster and easier than changing a policy.

    Then you could have a gabillion standards (requirements for different risk categories of suppliers, if that was appropriate), processes and procedures.


  • 6.  RE: PCI covered in Vendor Management Policy

    Posted 11-08-2021 08:28 AM
    Gee Catherine,

    I would like to see your method. This has been like trying to nail jello to a tree. 

    Thanks!!


  • 7.  RE: PCI covered in Vendor Management Policy

    Posted 11-08-2021 09:13 AM
    Catherine, would you mind sharing that methodology with me as well?


  • 8.  RE: PCI covered in Vendor Management Policy

    Posted 11-08-2021 10:24 AM
    Catherine,

    I'd really appreciate anything additional you are willing to share on your processes!


  • 9.  RE: PCI covered in Vendor Management Policy

    Posted 11-08-2021 04:50 PM
    Hi, you are welcome to my diagram. I have called it a management system, but really it is just the list of document types.
    The image (deliver compliant services) is a visual representation of how the bits fit together to produce a capability and a service (e.g., the service could be vendor management).
    Feel free to use it and to contact me if you want to discuss any of it.
    Run wild and free

    Attachment(s)



  • 10.  RE: PCI covered in Vendor Management Policy

    Posted 11-09-2021 08:13 AM
    Thank you for sharing this, Catherine!

    -Mark


  • 11.  RE: PCI covered in Vendor Management Policy

    Posted 11-09-2021 12:24 PM
    I would love to see your diagram if you are willing to share with me as well. I love seeing what others use!

    ------------------------------
    Sheila Freyou

    Director, Vendor Management
    Celebrity Home Loans, LLC
    ------------------------------



  • 12.  RE: PCI covered in Vendor Management Policy

    Posted 11-10-2021 08:19 AM
    Feel free to use any of it.
    Yell if something needs more explanation.
    CATHY KINCAID



    Attachment(s)