Due Diligence and Ongoing Monitoring

  • 1.  Supply Chain Information Security Risk Assessment

    Posted 01-31-2022 04:34 PM

    Hi everyone,

     Does anyone have a Supply Chain 3rd Party Information Security Risk Assessment template they could share or have ideas on items you have reviewed previously for those vendors?  We currently evaluate IT and Service Providers and are branching out to Supply Chain as well.  I have the base Information Security type items such as policy review, background checks, system monitoring, etc. but curious what other questions might be asked on this front.

    Thanks!



  • 2.  RE: Supply Chain Information Security Risk Assessment

    Posted 01-31-2022 04:58 PM
    Hi Jamie,
    Thanks for being active today!  

    It seems fitting since early 2020 to raise the bar on the support personnel that your third parties involve who access your systems.   We added cyber awareness training certificates (checked multiple times per year) and skills certificates (i.e., Oracle, Linux, etc.) in addition to the person-to-person interviews, experience and reference checking we did in the past.

    Someone estimated that over 20 percent of service vendors are on one end or the other of mergers and acquisitions -- and as service professionals and teams merge, we don't want someone unqualified learning in our environment.  We also saw mergers result in the disappearance of patch and other testing resources in our vendors, and so had to make local accommodations before they could access or update live systems.

    For those companies that have direct access (via trusted site-to-site VPN, etc.) to our core infrastructure, in addition to annual reviews of official documents (SOC2 Type II reports, questionnaires, etc.), we have decided to require that each person who has an account to access our resources, even under an MSA, provide regular proof of third-party training certificates covering cybersecurity, phishing, HIPAA, etc.

    I mainly rely on the services contact for service contract renewals and on the personnel contact as the usual person who provides screenshots or PDF image documents as proof of cyber awareness training.

    The good news is the new scrutiny seems welcomed and has been well received, and we are thinking of requiring proof of system-specific requirements (operating system, database, etc.) in the form of formal training and/or certifications.

    Larry