Due Diligence and Ongoing Monitoring

  • 1.  Vendor Questionnaires - software vendors without NPI access

    This message was posted by a user wishing to remain anonymous
    Posted 03-23-2022 09:30 AM

    We use a SIG Lite for vendors who are accessing our systems or have access to NPI or MNPI. What do folks use for vendors who operate external dbs which your employees may access periodically via a user account to conduct searches? Still something as extensive as a SIG Lite, or is there a briefer questionnaire which you're using?


  • 2.  RE: Vendor Questionnaires - software vendors without NPI access

    Posted 03-29-2022 09:22 AM

    Hi there,

    If I understand the question correctly, you are wondering about due diligence requirements for something like a subscription data service, where the provider has no access to your data or systems. If that is the case, you certainly can dial down the due diligence because the risk is relatively low. While SIG questionnaires are excellent for higher and more complex information security and privacy risks, they can be overkill when the risk is low. Because vendor risk questionnaires vary by organization, I can't recommend a specific assessment. If you create a specific assessment for this use case or are using an existing assessment, you should run it by your information security SME just to make sure all your bases are covered, and the applicable risks are considered.

    I hope that answer helps, but I am always interested in hearing from other members.


  • 3.  RE: Vendor Questionnaires - software vendors without NPI access

    Posted 03-29-2022 09:53 AM
    Hilary's point is correct that the overall risk is significantly lower if there is no information passing into the vendor's control. There is, however, one associated factor to consider. If the subscription data that you are receiving from the vendor are then incorporated into your own products or services, there is a compelling interest in the integrity of that data coming from an environment that has all of the requisite controls and protections that ensure your confidence in using it as the foundation to build your services (and to protect your reputation). In that context, it is certainly still appropriate to conduct due diligence even if you are not sharing your data.

    ------------------------------
    L. Beachy
    ------------------------------