Due Diligence and Ongoing Monitoring

  • 1.  Large Scale Vendors

    This message was posted by a user wishing to remain anonymous
    Posted 02-17-2022 03:11 PM

    I am responsible for vendor management at a smaller, local bank. We use some large scale vendors, particularly in IT, to help us compete with our larger competitors. However, I am having a hard time reviewing these vendors (Microsoft & AWS to name a few) because they will not give me all the due diligence I request. How can I still complete my review if I cannot review all of the documents I need?

    My initial thought is to create an issue for all of the missing documents, assign it to the business unit leader, and have that person accept the risk. Are there any other ideas?


  • 2.  RE: Large Scale Vendors

    Posted 02-17-2022 03:52 PM

    Hello,


    Larger vendors such as those can be challenging at times.  I have run into this as well but in pushing back, making them aware that items such as a SOC2 are meant to show your customers you are in compliance, they have sent them over.  It usually depends on what you are asking for, how often, and what they do for you.  A call even with their head of IT Security usually results in getting documentation.


    A couple of things you can try –

    • As you mentioned, open High Issues, taking that to the relationship owners and leadership and explaining the situation.  Getting scorecards from tools such as SecurityScorecard, Recorded Future, etc., will also show the risk ratings of these vendors, who are always trying to be hacked, and why you want to make sure you have the proper documentation.
    • Compliance requirements – Show the vendor what requirements you have to have as a financial organization, which, as a supplier, they are in line to help with.
    • Worst case, do your contracts state you can audit and what they must share?


    Jamie Sumter

    IT Risk Management Lead

    Clarios




  • 3.  RE: Large Scale Vendors

    Posted 02-17-2022 04:08 PM
    On top of what Jamie stated, it is not the most user-friendly website, but Microsoft does have a Trust Center where you can find some due diligence documentation.
    Cloud Data Integrity at its Finest | Microsoft Trust Center


    However, document, document, document, any attempts you make.

    Melissa