Latest Discussions

  • RE: Oversight Requirements

    This message was posted by a user wishing to remain anonymous. I review Trans Union annually and although there are a lot of complaints, we take it as the nature of the business they provide. For them, we primarily focus on the business aspect and how ...

  • Hi All, How do you look at DD for Equifax and/or TransUnion? I am performing DD on both of them for the first time and when looking at the Better Business Bureau and CFPB, there are a lot of complaints on both of them. They also have low customer ratings ...

  • Questionnaire for Ongoing monitoring

    This message was posted by a user wishing to remain anonymous. Can you share the questionnaire you use and send for ongoing monitoring of critical vendor or vendors who you are sending personal / regulated data? Is it the same as the one used during ...

  • Posted in: Risk Assessments

    Material or critical fourth parties can still expose your organization to risk, so you're definitely on the right track of wanting to identify them. The good news is that these critical fourth parties can be identified in your third parties' SOC ...

  • RE: MSA for Occupational Healthcare Services?

    Posted in: Contract Management

    This message was posted by a user wishing to remain anonymous. Yes, we have service agreements with our appropriate contractual protections and conduct due diligence oversight commensurate with our risk matrix due to NPII and HIPAA data.

  • Thanks Tracey, this is very helpful. I will check out what you suggest, then go from there. Oh, good grief. Another name change. Lucky us. LOL. Take Care! Cheryl

  • MSA for Occupational Healthcare Services?

    Posted in: Contract Management

    This message was posted by a user wishing to remain anonymous. I work for a publicly traded company in the oil and gas industry. Do most companies have an MSA with their occupational healthcare providers? We use a couple companies to do our drug screening ...

  • Hi Cheryl! We do not use the CCM module, however I just did a quick scan through the SOC report, and I think you are spot on that it covers those services too! On Pages 14 and 19 of the most recent 2023 SOC 2 Type 2 Card Services reports, it references ...

  • Cheryl, If you can email me your contact info I can assist. I do believe it's covered in Card SOC and I can help point you to that direction. Veralyn Hensley SVP, Director of Vendor Management Mechanics Bank

  • Do you use the CCM Module at Fiserv, Tracey? They have a couple different SOC reports. I recently came across a Card Services SOC. I'm trying to figure out if that report covers CCM, and rather than answer my question, they keep sending me new DD Documents. ...

  • Good morning! I'm hoping this will help! For a good portion of the due diligence and monitoring documentation we collect, I go through the Client360 portal that Fiserv has, and search mostly for 'Compliance' in the Publications section. Do you have ...

  • RE: Fiserv (gasp) VDD

    This message was posted by a user wishing to remain anonymous. We review their SOC report and their FFIEC report, which we obtain from our regulator, as well as collect insurance and evidence of security testing.

  • Suggest that D&B reports have questionable value for TPVM. The information has substantial timing issues, particularly since it relies on creditor provided information. Public record resources for litigation, UCC filings and, where applicable, operating ...

  • Hello, I recently became aware of the Dun and Bradstreet report. I wanted to see if others are leveraging this report in their TPRM due diligence. If so, do you purchase the report or are you requesting it from the vendor? Do you find much value and ...

  • Typically if a vendor has different products/services, we will complete a separate vendor risk assessment based on whether there are specific due diligence documents for specific products/services. If the due diligence documents reflect the company as ...

  • Fiserv (gasp) VDD

    This message was posted by a user wishing to remain anonymous. Good morning, Does anyone have any recommended best practice/approach to vendor due diligence with the big F? We currently have Fiserv as a vendor and unsurprisingly, it is a critical component ...

  • I'm glad my answer was helpful! The CAIQ I mentioned before is designed to assess the security controls of all three providers – SaaS, IaaS, and PaaS. The questionnaire contains yes/no questions, which makes it easy to determine whether the provider is ...

  • Good day Jamie, Thank you for this insightful information - much appreciated! What we attempt in our assessment (my team is only responsible for the Security assessment aspect): we have the basic questions in terms of Security posture, policies, ISMS ...

  • RE: Vetting SaaS Vendors

    This message was posted by a user wishing to remain anonymous. Thank you for this insightful information Christine! How would you recommend vetting for IaaS and PaaS suppliers (only in terms of the Security Controls)? Anyone in the community using ...

  • Michael, please see the HECVAT (Higher Education Cloud Vendor Assessment Tool) that's used by Universities to assess cloud vendors. These questions apply to any cloud vendor. Here's the link: Higher Education Community Vendor Assessment Toolkit | EDUCAUSE ...