Due Diligence and Ongoing Monitoring

  • 1.  Document destruction vendors

    This message was posted by a user wishing to remain anonymous
    Posted 12-04-2023 12:39 PM

    How do you risk classify document destruction vendors?

    In the past we have classified them as low risk, but recently we decided to classify any vendor with access to Process, Store, Manage, View/Add/Modify, Transport, Dispose of, or Transmit NPPI as high risk.

    Does anybody else classify document destruction vendors as high risk? What level of due diligence do you perform?

    Looking forward to any comments.



  • 2.  RE: Document destruction vendors

    This message was posted by a user wishing to remain anonymous
    Posted 12-04-2023 01:03 PM

    We rate document storage/destruction vendors as high risk due to NPPI, and perform a complete due diligence review annually.




  • 3.  RE: Document destruction vendors

    Posted 12-04-2023 01:04 PM

    They are high risk due to the access to Bank confidential information, customer NPPI and employee NPPI.


    Gene Fox

    VP, Third-Party Risk Management Officer







  • 4.  RE: Document destruction vendors

    This message was posted by a user wishing to remain anonymous
    Posted 12-04-2023 03:30 PM

    I'll give you the standard consultant answer...it depends.

    They need to be classified based on the classification of information that they will be handling.




  • 5.  RE: Document destruction vendors

    This message was posted by a user wishing to remain anonymous
    Posted 12-04-2023 03:31 PM

    Our organization rates our document shredding vendor as residually low risk. We mitigate the inherent high risk by having our employees physically present when the vendor empties the shred containers. Our staff then supervises the instant, on-site shredding process, which basically turns the documents into confetti. Our documents are never left unattended in their whole form. The shredding trucks are equipped with video cameras to live-view the destruction of all documents.

    The vendor provides a standard due diligence packet that typically includes NAID certificates, insurance certificates, etc.




  • 6.  RE: Document destruction vendors

    This message was posted by a user wishing to remain anonymous
    Posted 12-04-2023 04:29 PM

    How do you manage destruction of physical devices that contain or contained sensitive information?




  • 7.  RE: Document destruction vendors

    This message was posted by a user wishing to remain anonymous
    Posted 12-04-2023 04:28 PM

    Our document destruction vendor is classified as Critical as they are also our offsite storage. Unfortunately, since they are a smaller company, we do not get a full Due Diligence package from them every year, and we document that.

    If they were just doing document shredding for us, their rating would be lower as shredding/destruction is done on-site. An employee is required to walk with the vendor employee to obtain the shred bin, accompany them outside, watch the destruction, and then walk back inside with them.