Due Diligence and Ongoing Monitoring

  • 1.  Hardware Vendor - Due Diligence

    Posted 08-24-2022 03:11 PM
    Hi All.  We have a hardware vendor that we purchase our laptops from and I am curious what types of due diligence you request from hardware vendors.  Most of what we typically ask for doesn't seem relevant.  Inherent risk is low, as they are easily replaced and obviously do not have any access to data, so I am just not sure what to request.  Would love to know what others request from these types of vendors.  TIA!


    ------------------------------
    Pam Rackley
    Risk Analyst
    ------------------------------


  • 2.  RE: Hardware Vendor - Due Diligence

    Posted 08-24-2022 06:21 PM
    I have a Monitored and Non-Monitored classification written into Policy. For the VARs, they fall into the Non-Monitored bucket. 
    That said, every vendor/third party needs to go through Basic Due Diligence. 
    That consists of a Vendor Registration process, where they provide the basic information about who they are, if they have a parent company, ask for their NAICS codes and DUNS#; they have to clear an OFAC/PEP screening, provide a W-9/W-8 and sign/agree to the Supplier Code of Conduct; we are also asking about ESG and Supplier Diversity information. I call it the KYV (Know Your Vendor) process (a play on KYC used at banks; lol). 

    And for the VARs, they have to agree to our Master Purchasing Agreement, which has language regarding Security requirements, which includes the obligation to ensure all hardware devices are free of viruses, malware, etc.
    But it's not a blanket category free pass... some VARs may provide Services above and beyond facilitating the HD/SW purchase. In those cases we review the Service and determine if there is additional due diligence necessary relative to the risk of the services being performed.  

    So I guess it depends on what hardware, if there are ancillary services, and if you need to license anything in the course of the purchase. 
    Most of the hardware we purchase is going to get scrubbed with IT re-imaging the drive and loading a standard image, so we're mitigating most of the risk of bad stuff living in the hardware...

    ------------------------------
    Bradley Martin
    ------------------------------



  • 3.  RE: Hardware Vendor - Due Diligence

    Posted 08-25-2022 10:58 AM
    @Bradley Martin - Thanks so much for your detailed response.  I found it very helpful and appreciate that you took the time to respond and share your knowledge.  Thank you!

    ------------------------------
    Pam Rackley
    Risk Analyst
    ------------------------------



  • 4.  RE: Hardware Vendor - Due Diligence

    Posted 08-25-2022 12:08 PM
    Since the SolarWinds vulnerability you also have to understand what you are buying and where in your infrastructure you are plugging that in. So while it may be a hardware/software item that is on premise once you purchase, you may rely on the vendor for upgrades, troubleshooting, support service, etc.  From this perspective it is good to know the vendor's financial health, end-of-life plans on products, maintenance, etc.  For support of such hardware/software, you may fall back on your organization's BCDR if there is a disruption, but if your backup fails and you need the vendor, you may need them within a few hours as it could be a big impact internally. Then understanding the vendor's controls around support services, RTO, etc. becomes important.  This would also depend on your organization's risk appetite and tolerance, and TPRM resource constraints, etc., because you can't monitor everything and probably need to take a risk-based approach to what you want to evaluate.