I have a Monitored and Non-Monitored classification written into Policy. For the VARs, they fall into the Non-Monitored bucket.
That said. Every vendor/third party needs to go through Basic Due Diligence.
That consists of a Vendor Registration process, where they provide the basic information about who they are and whether they have a parent company; we ask for their NAICS codes and DUNS#; they have to clear an OFAC/PEP screening, provide a W-9/W-8, and sign/agree to the Supplier Code of Conduct; we are also asking about ESG and Supplier Diversity information. I call it the KYV (Know Your Vendor) process (a play on KYC used at Banks; lol).
And for the VARs they have to agree to our Master Purchasing Agreement, which has language regarding Security requirements, which includes the obligation to ensure all hardware devices are free of viruses, malware, etc.
But it's not a blanket category free pass... some VARs may provide Services above and beyond facilitating the HW/SW purchase. In those cases we review the Service and determine if additional due diligence is necessary relative to the risk of the services being performed.
So I guess it depends on what hardware, if there are ancillary services, and if you need to license anything in the course of the purchase.
Most of the hardware we purchase is going to get scrubbed, with IT re-imaging the drive and loading a standard image, so we're mitigating most of the risk of bad stuff living in the hardware...
------------------------------
Bradley Martin
------------------------------
Original Message:
Sent: 08-24-2022 03:11 PM
From: Pamela Rackley
Subject: Hardware Vendor - Due Diligence
Hi All. We have a hardware vendor that we purchase our laptops from and I am curious what types of due diligence you request from hardware vendors. Most of what we typically ask for doesn't seem relevant. Inherent risk is low, as they are easily replaced and obviously do not have any access to data, so I am just not sure what to request. Would love to know what others request from these types of vendors. TIA!
------------------------------
Pam Rackley
Risk Analyst
------------------------------