Due Diligence and Ongoing Monitoring

  • 1.  Low Risk Vendors

    Posted 02-17-2023 11:46 AM

    If a vendor is considered low risk and the oversight task frequency is every three years, is it a best practice to still obtain a COI yearly?



  • 2.  RE: Low Risk Vendors

    Posted 02-17-2023 02:08 PM

    It depends on how you qualify low risk.  For us, low risk means the vendor does not have any sensitive information, is not relied upon for any service (including support services for on-prem solutions), and does not have any access to our infrastructure, etc.  In this instance, we only request insurance for those that will be on site at any of our locations (janitors, printer service, alarm service, etc.).

    Then we have our moderate-low risk tier, where we perform due diligence every other year but still continue to do insurance tracking annually.