Policy, Program and Procedures

  • 1.  Management Company

    This message was posted by a user wishing to remain anonymous
    Posted 02-09-2023 04:21 PM

    Should a management company like Colliers be included in the vendor management program?



  • 2.  RE: Management Company

    Posted 02-15-2023 08:34 AM

    While there are some types of vendors we can safely exclude from TPRM programs (public utilities, government entities, sponsorships, donations, media subscriptions, etc.), third parties providing a product or service to the organization should generally be kept in scope.

    Colliers is a real estate management company. Let's suppose they are the landlords of your office building. In this case, they likely have unescorted access to your offices day and night and hire cleaning crews and security personnel (information security risk). They are responsible for life safety systems such as smoke alarms and fire suppression (operational risk). And remote access to HVAC, electrical, lighting, security, safety, and building management systems is becoming more common.

    Unauthorized access to a building's system can harm a tenant financially, disrupt their business, and destroy their property. For example, if a hacker gained access to temperature control in a data center warehouse and raised the temperature by 6 or 7 degrees, the results could be devastating.

    No matter what type of vendor it is, your inherent risk assessment should help your organization understand the risks by asking standardized questions. 

    So for Colliers, put them through an inherent risk assessment. It should be clear how to handle the relationship once you can identify the risks.

    I hope that helps, but I would love to hear from other members on this topic.