Information Security

  • 1.  NPI Access

    This message was posted by a user wishing to remain anonymous
    Posted 12-27-2023 07:38 PM

    I am new to third party risk with little IT/IS background, so forgive me for this question.

    Recently I was told that a Vendor (application) does not have access to our customer NPI that we enter or store, because applications are housed and managed on our network. Vendor does not touch our data.

    I verified with our SME and was told the same thing. Would this be correct? I am very confused with NPI access.

    Thank you in advance.



  • 2.  RE: NPI Access

    Posted 12-28-2023 09:40 AM

    If both the vendor and your SME are telling you that your NPI is all local, then that's generally enough.

     

    It's similar to buying a bookcase, in that regard.

                    The bookcase came from a vendor, but your data – the books – are still in your house and under your control. [lower risk, generally]

     

    The riskier NPI access would be where you are actually storing the information somewhere else.

                    In that case, you're storing your books somewhere else. When you want them, you get them delivered to you.  [higher risk]

                                    And if it's a limited edition book [NPI], then it could be a high risk.

     

                    Another example: smaller banks typically use a third party to host their core applications, which certainly include Non Public Information.

                    In that case, the NPI is on their servers, and needs to be protected when in use, in transit, and at rest.

    Thanks,

    Dave

    David Howe, CCUFC

    Chief Information Officer