Due Diligence and Ongoing Monitoring

  • 1.  Physical Site Visits of High Risk Vendors

    Posted 17 days ago

    Good Afternoon,

    Does anyone do physical site visits of their high-risk vendors? 

    Really curious how many actually do this.  Thanks in advance for answering!

    Lori Collins, NCCO, CRVPM II



  • 2.  RE: Physical Site Visits of High Risk Vendors

    Posted 17 days ago

    We have done them in the past, but don't any longer. It actually used to be one of the questions on our DD questionnaire. Our vendor just recently removed it for the reason that it is no longer relevant post-Covid.


    Cheryl






  • 3.  RE: Physical Site Visits of High Risk Vendors

    Posted 17 days ago

    Thanks so much!


    Lori Collins, NCCO, CRVPM II

    Manager, Vendor Management







  • 4.  RE: Physical Site Visits of High Risk Vendors

    Posted 17 days ago

    We still do - especially for new vendors or after material changes to their operations. If something goes wrong, I don't want to be the one explaining why we never laid eyes on their physical plant/facilities.



    ------------------------------
    Bridgette
    ------------------------------



  • 5.  RE: Physical Site Visits of High Risk Vendors

    Posted 17 days ago

    If allowed by contract, we visit all critical vendors at least annually. 




  • 6.  RE: Physical Site Visits of High Risk Vendors

    Posted 17 days ago

    Hi, you have to think about what the specific "high" risk is that is associated with the vendor. Is there a physical risk to observe? We do not permit customer onsite audits as a vendor, even though we are "high risk", because the various physical risks that are articulated by our customers are actually present within our cloud environments, which are NOT running at any company physical location. Are they storing your company's sensitive data onsite within a datacenter managed at their facility? Then yes, an onsite would be expected.


    Frank




  • 7.  RE: Physical Site Visits of High Risk Vendors

    Posted 16 days ago

    Hi Lori,

    We had stopped site visits during COVID and were doing some reviews with a virtual walk-through. Our regulator in 2023 strongly suggested that we evaluate resumption of visits where it made sense in 2024. So we are doing site visits for multiple critical vendors this year. I know some shops that took their travel allotments out of their budgets and now they are fighting to get it back. I did not have that problem, thank goodness! Good Luck!



    ------------------------------
    Jenn Wilkinson
    Vice President
    Third Party Risk Management
    Cenlar FSB
    ------------------------------



  • 8.  RE: Physical Site Visits of High Risk Vendors

    Posted 16 days ago

    We also discontinued onsite assessments during Covid and are re-evaluating. We are trying to fully understand what value the onsites would provide outside of the third-party datacenter. Can you provide some additional details on what you're looking at during the onsites outside of the datacenter controls and possibly other physical controls, such as building access, cameras, etc?



    ------------------------------
    Wendy Dickson
    Third Party Risk Manager
    ------------------------------



  • 9.  RE: Physical Site Visits of High Risk Vendors

    Posted 16 days ago

    The on-site gives us the opportunity to ensure the vendor does adhere to and enforce their policies and procedures (clean desk, security/access, etc.), as well as the physical security in general. For those vendors who do not share their policies and procedures unless viewed on site, we go there to conduct a review of them and tour the location. The tour allows us to see the work being done in many cases, so we can assess the condition of the workspace as well as see who is doing the work. We use the visit as the opportunity to evaluate the leadership of the vendor in all areas of significance for us, such as: HR, IT, Training, Operations, Compliance, Vendor Management, Risk and Security, where we are able to get assurance that they all have the level of competence we would expect from a critical vendor. We can shadow processes the vendor does for us as well, which can be assuring or open the door for risks or concerns depending on the situation.



    ------------------------------
    Jenn Wilkinson
    Vice President
    Third Party Risk Management
    Cenlar FSB
    ------------------------------