In order to determine what due diligence is required for these 2 social media companies you referenced - assuming that Yelp and Google are, in fact, in-scope for your organization - the webinar linked to this response, which focused on Risk-Based Vendor Due Diligence, provides lists of documentation for collection and validation.
I'd be interested in what others think.
Original Message:
Sent: 03-03-2023 03:47 PM
From: Anonymous Member
Subject: Social Media
This message was posted by a user wishing to remain anonymous
Hi Jill,
What kind of due diligence is required for Yelp or Google?
Thanks
Original Message:
Sent: 03-02-2023 01:20 PM
From: Jill Sherman
Subject: Social Media
Hi,
To determine if a third party should be considered in a third-party risk management program, it is necessary to establish criteria for what constitutes an in-scope vs. out-of-scope vendor.
I've provided a list below to help enable you as you include those relevant third parties while excluding the others based on clear criteria:
In-Scope Third Parties
- The third party or vendor directly provides a tangible product or service to your organization or customers
- There's a written agreement detailing the product or service, cost, responsibilities of both parties, and termination conditions
- Your organization directly influences and manages the relationship
- There are documented service level agreements related to the delivery and quality of the product or service
- Invoices are provided, reviewed for accuracy, and approved before payment
- The inherent risks or the dollars spent are significant and should be actively monitored and managed
Out-of-Scope Third Parties
- Government entities
- Payee relationships
- Travel and Entertainment
- Sponsorships and donations
- Public Utilities
- Industry group memberships
Note: Subscriptions are an excellent example of an outlier because this category does not fall neatly into an either-or approach.
Regarding social media companies, if you are merely subscribing to establish an online presence and your organization will create and monitor posts, then you can probably exclude them from your third-party risk management program. However, if you are purchasing data services or placing ads, then those third parties should be in-scope for your program.
Hopefully this information facilitates your decision on whether to include social media companies into your program.
I'd be interested to hear what others think!
Original Message:
Sent: 02-22-2023 03:19 PM
From: Anonymous Member
Subject: Social Media
This message was posted by a user wishing to remain anonymous
I work for an FI. Should we include social media companies in our VMP (Yelp, Google, etc.)?