Due Diligence and Ongoing Monitoring

  • 1.  VENDOR WFH OVERSIGHT

    Posted 12-16-2022 07:51 AM
    Can anyone share how you approach evaluating your suppliers' work-from-home capabilities or program? This can include due diligence and ongoing monitoring in the areas of cyber, compliance and operations, as well as any contractual considerations.
    Thanks for sharing, or feel free to reach out to discuss.

    Steven I. Adler
    Director, Third Party Risk Management
    Enterprise Risk Management
    Humana Inc.



  • 2.  RE: VENDOR WFH OVERSIGHT

    Posted 12-20-2022 05:05 PM

    Hi,

    Here are some suggestions I wanted to share with you regarding Work from Home (WFH) capabilities. I would first make sure the vendors that you're examining are providing services that are in scope, meaning those that require human activity (as opposed to system operations only). This will enable the right population of vendors to be examined.

    Preliminary questions to consider:

    • Inherent risk: First, make sure that people are involved (staff availability) and that people affect operations.
    • BC tests: WFH tests for VPN and virtual desktops that are involved in Business Continuity plans, and tests specifically for WFH.
    • Contract clauses: Business Continuity should be specifically listed, but the WFH clauses may not be. However, the WFH functionality may be available. Contractually, a vendor may have cyber risk captured in their provisions for Business Continuity (operational availability). This would encompass system availability. Look at the contract's BC language.
    • Does a vendor have BC controls for validation?

    Here are some thoughts regarding my approach to Vendor WFH oversight, specifically for Due Diligence and Ongoing Monitoring:

    Policy

    • Request a vendor's policy and program documentation regarding their WFH program.

    Information Security

    • Does a vendor have a WFH notification/escalation system for the employees if the system were to go down?
      • Is there a formalized workaround process? These are helpful to ensure management has considered incidents like this off company premises.

    Access Management

    • Request documentation as evidence (screenshots, lists, flowcharts) of a vendor's implementation and ongoing monitoring of their WFH policies.

    I hope you find this helpful, but I'd love to hear what other members are doing as well.