Regarding Isabel's comment on privacy addenda...
If your company has global operations which include the EU states, your legal / contracting teams would be best advised to have the vendor sign a Data Processing Addendum. For instance, Infoblox is headquartered in the US, but we have employees around the globe, so when we share employee personal data (name, email, phone, location, IP address, or more sensitive data) with a vendor we require the DPA to be negotiated and signed. This includes our health insurance partners, payroll provider, wellness site, anything that processes the employee data.
We often get questions from our business units wondering why we need a DPA when we're working with a US-based company, but GDPR applies even to data collected and processed in the US if it is about (living) EU persons.
As the owner of TPRM or vendor due diligence, you'll want to be familiar with these and similar compliance laws so that you can include them in your risk assessments. Partner with Legal or Procurement to have the right skills to review, but be sure this work is completed and documented.
PS - ping me sometime, Isabel!
------------------------------
Kate Wakefield, CISSP / CIPT / CRISC
Infoblox Director of GRC
------------------------------
Original Message:
Sent: 01-11-2023 03:06 PM
From: ISABEL GUERRERO
Subject: Vendors such as payroll or 401k provider
We have been audited on this recently. Our auditors determined that there was not sufficient due diligence conducted and that, for insurance providers, there should be a Privacy Addendum that accompanies the contract. I imagine when the 401(k) vendor and other such vendors come up for renewal, we will do the same.
Original Message:
Sent: 1/11/2023 2:39:00 PM
From: Kathy Volkmann
Subject: RE: Vendors such as payroll or 401k provider
We've tried to obtain due diligence info from several of our HR vendors (insurance, 401k, etc.) and most had nothing to provide. Several told us they had never been asked for it before. We do rate them high risk with a note that our HR staff reviews their info and proposals when our contracts renew. HR vendors are the only ones we do this for.
Original Message:
Sent: 01-10-2023 05:04 PM
From: Anonymous Member
Subject: Vendors such as payroll or 401k provider
This message was posted by a user wishing to remain anonymous
How do folks handle vendors like payroll or 401k providers? They have PII on employees, which would probably put them in a High Risk category, but their impact on our business is minimal and would not impact clients (we are in financial services). Would you tend to make this a High Risk, non-critical vendor? If so, what sorts of guidelines for review and frequency are typically used?