Risk Assessments

  • 1.  Vendors such as payroll or 401k provider

    This message was posted by a user wishing to remain anonymous
    Posted 01-10-2023 08:42 PM

    How do folks handle vendors like payroll or 401k providers? They have PII on employees, which would probably put them in a High Risk category. But their impact on our business is minimal and would not impact clients (we are in financial services). Would you tend to make this a High Risk, non-critical vendor? What sorts of guidelines for review and frequency are typically used if so?


  • 2.  RE: Vendors such as payroll or 401k provider

    Posted 01-11-2023 02:39 PM
    We've tried to obtain due diligence info from several of our HR vendors (insurance, 401k, etc.) and most had nothing to provide.  Several told us they had never been asked for it before.  We do rate them high risk with a note that our HR staff reviews their info and proposals when our contracts renew.  HR vendors are the only ones we do this for.


  • 3.  RE: Vendors such as payroll or 401k provider

    Posted 01-11-2023 03:35 PM
    Yes - we have run into the same issue, where they act like they've never been asked to complete due diligence before and are unwilling to help us out in any way. In the latest effort with our new 401k provider, they were so kind as to supply me with a document. One document. And it was a flyer that serves as the General Privacy Statement they provide to their participants. Not helpful in the least. It's very irritating!


  • 4.  RE: Vendors such as payroll or 401k provider

    Posted 01-11-2023 04:40 PM

    I forgot to mention that some of these vendors already have industry-accepted certifications. For example, most insurance providers (Anthem, The Blues, etc.) will have a HITRUST certification or other types that are comprehensive in the testing of their compliance/security controls, policies, procedures, and their implementation. I would request those and leverage those as the "due diligence."


  • 5.  RE: Vendors such as payroll or 401k provider

    Posted 01-11-2023 04:45 PM

    Any benefit plan that is considered a HIPAA covered entity: 1) health plan, 2) healthcare clearinghouse, or 3) healthcare provider is governed under the strict HIPAA standards. I would recommend that you use your Business Associate Agreement with the provider as evidence of your due diligence and point to the HIPAA regulations.

    Other benefit plans such as a 401K saving plan are governed under Gramm-Leach-Bliley Act which has its own audit and compliance standards that the service provider must meet. I suggest checking your Service Agreements or asking these providers to provide certification that they are covered under GLBA.

    Others such as agencies used to conduct applicant background screening are governed under the Fair Credit Reporting Act and along similar lines, I would ask those to certify that they are in compliance with FCRA.


  • 6.  RE: Vendors such as payroll or 401k provider

    This message was posted by a user wishing to remain anonymous
    Posted 04-11-2023 09:09 PM

    Would you consider AFLAC a benefit provider, and should it be risk rated either Critical or GLBA due to the vendor having access to NPPI?

    This is one of our Inherent Risk rating questions and I'm struggling with how the question was answered by the vendor owner. They are currently rated as a Low-Risk Vendor, with the last answer being selected:

    Does the vendor have access to confidential consumer data (NPPI)?

    1. Yes, the vendor frequently stores and transmits confidential consumer data.
    2. Yes, the vendor has access to confidential consumer data but the data is stored on our Bank's servers.
    3. Yes, the vendor has potential access to confidential consumer data, but the access is very infrequent, limited, and/or controlled.
    4. No, the vendor does not have access to confidential consumer data.



  • 7.  RE: Vendors such as payroll or 401k provider

    Posted 01-11-2023 04:39 PM

    We have been audited on this recently. Our auditors determined that there was not sufficient due diligence conducted and that for insurance providers there should be a Privacy Addendum that accompanies the contract. I imagine when the 401k vendor and other such vendors come up for renewal, we will do the same.



  • 8.  RE: Vendors such as payroll or 401k provider

    Posted 01-11-2023 07:50 PM
    Regarding Isabel's comment on privacy addenda...

    If your company has global operations which include the EU states, your legal / contracting teams would be best advised to have the vendor sign a Data Processing Addendum. For instance, Infoblox is headquartered in the US, but we have employees around the globe, so when we share employee personal data (name, email, phone, location, IP address, or more sensitive data) with a vendor we require the DPA to be negotiated and signed. This includes our health insurance partners, payroll provider, wellness site, anything that processes the employee data.

    We often get questions from our business units wondering why we need a DPA when we're working with a US-based company, but GDPR applies even for data collected and processed in the US, if it is about (living) EU persons.

    As the owner of TPRM or vendor due diligence, you'll want to be familiar with these and similar compliance laws so that you can include them in your risk assessments.  Partner with Legal or Procurement to have the right skills to review, but be sure this work is completed and documented.

    PS - ping me sometime, Isabel!

    ------------------------------
    Kate Wakefield, CISSP / CIPT / CRISC
    Infoblox Director of GRC

    ------------------------------



  • 9.  RE: Vendors such as payroll or 401k provider

    Posted 01-11-2023 06:27 PM
    We utilize ADP for our Payroll Service. ADP provides a SOC 1 Type 2 report for Workforce Now (our portal) and a SOC 2 Type 2 Report for its Technology Center. In addition, ADP provides COIs and other great due diligence materials.
    We utilize Fidelity for our 401K program. Fidelity provides both a SOC 1 for its RecordKeeping and Investments Services and a SOC 1 Type 2 Report for its Technology Center. Fidelity is privately held but one of the largest providers of 401k services in the country. Fidelity is also regulated by several federal agencies (brokerage, etc.).