Hi,
We're currently updating our vendor management processes to ensure industry best-practices with compliance and third-party oversight standards. As part of this effort, we are asking that all our current vendors provide us with their most recent TPO or due diligence packet, inclusive of the following documentation:
-
Most recent financial information -
Certificate of insurance -
Most recent SOC/SOC II report -
Overview of security program answering the below questions: * What are the hiring/termination standards (background check, security training, etc.)? * What are the Vendor’s policies regarding user identification and password access, authenticating, access rights and authority levels? * What does the Vendor have in place to protect physical security (card access systems, alarms, etc.)? * What security is in place to protect the network (i.e., firewall)? * Is testing completed externally and/or internally? Is so, describe. * What redundancies does the Vendor have built into their systems? * How often is testing completed (vulnerability scans, penetration, etc.)? * How does the Vendor handle data in transit and at rest? Is this defined in contract? * Does the Vendor have an Incident Response Plan? Does it define the notification process to Kikoff? * Does the Vendor have a Cyber Security Plan? Is so, describe. * Does the Vendor have a Privacy Policy? How does the Vendor enforce compliance with GLBA?
Thank you in advance for your support and assistance in this effort!
Best,
Jon