Have you created a vendor assessment questionnaire that is specific to consultants and integrators that only have either limited access, time-bound access that is controlled, or no access but are involved with designs, data, or exposed to sensitive information? I am looking to streamline my TPRM questionnaire for consultants and integrators.  I've used the SIG and SIG lite, and used the SIG Manager to customize the domains. Not all questions that you can ask in an assessment are equal when you take the details of access and exposure into account.  I want to have a specific set of questions to help us really assess the risk for this type of vendor. 

Chief Technology Officer in Media, 2 years ago

Prioritize questions about the duration and scope of access, the nature of sensitive data exposure, and specific security protocols implemented during their involvement, ensuring a targeted and effective risk assessment tailored to their unique roles and responsibilities.

Director of Systems Operations in Healthcare and Biotech, 2 years ago

Sounds like you are on the right track, but depending on the industry and location, additional criteria may need to be set. But in general, when trying to really address vendor risk, questions about what systems are utilized, their onboarding/offboarding process, location of sub vendors, as well as what certifications they have and how they audit themselves are always good questions to include.
