IT Examiner School, Providence, RI

Ongoing Monitoring

• Management should establish a monitoring system and should complete regular reviews of the institution's service providers. Some key things to consider:
– Management should periodically rank service provider relationships according to risk to determine which service providers require closer monitoring.
– Those service providers with higher risk ratings should receive more frequent and stringent ongoing monitoring.
– Ongoing monitoring requirements should be clearly defined by vendor risk rating within the institution's vendor management policies.

Ongoing Monitoring

• Items to review include:
– Financial, operational, and contract elements, such as: Information Security, Performance/SLA monitoring, Disaster Recovery/Business Continuity Planning, Audit reports, Financial Viability, Cybersecurity, etc.
– Although financial impact (spend) should be considered in the vendor risk rating and ongoing monitoring requirements, it should not be the sole factor. For example, a very low dollar value vendor may have minimal financial impact or may be easily replaced; however, if the vendor has access to non-public information such as customer data, then the relationship would be considered higher risk.