Notes from the Field: CIS Control 15 – Service Provider Management

by Greg Halpin / March 7, 2024

The client I was conducting a gap analysis for had an incredibly detailed Service Provider Management Policy. It required the company compliance team to conduct due diligence on all prospective service providers, including a risk analysis of each. The policy required the compliance team to review the prospective vendor's SOC 2 audit report and research the vendor's financial stability and reputation. The compliance team was to conduct annual reviews of…

Vendor Compliance Management: Carve-Out vs Inclusive Method

by Joseph Kirkpatrick / July 12, 2023

Vendor Compliance Management

As you’re preparing your service organization for a SOC 1 audit, you want to identify who your third parties or vendors are, what services they provide to you, and whether they’ve gone through audits themselves. Any control that governs the vendors you utilize will be reviewed in a SOC 1 engagement. Your vendors might include a data center, an application service provider, a managed IT provider, or…

Vendor Compliance Management Series: Performing an Effective Risk Assessment

by Sarah Harvey / November 17, 2023

Vendors and Risk Assessments

Are you looking to find out more about how to ensure that your organization is meeting vendor compliance management requirements? This webinar provides an overview of ways that you can ensure that your organization is performing an effective risk assessment. In this webinar, Joseph Kirkpatrick introduces and gives an overview of external guidance that may prove useful for your organization to establish or…

Vendor Compliance Management Series: Where To Start?

by Sarah Harvey / November 20, 2023

What’s Changed?

There needs to be a full chain of custody, as the CFPB expects you to “oversee their business relationships with service providers in a manner that ensures compliance with Federal consumer financial law….” For example, if you have “any person (i.e. service provider) that provides a material service to a covered person (i.e. you) in connection with the offering or provision by such covered person of a consumer…