Virtual Cyber & Technology Risk Management Forum
Where to Start with Vendor RA?

1. Inventory Your Vendors
   o Many institutions start with the Accounts Payable list
   o Note: not all the vendors on the Accounts Payable list need to be managed going forward
2. Determine Protection Profile (importance)
3. Identify Threats to your Institution from that vendor
4. Protection Profile x Threats = Inherent Risk
5. Determine Mitigating Controls
   o Contract Review Questions
   o Due Diligence Questions
6. Inherent Risk – Mitigating Controls = Residual Risk
© 2020 SBS CyberSecurity, LLC www.sbscyber.com