Third Party Vendor Relations
Frequently Asked Questions
Vendor Risk Management Portal
- You must change your password on first login.
- You will have the option to change your username after first login.
- Note: Your username is initially auto-generated and does not default to your email address. Type your username and password rather than pasting them; a trailing space copied along with the value will cause the login to fail.
- Note: Multi-factor authentication (MFA) will be required.
The primary vendor contact from your company can add additional contacts in the vendor portal as needed.
- Vendor portal notifications
All vendors are in scope for an inherent risk questionnaire (IRQ). Based on the results of the IRQ, some vendors may require additional risk assessments. Services identified as low risk may not require a detailed assessment.
The TPRM team will schedule a kick-off meeting with you at the onset of a new engagement. During this meeting, assessment activities and timelines will be communicated to you. The goal is to complete the assessment within 90 calendar days.
- Assessment Work
- Meetings and Analysis
- Engagement Closure
- Continuous Monitoring
- Customer Content Data
- Customer Data
- Employee Data
- Prospective Employee Data
- Event Logs
- Configuration Data
- Meeting Metadata
Risk assessments are advisory services covering regulatory compliance and information security. The goal is to provide guidance to project teams and leadership on managing the technology risk introduced by new solutions.
- Inherent Risk Questionnaire (IRQ)
- Due diligence risk assessments conducted by Subject Matter Expert (SME) teams, which may include Third Party Risk Management, Privacy, Compliance, IT, Security Architecture, Offensive Security, or Open Source Security.
The IRQ consists of questions about the vendor service that are used to determine the potential risk posed to Zoom and the inherent risk tier.
An inherent risk tier refers to the potential risk an engagement presents to Zoom before any controls are applied or taken into account. The tier is measured on a scale of low, medium, and high, and it is the driving factor in determining what risk assessment work is required.
- IRQs are required for any new vendor engagement.
- Risk assessment requirements are based on inherent risk tier.
- Below are the general continuous monitoring timelines, by risk tier:
- Critical: Annual
- High: Annual to Biennial
- Medium: Biennial to Triennial
- Low: Ad Hoc
- If any security issues are identified, the Zoom business owner is responsible for ensuring that the vendor provides a risk response plan for the issue and may incorporate the plan into legal agreements as needed.
- Risk response plans may include remediation or acceptance of the issues.
- An incident can be reported by contacting your Zoom Vendor Manager directly or by emailing TPRM (email@example.com).
- Be sure to include:
- Incident Date
- Vendor Name
- Product/Application Name (if applicable)
- Zoom Contact(s) Notified
- Associated PO (if applicable/available)
- Summary of the Incident