RECMGMT-L Archives

Records Management

RECMGMT-L@LISTSERV.IGGURU.US

Subject:
From: Patrick Cunningham <[log in to unmask]>
Reply To: Records Management Program <[log in to unmask]>
Date: Fri, 11 Nov 2016 16:48:42 -0600

My thought would be to assess whether or not the vendor risk assessment
plays any role in a potential breach of contract. Let's say a vendor has a
security risk assessed and the vendor promises a risk mitigation plan,
which a subsequent audit finds deficient or non-existent. The contract says
that the vendor has a curative period to remediate the issue, but the
vendor is only allowed X number of deficiencies over the term of the
contract or the contract can be terminated for cause. In that instance, I
would expect that the retention of the risk assessment would need to be
maintained for the life of the contract.

Even if that isn't the case, I think there is some value in maintaining the
history of the risk assessments for the life of the contract. I've seen
situations where a couple years down the road, an issue arises and everyone
walks around saying, "Didn't we address this already?" Or, "How did they
fix this before?" I think they can provide potential leverage with the
vendor if you can point to multiple failures over time, particularly for
the same or similar issues.

Patrick Cunningham, CISM, FAI
