SANKET SUNIL BADVE
About Candidate
Education
Work & Experience
Conducted Vendor Risk Management for IT and non-IT vendors from an information security perspective.
➢ Annual assessments of existing vendors and onboarding assessments of new vendors are performed.
➢ Vendors are auto-categorized from Tier 1 to Tier 5 (1 is critical, 5 is low) based on their services and their access to the organization's data. The head of the team assigns the vendors to the assessor.
➢ At the time of assessment, the assessor informs the internal business team and the vendor SPOC about the assessment to gather evidence or supporting documents such as the ISO 27001 Statement of Applicability and Certificate, SOC 2 reports, BCP and DR plan and their test reports, PCI DSS AOC, and External VAPT report.
➢ Based on the current assets and liabilities of vendors, if they fall under the high-risk category, the business team will be informed.
➢ The vendor submits a response to the questionnaire on a web-based tool and a set of mandatory documents over email. The Risk management tool highlights the findings identified based on the responses to the questionnaire.
➢ As an assessor, we check for false-positive findings, add our comments, and describe why those are not real findings or are not applicable.
➢ All records of evidence validation are managed and maintained in the web-based internal tool, i.e., the Risk Management Information System (RMIS) tool.
➢ After reviewing the documents and their results, they are archived in the RMIS tool along with the actual evidence and related information such as the scope of the documents, organization name, issue date, expiry date, issuer organization name, etc.
➢ After successful completion of the assessment, the vendor and the business team are informed about their status and result.
Performed Third Party Risk Assessments and due diligence for new onboarding and existing annual vendors from an information security perspective and a financial perspective.
➢ Validate ISO 27001-based controls during the assessment.
➢ Conduct kick-off calls with vendors and understand their project scope, delivery model (Access, Process, Store, View), and data flow (Collect, Use, Disclose, Store, Dispose).
➢ Define the scope and applicability of information security domains.
➢ Use a defined questionnaire as a baseline that covers questions on Information Security Organization, Human Resource Security, Asset and Data Management, Access Control, Cryptography, Physical and Environmental Security, DLP, Network and Firewall, SDLC, Cloud Security, Information Security and Incident Management, Business Continuity and Disaster Recovery, SOC 2 reports, BCP and DR plan and their test reports, PCI DSS AOC, External VAPT report, balance sheet, P&L statement, and insurance copies.
➢ Using the internal web-based Risk management tool, worldwide vendors are assessed and onboarded within the stipulated period.
➢ Explain the default audit or assessment timelines to the vendors.
➢ Understand the vendor environment from an information security perspective.
➢ Calculate risk ratings such as Critical, High, Medium, Low, and Observation based on Impact and Likelihood.
➢ Draft follow-up questions and chase auditees to receive responses within the defined time.
➢ Draft and release a List of Findings and a Final Risk Report including issue descriptions, mitigating factors, recommendations, etc.