Chapter 8 Continuous Monitoring

We have described some common due diligence efforts: Intake, Ongoing, and On‐site assessments, all of which are point‐in‐time due diligence activities. In normal circumstances at KC Enterprises, a high‐risk vendor receives a physical on‐site assessment only once a year, which leaves the other 364 days for something to go wrong. It is not that KC expects a vendor to undo its security controls once an evaluation is completed; the concern is that a lot can happen in the days between point‐in‐time appraisals. The development of a Continuous Monitoring (CM) program was the logical next step: a way to engage with vendors when risks are observed between normal visits.

What Is Continuous Monitoring?

KC's Cybersecurity team developed this program around the concept that they would operate like a team of cyber threat analysts. Their role differs from that of the other analysts on the Cyber Third‐Party Risk team. At most companies, cyber threat analysts are trained to look for cyber risks internally; here they are trained to look externally, at vendors, for the same risks. This requires an additional set of tools, because KC cannot run scans or vulnerability tests directly against vendors. Let's look at those tools as we discuss how the team performs its work.

Vendor Security‐Rating Tools

Vendor security‐rating tools are a relatively new capability, and have not been on the market for a long time. Some of their earliest software ...
