Inherent Risk Questionnaire Questions (2025)

Review this list before vetting a vendor so you already know what information we will need to collect from them.


  1. Vendor Information
    1.1 Name of vendor.
    1.2 Vendor physical address.
    1.3 Is there currently a vendor-side point of contact for this vendor/product?
    1.3.1 If yes, please provide their contact information (email/phone number).
    1.4 Who is your agency point of contact for this vendor/product?
    1.5 Vendor URL.
    1.6 Product type.
    1.7 Product category.

  2. Types of Service and Business Need
    2.1 Please describe the type of service or product this vendor will be offering.
    2.2 What specific challenges or problems are you aiming to address with the vendor’s product or service?
    2.3 What are the anticipated benefits or improvements?
    2.4 What business processes rely on this system/service?
    2.5 How does the system support critical business functions?
    2.6 Will the vendor’s product or service directly interact with the public?

  3. Data Types
    3.1 What types of data are processed or stored by this system (e.g. financial data, personally identifiable information, intellectual property)?
    3.2 Does this system handle any regulated data that requires compliance with a specific framework (e.g. GDPR, HIPAA, PCI DSS)?
    3.2.1 Please provide supporting documentation.

  4. Data Storage
    4.1 In which country (or countries) will the data be stored?
    4.2 What method of data storage is used (e.g. vendor-operated data centers, public cloud regions)?

  5. Integration
    5.1 Will this product or service connect with any application and/or website already in use at FCDC or other agencies?
    5.1.1 If yes, please specify the applications and/or websites.
    5.2 Will the vendor require access to our internal systems or networks?
    5.2.1 If yes, please describe which systems and the level of access required.
    5.3 Will the vendor have users that need accounts in our domain?
    5.4 If yes, what will those users need access to?
    5.5 How many vendor users will need access to our domain?
    5.6 For how long will these users need access to our domain?

  6. Business Continuity
    6.1 If the vendor’s services were to be unavailable for 24 hours, how would that impact your business operations?
    6.2 What would the immediate and long-term effects be if this system were unavailable?
    6.3 What are your contingency plans in the event of a disruption (natural disaster, system outage) that affects stored data?
    6.4 Are there any manual workarounds in place if this system goes down?

  7. Miscellaneous Questions
    7.1 Are there any unique risks associated with this vendor or their product/service that have not been covered?
    7.2 Can the vendor provide additional documentation, such as security certifications, audit reports, or compliance attestations?