GRC Scope:

The GRC process focuses internally on compliance and the overall cyber posture of IEHP. In scope are:

• Risk appetite, tolerance, and capacity
• Regulation obligation by regulator
• Audit and assessment planning
• Impact on controls applicability coverage
• Authority records, gaps, and issues
• Program wide issues summary
• Security incident and injury management
• Governance structure, roles, and responsibilities

TPRM Scope:

The third-party risk management process focuses externally on vendors and the cyber security impact they may bring to IEHP. In scope are:

• Automated processes to screen all IEHP vendors annually to identify those critical vendors that could potentially expose IEHP data or its network and infrastructure to unauthorized access.
• Administering automated in-depth security reviews to examine the security controls critical vendors have in place to mitigate their inherent risks to IEHP. Detailed scored risk reports for each vendor enable an apples-to-apples comparison between vendors to determine which vendors pose the highest risks to IEHP.
• Triggers to automatically request annual security screenings and other processes.
• Workflows that enable data gathering and sourcing for vendor information from the IEHP systems that store it, including Conga, Bonfire, Oracle and ServiceNow.
• Risk Registry to house all vendor scored risk reports, evidence, and related documentation.
• Reporting and Dashboard to monitor the TPRM process.