Even the largest companies have limited resources. The best way to be efficient with your resources in assessing the security posture of your suppliers is to prioritize your vendors based on risk and apply the appropriate amount of scrutiny. It helps to have a data classification policy that defines the risk level of data (i.e. high, medium, or low).
Consider the following to establish standards for risk classifications based on your company’s risk tolerance:
1. What control domains do you need to evaluate?
Determine which policies and controls the vendor must adhere to. Some companies with a mature risk program have set policies and defined controls that they require vendors to adhere to, while others measure their vendors against industry standards and best practices. Keep in mind that some resource within your company must have the expertise to analyze the responses from vendors and work to satisfactorily resolve any issues.
2. Which vendors need to be evaluated?
Identify the relevant list of vendors and classify them by inherent risk to your business (see Knowing Who Your Vendors Are). A common question is "Do I need to evaluate ALL my vendors?" The answer is up to each company according to its risk tolerance and resources, but some companies choose to accept the inherent risk of lower-risk vendors without assessments or questionnaires because of limited resources and capabilities. Knowing who your vendors are, what risk they present, and having a documented process for determining whether they need evaluation is necessary.
3. To what extent does each of these vendors need to be evaluated?
Find suitable questions that adequately attest to the relevant controls according to the risk the vendor presents to you. Higher-risk vendors should be subjected to greater scrutiny, while lower-risk vendors can be subject to less. Knowing the inherent risk level is important in determining the effort required and justifying your policy.
The first step in prioritizing your vendors is understanding who they are and what they do. Consider the following when determining the inherent risk of a third party:
- To what type of data do they have access? Is it highly sensitive personal data? (i.e. data classification)
- To what systems do they have access and what is that method of access?
- What is the importance of their service to you? How important is availability?
Being efficient with your resources involves knowing which of your vendors need to be evaluated. If a third party has a low inherent risk, then it may not need to be assessed at all. Put a good plan for assessing your vendors in place, and you'll be able to justify it.