third parties with whom they share sensitive and confidential information.
Risk Tiering
A vendor who is accessing, transmitting, or storing non-sensitive data solely within your environment may not pose the same level of risk as a vendor who is accessing, processing, transmitting and storing confidential information such as payment card data or personal health information (PHI) in their own data centre. In order to appropriately manage their vendor risk, organizations must cleanly separate their vendors into tiers through a determination process that uses a set of well-defined criteria. At a high level, you should seek to determine:
- What is the business criticality of the service performed by the vendor?
- How would you classify the information the vendor has access to?
- How is the vendor accessing and transmitting the information?
- Will the service provided by the vendor enable the organisation to satisfy a regulatory requirement?
- Where is the information accessed by the vendor being stored?
- Has the vendor experienced a security breach in the last 24 months?
Classifying vendors by tier so you can ask relevant questions during your security review process is a critical step in the vendor risk management program lifecycle. These tiers will ultimately assist in determining the level and frequency of due diligence required, while directing stakeholders to an appropriate set of supporting risk practices and procedures.
yperochí promotes a platform that supports a 4-tier vendor classification system based on data access, network or physical access, and business criticality.
Risk Tier 1
Tier 1 vendors will be classified as business- and mission-critical vendors that pose the greatest risk to overall security, privacy, and operations. Vendors in the tier 1 category will receive the most comprehensive advanced assessment. We expect to conduct rigorous inquiries into each of these vendors’ policies, procedures, and network architecture.
Risk Tier 2
Tier 2 vendors will be classified as high-risk vendors. Vendors in the tier 2 category will receive a less exhaustive advanced assessment compared to the tier 1 assessment. The tier 2 assessment will still incorporate questions covering the main risk categories, but our main objective will be to identify vendors’ policies, procedures, and architecture.
Risk Tier 3
Tier 3 vendors will be classified as medium-risk vendors. Vendors in the tier 3 category will receive a more focused advanced assessment compared to the tier 2 assessment. Even though these vendors lack the same business criticality as tier 1 and tier 2 vendors, it is still important to understand the controls in place that are designed to protect the company from risk.
Risk Tier 4
Tier 4 is an optional tier we may leverage for low-tier vendors if this level of categorization is needed to maintain a full inventory of all vendors. These may include vendors that do not have access to sensitive information or connectivity to systems/networks.
As the definition of a vendor expands, companies need to thoughtfully review their comprehensive vendor lists. Managing third-party risk is only as effective as the completeness of your assessment strategy. Make sure to consider the risks posed by all vendors within your ecosystem and develop an assessment approach that accommodates the full spectrum of these risks.