SBS CyberSecurity | May 09, 2019 | 6 min read

Vendor Classification & Management: How Should You Categorize Your Vendors?


Think about the average user in your organization. What percentage of the time are they using a third-party vendor’s product or service? How much of their day-to-day work is performed using at least partially outsourced products and services?

From the vendor that supplies your hardware and networking equipment, to the operating system on each PC, to the additional software installed on workstations and servers, to the vendor that supports that software, a third-party vendor is potentially involved at every step.

Today, nearly every business function can be outsourced and hosted as a cloud-based service. At the same time, there is increased pressure to manage the risk to confidential customer information, which may now be stored in the cloud, under another organization's control. Finally, some industries have regulatory and/or compliance requirements that mandate specific risk management procedures and documentation.

With so many vendors involved in your operations, any critical function or informational asset could be at least partially dependent on the regular, secure, and consistent operation of a third-party vendor’s product or service.

Maintaining an efficient vendor management program is a necessity for a responsible organization’s understanding of outsourcing risk.

Your vendor management program can be a headache or an asset, depending on how effectively you manage it.


Common Issues with Vendor Management

Several common issues arise with vendor risk assessments, mostly related to efficiency and consistency. Left unaddressed, they can cause you to spend far more time on vendor management than is reasonable:

  • You may be risk-assessing too many vendors too frequently. If you are risk-assessing more than several hundred vendors, your criteria for which vendors require a risk assessment are probably too broad.
  • You might struggle with how to define critical/high-priority vendors, resulting in too many (e.g., 20) “critical” vendors.
  • You might have inconsistent categorization metrics: multiple individuals work on the vendor risk assessment, each following their own method, so the resulting risk picture depends on who performed the assessment.
  • You could be unsure of where to start, confused about how to manage vendors, unclear about how to review the multitude of documents, or lost in the sea of regulation and guidance.

 

Build a Consistent Vendor Categorization Process

The good news is that there are several strategies you can employ to optimize your vendor management program.

First and foremost, start with your risk assessment. You usually want to risk-rate any vendor whose products or services may interface with customer or sensitive information, as well as any vendor with whom you have a current or recurring formal contract or agreement.

Please note that you do not have to review every single vendor. If you are risk-rating an office supply company that supplies paper clips but has no access of any kind to your organization’s facilities or information, you are most likely not making the best use of your time.

Once you have inventoried the vendors to be risk-assessed, the next step is to categorize them by criticality. The TRAC Vendor module uses the following four metrics to prioritize vendors, assigning a High/Medium/Low value to each metric for each vendor:

  • Confidentiality of Information
  • Access to Customer Information
  • Availability
  • Assets Associated/Volume

 

 


After a vendor is rated using this system, it is placed into a vendor category, which defines the amount of scrutiny and level of due diligence performed for that particular vendor’s product/service.

Here are some example categories you might utilize in your risk assessment:

  • Level 1 – Critical (Example: a core provider or host who is both responsible for private/customer information and vital to the operation of your organization)
  • Level 2 – Significant (Example: a networking consultant who is responsible for maintaining the internal network, which is important for operations, but who has only intermittent access to some private information)
  • Level 3 – Non-Essential (Example: an office supplies vendor who never has direct access to your organization’s facilities or information)


Please note that it is essential to define each metric clearly and, more specifically, to define what each value (High, Medium, Low) means for each metric. Consistent definitions are critical to producing a valuable vendor risk assessment, because numerous individuals or entities across the organization will be providing input.

 

Rating Definition Example:

A “High” Availability rating might mean “Service or support disruptions would result in extreme impact to the institution.” A “Low” Availability rating might then mean “Service or support disruptions would result in minimal impact to the institution.”

 

Rating System Example:

Using the above rating system, a cleaning vendor with no access to private information would rate a "Low" in each of the four metrics above, placing it in the Level 3 - Non-Essential category.

Alternatively, a core system vendor might have a "High" rating on each of the four metrics:

  • Confidentiality of Information - stores customer information
  • Access to Customer Information - can directly access and modify this information
  • Availability - service/product is critical to operations
  • Assets Associated/Volume - either supplies multiple services/products for the organization or processes an extremely large/crucial amount of information
 
These factors would place the vendor into the Level 1 – Critical category, triggering the most thorough level of review: the four metrics above plus any due diligence documentation required specifically for critical vendors.

 

Scale Your Vendor Reviews Based on Importance

The average organization typically has only three to eight truly critical vendors. A large number of vendors identified as critical (e.g., 20) usually indicates that the rating system is skewed toward rating vendors higher in criticality than is reasonable or manageable.

One of the biggest efficiency gains in vendor management comes from scaling your documentation review requirements to the vendor’s criticality. The more important and critical the vendor, the more documentation you should review.

Documents that should be requested of your most critical vendors include:

  • Audited Financials
  • Insurance Coverage
  • Business Continuity Plan
  • Incident Response Plan
  • BCP/DR Testing Results
  • SOC Audit Report
  • SOC Gap (Bridge) Letter, covering the period between the end of the SOC report’s audit window and the date of your review
  • Penetration Test Results
  • Vulnerability Assessment Results
  • IT Audit Results
  • Other IT or IS Assessment Results
  • Contract Documentation

 

Conversely, the less important and critical the vendor, the less you need to review. Vendors in the non-critical category are subject to fewer required documents and a less in-depth review of whatever documentation is relevant, whether that is contract documentation, non-disclosure agreements, or other details.

Naturally, it is important to ensure these metrics are consistently applied to vendors across your management program. If metrics are inconsistently applied, it could mean you’ll be spending valuable time reviewing unimportant information for a vendor that is not that critical to your organization’s operations, and vice versa.
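The categorization, the scaled document review, and the "3 to 8 critical vendors" sanity check described above, as an added example in Python (not TRAC code and not part of the original post). The four metrics, the three levels, the Availability rating wording and the critical-vendor document list come from the post; the roll-up rule in `categorize()`, the reduced document sets for Level 2 and Level 3, the Medium Availability wording and the sample vendor inventory are assumptions made for this example.

```python
"""Consistent vendor categorization with due diligence scaled to criticality.

Added example for this post; not TRAC code. The roll-up rule in categorize()
is an assumption: the post only states the all-High and all-Low cases.
"""
from dataclasses import dataclass
from enum import Enum


class Rating(Enum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


# Rating definitions are written once and reused, so every assessor applies the
# same wording. High/Low Availability are the post's wording; Medium is assumed.
RATING_DEFINITIONS = {
    "availability": {
        Rating.HIGH: "Service or support disruptions would result in extreme impact to the institution.",
        Rating.MEDIUM: "Service or support disruptions would result in moderate impact to the institution.",
        Rating.LOW: "Service or support disruptions would result in minimal impact to the institution.",
    },
}


@dataclass(frozen=True)
class Vendor:
    name: str
    confidentiality: Rating  # Confidentiality of Information
    access: Rating           # Access to Customer Information
    availability: Rating     # Availability
    volume: Rating           # Assets Associated/Volume

    def ratings(self):
        return (self.confidentiality, self.access, self.availability, self.volume)


def categorize(vendor: Vendor) -> int:
    """Map four High/Medium/Low ratings to Level 1 (Critical), 2 (Significant) or 3 (Non-Essential).

    Assumed roll-up rule (not stated in the post):
      Level 1 - Availability is High AND the vendor stores or can access customer data (High)
      Level 3 - every metric is Low
      Level 2 - everything else
    """
    handles_customer_data = Rating.HIGH in (vendor.confidentiality, vendor.access)
    if vendor.availability is Rating.HIGH and handles_customer_data:
        return 1
    if all(r is Rating.LOW for r in vendor.ratings()):
        return 3
    return 2


# Level 1 list is the post's; the reduced sets for Level 2 and 3 are assumed here.
CRITICAL_DOCUMENTS = [
    "Audited Financials", "Insurance Coverage", "Business Continuity Plan",
    "Incident Response Plan", "BCP/DR Testing Results", "SOC Audit Report",
    "SOC Gap Letter", "Penetration Test Results", "Vulnerability Assessment Results",
    "IT Audit Results", "Other IT or IS Assessment Results", "Contract Documentation",
]
DOCUMENTS_BY_LEVEL = {
    1: CRITICAL_DOCUMENTS,
    2: ["Insurance Coverage", "SOC Audit Report", "Contract Documentation"],
    3: ["Contract Documentation"],
}


def required_documents(vendor: Vendor) -> list:
    """Documents to request from this vendor, scaled to its category."""
    return DOCUMENTS_BY_LEVEL[categorize(vendor)]


def critical_vendors(vendors, max_expected: int = 8):
    """Return the Level 1 vendor names and whether the count is within the 3-8 the post expects.

    A count above max_expected is the post's signal that the rating system is skewed high.
    """
    critical = [v.name for v in vendors if categorize(v) == 1]
    return critical, len(critical) <= max_expected


# Constructed sample inventory, modelled on the post's examples.
SAMPLE_VENDORS = [
    Vendor("Core banking provider", Rating.HIGH, Rating.HIGH, Rating.HIGH, Rating.HIGH),
    Vendor("Network consultant", Rating.MEDIUM, Rating.MEDIUM, Rating.HIGH, Rating.MEDIUM),
    Vendor("Cleaning service", Rating.LOW, Rating.LOW, Rating.LOW, Rating.LOW),
    Vendor("Marketing mail house", Rating.HIGH, Rating.LOW, Rating.LOW, Rating.MEDIUM),
]

if __name__ == "__main__":
    for v in SAMPLE_VENDORS:
        print(f"{v.name:24s} Level {categorize(v)}  documents to request: {len(required_documents(v))}")
    names, ok = critical_vendors(SAMPLE_VENDORS)
    print("critical:", names, "(within expected range)" if ok else "(too many: revisit rating definitions)")
```

The point of keeping `RATING_DEFINITIONS` and the roll-up rule in one place is the consistency the post asks for: two assessors who disagree about a vendor can only disagree about the four input ratings, never about how those ratings become a level or which documents follow from it. The mail-house vendor shows why a single High on data handling is not enough for Level 1 under the assumed rule; if your institution would treat it as critical, change the rule once rather than letting each assessor decide.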

 

Keep It Simple

Everyone has similar problems with vendor management, but there are ways to make it easier and more manageable. Taking the following points to heart will greatly improve the efficiency of your vendor management processes:

  • Scale your requirements based on criticality; don’t do extra work and burn yourself out on low-risk vendors.
  • Almost ALL small/medium-sized organizations have 3-8 critical vendors (If you have more, then you’re probably over-rating your vendors’ criticality).
  • Focus on repeatability/consistency with your review processes, including your risk assessments and review procedures.

 


How Can SBS Help?

As your organization grows and incorporates more vendor relationships, the need for a strong vendor management program also grows.

Ensure your vendor management program is an asset, not a headache, by partnering with SBS!
