Skip to main content


Vendor Management: How Should I Categorize My Vendors?

Vendor Management: How Should I Categorize My Vendors?

Think about the average user in your organization. What percentage of the time are they using a third-party vendor’s product or service? How much of your day-to-day work is performed using at least partially outsourced products and services? From the vendor that supplies our hardware and networking equipment, to the operating system on each PC, to the additional software installed on workstations and servers, to the vendor that supports the software, a third-party vendor is potentially involved every step of the way.

Today, nearly every possible business function can potentially be outsourced and hosted as a cloud-based service. In addition, there is increased pressure for risk management regarding how your confidential customer information is secured, which now could potentially be stored in the cloud (i.e., now under another organization’s control). Finally, there is a regulatory and/or compliance presence in some industries that necessitates certain risk management procedures and documentation.

With so many vendors involved in your operations, any critical function or informational asset in your organization could be at least partially dependent on the regular, secure, and consistent operation of a particular third-party vendor’s product or service. Maintaining an efficient vendor management program is a necessity for a responsible organization’s understanding of outsourcing risk. Your vendor management program can be a headache or an asset, depending on how effectively you manage it.


Vendor Management Issues

Several common issues frequently arise with vendor risk assessments, mostly related to efficiency and consistency. These types of problems could cause you to spend much more time on vendor management than is reasonable:

  • You may be risk assessing too many vendors too frequently. If you risk-assess more than several hundred vendors, chances are your criteria for vendor risk is too wide-reaching.
  • You might struggle with how to define critical/high-priority vendors, resulting in too many (e.g. 20) “critical” vendors.
  • You might have inconsistent categorization metrics, meaning multiple individuals are working on the vendor risk assessment, each following their own methods, resulting in different risk pictures based on who performs the risk assessment.
  • You could be unsure of where to start or confused about how to manage vendors, unclear about how to review the multitude of documents, or lost in the sea of regulation and guidance.


Build a Consistent Vendor Categorization Process

The good news is that there are several strategies you can employ to optimize your vendor management program.

First and foremost, you need to start with your risk assessment. You usually want to risk rate any vendors that are providing products or services that may interface with customer or sensitive information, in addition to any vendors with whom you have a current or recurring formal contract or agreement.

Please note you do not have to review every single vendor. If you are risk rating an office supply company that supplies paper clips but has no access of any kind to your organization’s facilities or information, you’re most likely not utilizing your time in the best manner.

Once you have inventoried your vendors for risk assessment, the next step is to categorize them by criticality. SBS Cybersecurity’s TRAC Third Party Management module utilizes the following metrics to prioritize vendors (assigning a High/Medium/Low value for each metric per vendor):

  • Confidentiality of Information
  • Access to Customer Information
  • Availability
  • Assets Associated/Volume

After a vendor is rated using this system, it is placed into a vendor category which defines the amount of scrutiny and level of due diligence performed for that particular vendor’s product/service.

Here are some example categories you might utilize in your risk assessment:

  • Level 1 – Critical (Example: a core provider or host, who is both responsible for private/customer information, and is vital to the operation of your organization)
  • Level 2 – Significant (Example: a networking consultant who is responsible for maintaining the internal network, which is important for operations, but only has intermittent access to some private information)
  • Level 3 - Non-Essential (Example: an office supplies vendor who never has direct access to your organization’s facilities or information)

Please note that it is essential to clearly define each metric, and more specifically, what each value means to each metric. Consistency with definitions is critical to the completion of a valuable vendor risk assessment, as numerous different individuals or entities across the organization will be providing input. For example, a “High” Availability rating might mean “Service or support disruptions would result in extreme impact to the institution.” A “Low” Availability rating might then mean “Service or support disruptions would result in minimal impact to the institution.”

Using the same metrics to risk rate each of your vendors will ensure that you have a consistent risk assessment. For example, using the above rating system, a cleaning vendor with no access to private information would rate a Low in each of the above metrics, placing it into the Level 3/non-essential category. Alternatively, a core system vendor might have a High rating on each of the 4 metrics; Confidentiality of Information (since it stores customer information), Access to Customer Information (since the vendor can directly access and modify this information), Availability (as this vendor’s service/product is critical to operations), and Assets Associated/Volume (as the vendor either supplies multiple services/products for the organization, or processes an extremely large/crucial amount of information). These factors would place the vendor into a Level 1/critical category, resulting in a defined review of the above information, but in addition any relevant due diligence documentation particular to critical vendors.


Scale Your Vendor Reviews Based on Importance

Note that the average organization typically has only 3 to 8 truly critical vendors. Having a large number of vendors identified as “critical” (e.g. 20) could indicate the rating system is skewed towards rating vendors higher in criticality than is reasonable or manageable.

One of the biggest efficiency gains in vendor management to scale your review requirements for higher risk vendors regarding documentation review. The more important and critical the vendor, the more documentation you should review. Documents that should be requested of your most critical vendors include:

  1. Audited Financials
  2. Insurance Coverage
  3. Business Continuity Plan
  4. Incident Response Plan
  5. BCP/DR Testing Results
  6. SOC Audit Report
  7. SOC GAP Letter
  8. Penetration Test Results
  9. Vulnerability Assessment Results
  10. IT Audit Results
  11. Other IT or IS Assessment Results
  12. Contract Documentation

Conversely, the less important and critical the vendor, the less you need to review. Vendors in the non-critical category would be subject to less required documentation requirements and a less in-depth review of any relevant documentation, whether that includes contract documentation, non-disclosure agreements, or any other relevant details.

Naturally, it is important to ensure these metrics are consistently applied to vendors across your management program, both in risk assessments. If metrics are inconsistently applied, it could mean you’ll be spending valuable time reviewing unimportant information for a vendor that is not that critical to your organization’s operations, and vice versa.


Keep It Simple

Everyone has similar problems with vendor management, but there are several ways to make vendor management easier and more palatable. After reviewing all the information provided, there are several things to take to heart that will greatly improve the efficiency of your vendor management processes:

  • Scale your requirements based on criticality, don’t do extra work and burn yourself out on low-risk vendors
  • Almost ALL small/medium-sized organizations have 3-8 critical vendors (If you have more, then you’re probably over-rating your vendors’ criticality)
  • Focus on repeatability/consistency with your review processes, including your risk assessments and review procedures


Written by: Dan Klosterman
Information Security Consultant, SBS CyberSecurity, LLC


SBS Resources:

If you are looking for assistance with Vendor Management, SBS can help in a few different ways.

  • {Solution} TRAC: One of the core modules of our TRAC software is our Vendor Management module, which can help you easily and more efficiently perform vendor risk assessment, vendor selection, and ongoing vendor management. It provides you with a consistent, pre-defined vendor management process, including vendor types, question sets, the ability to categorize different levels of vendor, and customizable, one-click reporting.
  • {Service} Vendor Management: SBS can perform vendor management around your critical vendors, saving you the time and effort to gather information from these vendors, review and analyze the vendor’s documentation, and create reports around your findings. We can streamline your process by doing all that work for you, then providing you the results in an easy-to-understand format.

Related Certifications:

Join our growing community of financial service professionals showing their commitment to strong cybersecurity with a cyber-specific certification through the SBS Institute. Click here to view a full list of certifications.

Certified Banking Business Security Manager

Hacker Hour webinars are a series of free webinars hosted by SBS CyberSecurity. Unlike paid webinars, Hacker Hours are aimed to meet on a monthly basis to discuss cybersecurity issues and trends in an open format. Attendees are encouraged to join the conversation and get their questions answered. SBS will also offer products and services to help financial institutions with these specific issues.

Posted: Friday, May 3, 2019
Categories: Blog