What level of cyber due diligence (vendor security assessment) do you feel is appropriate for vendors/suppliers that are considered in the low tier? For example, let's say you have your vendors tiered as critical, high, medium, and low. Those in the critical, high, and medium tiers might necessitate being sent a questionnaire to complete... but what level of assessment are folks performing for the low-tier vendors? Appreciate any insights as to what different approaches people are taking to perform light assessments for these low-tier vendors.

2.2k views · 1 Upvote · 3 Comments

Deputy CISO in Energy and Utilities, a year ago

Recommend looking at past and current breach history. Even low-risk providers can bring reputational harm to an organization and increased email-based campaigns, BEC, especially if they're in or have recently recovered from an event. Also, would encourage you to work with other teams such as procurement, sourcing, and/or legal to ensure that a supplier stays low risk, as new engagements with an existing provider can escalate their tier and it often goes unnoticed.

Information Security Manager in Healthcare and Biotech, a year ago

We tier our vendors 1 through 4. Tiers 1 and 2 deal with PHI/PII, so they are required to complete security questionnaires. Tier 3 is for vendors that access data that is "other than" PHI/PII/Confidential. We consider these vendors low risk and have a small subset of questions (between 5 and 8, depending) that they must answer. Tier 4 vendors do not get assessed at all, but we do touch them once a year to validate that they should still be Tier 4.

Director of Information Security, a year ago

Level of vendor assessment is based on the type of services and products in question and their potential security impact.
Level of security requirements in vendor contracts should be according to this potential security impact and reference best-practice methodology/frameworks.
The buyer–vendor relationship will be affected by the new EU Cyber Resilience Act when it enters into force.
