What level of cyber due diligence (vendor security assessment) do you feel is appropriate for vendors/suppliers that are considered in the low tier? For example, let's say you have your vendors tiered as critical, high, medium, and low. Those in the critical, high, and medium tiers might necessitate being sent a questionnaire to complete, but what level of assessment are folks performing for the low-tier vendors? I'd appreciate any insights as to what different approaches people are taking to perform light assessments for these low-tier vendors.
We tier our vendors 1 through 4. Tiers 1 and 2 deal with PHI/PII, so they are required to complete security questionnaires. Tier 3 is for vendors that access data that is "other than" PHI/PII/Confidential. We consider these vendors low risk and have a small subset of questions (between 5 and 8, depending) that they must answer. Tier 4 vendors do not get assessed at all, but we do touch them once a year to validate that they should still be Tier 4.
The level of vendor assessment is based on the type of services and products in question and their potential security impact.
The level of security requirements in vendor contracts should correspond to this potential security impact and reference best-practice methodologies/frameworks.
The buyer–vendor relationship will be affected by the new EU Cyber Resilience Act when it enters into force.
I recommend looking at past and current breach history. Even low-risk providers can bring reputational harm to an organization, increased email-based campaigns, and BEC, especially if they're in or have recently recovered from an event. Also, I would encourage you to work with other teams such as procurement, sourcing, and/or legal to ensure that a supplier stays low risk, as new engagements with an existing provider can escalate their tier, and it often goes unnoticed.