It's a tricky path you ask about.
Technically, a vendor is anyone you pay in order to receive goods and/or services.
There are high profile cases where vendors that seemed to be below the radar actually effected some spectacular data breaches, like the HVAC folks and Depot.
We've got a few categories that we will risk assess, but not proceed with oversight other than that, and only do the assessments every 3 years.
Utilities, memberships, retail purchasing are three that I believe can be looked at, but don't require steps beyond assessment and OFAC.
I am working with a very NPI-based model – if there's no private data in the mix, then oversight is different.
There are other metrics, like annual spend [should you risk assess someone you pay over $200,000 per year? $500,000?], maybe relative age of the company – a startup can be risky as a business partner for example.
It's a long way around to: it kind of depends.
As always, though, the best indicator would be auditors. Their first reply is most likely "do what you say, say what you do" but they might give a hint for a best practice.
Thanks,
Dave
David Howe
Chief Information Officer