Hi Alicia,
I think we all struggle to determine what meets the regulations and governance we are under.
Here are some pieces that we have used from time to time.
Overall vendor rating (you can apply whatever rank and scoring you want) -- the purpose is to apply the most
due diligence to the top two tiers, and to require a BAA / confidentiality agreement with the top three.
Criteria |
Has access to Nonpublic Information on PRIMMA's systems or within PRIMMA's offices or hosts Nonpublic Information |
Has access to sensitive company data on PRIMMA's systems or within PRIMMA's offices or hosts sensitive Information, for example vulnerability reports, auditing vendor reports, or physical access to data center |
Has access to confidential data on PRIMMA's systems or within PRIMMA's offices or hosts confidential Information, but not sensitive |
Has access to publicly available information on PRIMMA's systems or within PRIMMA's offices |
Has no access to PRIMMA's systems, data, facilities |
For each of the top tiers, we maintain a list of data elements that we considered during our third party vendor assessment process.
For instance, tier A could be fields that represent nonpublic information for your industry; tier B (2nd row) is 'sensitive company data'; and tier 3 (middle row) is confidential data elements. That helps the business leads understand whether certain fields in a solution match the grid; then, as the ones deciding which new third party to engage, they can better inform finance, IT and legal what vendor rating tier should be considered and validated during third party due diligence.
======================
For financial services, we use the NY State CD definitions in section 500.1 of the cybersecurity requirements for the financial services industry.
We also have definitions that focus on non-public information (three types), and publicly available information (two types) -- with overall guidance coming from NY DFS 23 NYCRR 500 definitions
https://www.dfs.ny.gov/industry_guidance/cyber_faqs ;
Most peers have sometimes taken the language from the 500.1 (g) non-public information and
See
https://govt.westlaw.com/nycrr/Browse/Home/NewYork/NewYorkCodesRulesandRegulations (then navigate to Chapter 1 Regulations of the Superintendent --> Part 500 ... -->
500.1 (g)
(g) Nonpublic information shall mean all electronic information that is not publicly available information and is:
(1) business related information of a covered entity the tampering with which, or unauthorized disclosure, access or use of which, would cause a material adverse impact to the business, operations or security of the covered entity;
(2) any information concerning an individual which because of name, number, personal mark, or other identifier can be used to identify such individual, in combination with any one or more of the following data elements:
(i) social security number;
(ii) drivers' license number or non-driver identification card number;
(iii) account number, credit or debit card number;
(iv) any security code, access code or password that would permit access to an individual's financial account; or
(3) any information or data, except age or gender, in any form or medium created by or derived from a health care provider or an individual and that relates to:
(i) the past, present or future physical, mental or behavioral health or condition of any individual or a member of the individual's family;
(ii) the provision of health care to any individual; or
(iii) payment for the provision of health care to any individual.
500.1 (j)
(j) Publicly available information means any information that a covered entity has a reasonable basis to believe is lawfully made available to the general public from: Federal, State or local government records; widely distributed media; or disclosures to the general public that are required to be made by Federal, State or local law.
(1) For the purposes of this subdivision, a covered entity has a reasonable basis to believe that information is lawfully made available to the general public if the covered entity has taken steps to determine:
(i) that the information is of the type that is available to the general public; and
(ii) whether an individual can direct that the information not be made available to the general public and, if so, that such individual has not done so.
Original Message:
Sent: 09-23-2021 11:32 AM
From: Alicia Gristmacher
Subject: Vendor Tiering / Scorecard
I have created a tier scorecard to assess the criticality of our vendors that I am not really excited about. It does the job, but I feel like the questions or something about it needs to be enhanced / revised. Would anyone have examples of how they are assessing / scoring the criticality of their vendors, or a template they could share?
Thank you so much!
Alicia G.