Hi Alicia,

I think we all struggle to determine what meets the regulations and governance we are under. Here are some pieces that we have used from time to time. Overall vendor rating (you can apply whatever rank and scoring you want) -- the purpose is to apply the most due diligence to the top two tiers, and to require a BAA / confidentiality agreement with the top three.
I work in the insurance industry in CT. The NYDFS Cyber Regulation prompted us to create the following worksheet to capture the risks related to a supplier. Our work group determined which risks were most important for us to be aware of and manage. We created the scoring methodology to reflect what was most important to us. As positive responses are entered into the worksheet, a Tiering score is calculated, with Strategic and Tier one being the highest risk. Generally we send this worksheet to the business person and ask them to complete it. This ensures that the business area understands what they are contracting for and how the service will work. The questions below the worksheet help us to further understand the business needs so we can contract it correctly for them. This has proven to be very helpful in ensuring no surprises at the end of the day!
Hope this is helpful!
Each vendor will be classified based on the criticality to support core business processes. A vendor providing a product or service where any of the following questions are answered with a 'YES' will be considered a 'Critical' vendor.
Those vendors not identified as being 'Critical' will be classified into tiers based on the following factors:
All vendors who:
All vendors who:
In addition, risk assessments will be conducted on all active vendor products by the named responsible party with the assistance of Enterprise Services. The frequency of the risk assessments will be determined by the vendor's criticality and tier and the previous risk assessment on the vendor product.
All Critical and Tier 1 vendors, and any vendor product, regardless of criticality or tier, previously identified as 'high risk', will be assessed annually or more frequently as needed. All other Tier 2 vendors will be assessed at least once every other year, and all other Tier 3 vendors will be assessed at the longer of a new purchase, renewal, or 3 years.