Due Diligence and Ongoing Monitoring

  • 1.  Vendor Tiering / Scorecard

    Posted 09-23-2021 12:44 PM
    I have created a tier scorecard to assess the criticality of our vendors, but I am not really excited about it. It does the job, but I feel like the questions or something about it needs to be enhanced / revised. Would anyone have examples of how they are assessing / scoring the criticality of their vendors or a template they could share?

    Thank you so much!

    Alicia G.


  • 2.  RE: Vendor Tiering / Scorecard

    Posted 09-23-2021 02:49 PM

    Hi Alicia,
    I think we all struggle to determine what meets the regulations and governance we are under.

    Here are some pieces that we have used from time to time.

    Overall vendor rating (you can apply whatever rank and scoring you want) -- the purpose is to apply the most
    due diligence to the top two tiers, and to require a BAA / confidentiality agreement with the top three.

    Criteria
    1. Has access to Nonpublic Information on PRIMMA's systems or within PRIMMA's offices, or hosts Nonpublic Information
    2. Has access to sensitive company data on PRIMMA's systems or within PRIMMA's offices, or hosts sensitive Information, for example vulnerability reports, auditing vendor reports, or physical access to the data center
    3. Has access to confidential data on PRIMMA's systems or within PRIMMA's offices, or hosts confidential Information, but not sensitive
    4. Has access to publicly available information on PRIMMA's systems or within PRIMMA's offices
    5. Has no access to PRIMMA's systems, data, or facilities

    For each of the top tiers, we maintain a list of data elements that we considered during our third party vendor assessment process.
    For instance, tier A could be fields that represent nonpublic information for your industry; tier B (2nd row) is 'sensitive company data'; and tier 3 (middle row) is confidential data elements. That helps the business leads understand whether certain fields in a solution match the grid; then, as the ones deciding which new third party to engage, they can better inform finance, IT and legal which vendor rating tier should be considered and validated during third party due diligence.

    ======================
    For financial services, we use the NY State CD definitions in section 500.1 of the cybersecurity requirements for the financial services industry.

    We also have definitions that focus on non-public information (three types), and publicly available information (two types) -- with overall guidance coming from the NY DFS 23 NYCRR 500 definitions: https://www.dfs.ny.gov/industry_guidance/cyber_faqs

    Most peers have sometimes taken the language from the 500.1 (g) non-public information and

    See https://govt.westlaw.com/nycrr/Browse/Home/NewYork/NewYorkCodesRulesandRegulations (then navigate to Chapter 1 Regulations of the Superintendent --> Part 500 ... --> 

    500.1 (g)
    (g) Nonpublic information shall mean all electronic information that is not publicly available information and is:
    (1) business related information of a covered entity the tampering with which, or unauthorized disclosure, access or use of which, would cause a material adverse impact to the business, operations or security of the covered entity;
    (2) any information concerning an individual which because of name, number, personal mark, or other identifier can be used to identify such individual, in combination with any one or more of the following data elements:
    (i) social security number;
    (ii) drivers' license number or non-driver identification card number;
    (iii) account number, credit or debit card number;
    (iv) any security code, access code or password that would permit access to an individual's financial account; or
    (v) biometric records;
    (3) any information or data, except age or gender, in any form or medium created by or derived from a health care provider or an individual and that relates to:
    (i) the past, present or future physical, mental or behavioral health or condition of any individual or a member of the individual's family;
    (ii) the provision of health care to any individual; or
    (iii) payment for the provision of health care to any individual.

    500.1 (j)
    (j) Publicly available information means any information that a covered entity has a reasonable basis to believe is lawfully made available to the general public from: Federal, State or local government records; widely distributed media; or disclosures to the general public that are required to be made by Federal, State or local law.
    (1) For the purposes of this subdivision, a covered entity has a reasonable basis to believe that information is lawfully made available to the general public if the covered entity has taken steps to determine:
    (i) that the information is of the type that is available to the general public; and
    (ii) whether an individual can direct that the information not be made available to the general public and, if so, that such individual has not done so.


  • 3.  RE: Vendor Tiering / Scorecard

    Posted 09-27-2021 03:29 PM

    Hi Alicia


    I work in the insurance industry in CT. The NYDFS Cyber Regulation prompted us to create the following worksheet to capture the risks related to a supplier. Our work group determined which risks were most important for us to be aware of and manage. We created the scoring methodology to reflect what was most important to us. As positive responses are entered into the worksheet, a Tiering score is calculated, with Strategic and Tier one being the highest risk. Generally we send this worksheet to the business person and ask them to complete it. This ensures that the business area understands what they are contracting for and how the service will work. The questions below the worksheet help us to further understand the business needs so we can contract it correctly for them. This has proven to be very helpful in ensuring no surprises at the end of the day!

    Hope this is helpful!


  • 4.  RE: Vendor Tiering / Scorecard

    Posted 09-27-2021 04:10 PM
    We assess a vendor as either critical, tier 1, tier 2 or tier 3 and then separately assess the risk of each of the vendor's products we utilize.  We don't use a scorecard but rather the following criteria:

    Each vendor will be classified based on the criticality to support core business processes.  A vendor providing a product or service where any of the following questions are answered with a 'YES' will be considered a 'Critical' vendor. 

    • Would the sudden loss of this vendor cause a significant disruption to our operations?
    • Would the sudden loss significantly impact our field representatives, fraternal leaders or members?
    • Would the time to restore service without this vendor be greater than one business day or greater than what our business continuity plan calls for as a recovery time? 

    Those vendors not identified as being 'Critical' will be classified into tiers based on the following factors:

    Tier 1

    All vendors who:

    1. Provide products or services considered essential but not critical to the business and where a disruption of service would cause limited immediate impact on our field representatives, fraternal leaders or members;
    2. Require additional oversight due to a vendor related Suspicious Activity Report (SAR);
    3. Are located in a foreign country or utilize foreign resources;
    4. Have a projected or actual yearly spend that equals or exceeds $1M; OR
    5. Are otherwise designated as Tier 1 by senior management.

    Tier 2

    All vendors who:

    1. Provide products or services not considered essential to the business and where a disruption of service would cause minimal impact on our field representatives, fraternal leaders or members; OR
    2. Have a projected or actual yearly spend greater than $500k but less than $999,999.

    Tier 3

    All vendors who:

    1. Provide products or services where a disruption of service would cause no impact on our field representatives, fraternal leaders or members; OR
    2. Have a projected or actual yearly spend less than $499,999.

    In addition, risk assessments will be conducted on all active vendor products by the named responsible party with the assistance of Enterprise Services. The frequency of the risk assessments will be determined by the vendor's criticality and tier and the previous risk assessment on the vendor product.

    All critical and tier 1 vendors and any vendor product, regardless of criticality or tier, previously identified as 'high risk' will be assessed annually or more frequently as needed. All other tier 2 vendors will be assessed at least once every other year and all other tier 3 vendors will be assessed at the longer of a new purchase, renewal or 3 years.
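The classification and reassessment-cadence rules in the post above, written out as an added example (not the poster's own tooling); the `Vendor` field names, the highest-tier-wins ordering, and the reading of "the longer of" for Tier 3 are assumptions, and the code flags vendors whose spend falls in the gaps between the stated dollar bands rather than guessing a tier.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class Vendor:
    # Constructed record (field names are my assumptions). Any YES below makes the vendor Critical.
    name: str
    loss_disrupts_operations: bool = False
    loss_impacts_field_or_members: bool = False
    restore_exceeds_rto: bool = False
    # Tier factors; impact is "limited" (Tier 1), "minimal" (Tier 2) or "none" (Tier 3).
    impact: str = "none"
    vendor_related_sar: bool = False
    foreign: bool = False
    yearly_spend: float = 0.0
    management_tier1: bool = False
    prior_high_risk: bool = False  # a product previously assessed 'high risk'

def classify(v: Vendor) -> str:
    # The factors are ORed, so a vendor can match several tiers; highest wins (assumption).
    if v.loss_disrupts_operations or v.loss_impacts_field_or_members or v.restore_exceeds_rto:
        return "Critical"
    if (v.impact == "limited" or v.vendor_related_sar or v.foreign
            or v.yearly_spend >= 1_000_000 or v.management_tier1):
        return "Tier 1"
    if v.impact == "minimal" or 500_000 < v.yearly_spend < 999_999:
        return "Tier 2"
    if v.impact == "none" or v.yearly_spend < 499_999:
        return "Tier 3"
    # The post's spend bands leave gaps ($499,999-$500k, exactly $500k, $999,999-$1M): flag them.
    return "Unclassified"

def _add_years(d: date, n: int) -> date:
    try:
        return d.replace(year=d.year + n)
    except ValueError:  # 29 Feb rolled into a non-leap year
        return d.replace(year=d.year + n, day=28)

def next_assessment_due(v: Vendor, last_assessed: date, renewal: date = None) -> date:
    # Cadence from the post: 1 year for Critical/Tier 1 or a prior 'high risk' product, 2 years
    # for Tier 2, and for Tier 3 the later of renewal/new purchase and 3 years (my reading).
    tier = classify(v)
    if tier == "Unclassified":
        raise ValueError(f"{v.name}: spend falls outside the post's defined bands")
    if tier in ("Critical", "Tier 1") or v.prior_high_risk:
        return _add_years(last_assessed, 1)
    if tier == "Tier 2":
        return _add_years(last_assessed, 2)
    three_years = _add_years(last_assessed, 3)
    return max(three_years, renewal) if renewal else three_years
```

Running a vendor list through `classify` and `next_assessment_due` gives a review calendar that can be checked against the one-business-day and BCP recovery-time questions the post starts from.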