Hello,
We have questionnaires built that I would be happy to share, as well as practices on when and how a vendor is assessed. Feel free to reach out and we can chat on these, but here are the base answers for your questions:
We conduct Risk Assessments in our Information Security department. There are four tiers, Critical, High, Medium, and Low, which are based on what the third party does for our company. For instance, if they have any PII, PCI, Company Confidential, or other critical items, they automatically become High Risk. Other factors, based on scores, can also place them in this category. We then assess only our Critical and High risk vendors.
Thanks and again feel free to reach out.
Jamie
Original Message:
Sent: 01-25-2022 05:48 PM
From: Anonymous Member
Subject: Supplier Risk Assessment
This message was posted by a user wishing to remain anonymous
Hi All, I'm looking for best practices for what other organizations do to assess supplier risk around technology, people, service, change management, the supplier relationship, etc. I'm currently brainstorming the criteria my organization can adopt. I'm interested in seeing if anyone can share a high-level approach to creating criteria, sample risk assessment templates, questionnaires, checklists, or scorecards that can be used to determine how much risk is posed to the organization. How are assessments conducted and by whom? Are there tier levels for risk: high, medium, low? How are tier levels defined? Is there an associated scoring model that ties back to the tier level? I appreciate any feedback and insight that can be provided. I thank everyone in advance for their support.