Risk Assessments

  • 1.  Risk assessments on non-vendors? What is a "Vendor"?

    Posted 01-15-2021 03:29 PM
    Hello,

    When do you know if you should perform a risk assessment on a vendor?  How do you know it qualifies/does not qualify as a "vendor"? 

    It feels counterproductive to perform a risk assessment on vendors such as lawn care, snow removal, magazine subscriptions, "business relationships", etc.  Would anybody be willing to share their method on deciding when/when not to perform a risk assessment?  Or in other words, what they define as a "vendor"?


  • 2.  RE: Risk assessments on non-vendors? What is a "Vendor"?

    Posted 01-15-2021 04:41 PM

    It's a tricky path you ask about.

    Technically, a vendor is anyone you pay in order to receive goods and/or services.

    There are high-profile cases where vendors that seemed to be below the radar actually effected some spectacular data breaches, like the HVAC folks and Depot.

    We've got a few categories that we will risk assess, but not proceed with oversight other than that, and only do the assessments every 3 years.

      • Utilities, memberships, retail purchasing are three that I believe can be looked at, but don't require steps beyond assessment and OFAC.

      • I am working with a very NPI-based model: if there's no private data in the mix, then oversight is different.

      • There are other metrics, like annual spend [should you risk assess someone you pay over $200,000 per year? $500,000?], maybe relative age of the company; a startup can be risky as a business partner, for example.

    It's a long way around to: it kind of depends.

    As always, though, the best indicator would be auditors. Their first reply is most likely "do what you say, say what you do," but they might give a hint for a best practice.

    Thanks,

          Dave

    David Howe

    Chief Information Officer

  • 3.  RE: Risk assessments on non-vendors? What is a "Vendor"?

    Posted 01-15-2021 04:50 PM
    Thank you for the insight Dave!


  • 4.  RE: Risk assessments on non-vendors? What is a "Vendor"?

    Posted 01-15-2021 04:56 PM

    The HVAC company incident was Target in 2014: https://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/

    Kate Wakefield CISSP, CIPT, MPA

    Sr. Manager Security Compliance

  • 5.  RE: Risk assessments on non-vendors? What is a "Vendor"?

    Posted 01-15-2021 05:31 PM
    We have a questionnaire that is asked of every vendor. But for low-level vendors such as facility care, we base it in part on building access. Do they have a badge, and are they authorized to be unescorted in the buildings? If so, they are a higher level, and we require an NDA that states their employer, our vendor, is responsible for background and drug checks, and we require insurance and licenses if applicable.
    If they do not have building access, then we leave them at a low level and write the policy so that it is up to the relationship manager to determine if a Cert of Ins is appropriate; otherwise, we do not really review them. However, the contracts are still set up for automatic notifications for renewal to ensure contracts are not being renewed without review first.