This message was posted by a user wishing to remain anonymous
We use both criticality and previous risk assessments to determine our oversight requirements. For all vendors ranked as critical or as tier 1, we complete a VRM scorecard annually, which includes requests for financials, information security, disaster recovery and business continuity, as well as questions regarding who has access to our systems and data and whether there have been any leadership changes.
In addition, all vendors have a risk assessment completed, where the frequency of the assessment is determined by the vendor's criticality and tier and by the previous risk assessment of the vendor product. All critical and tier 1 vendors, and any vendor product, regardless of criticality or tier, previously identified as 'high risk', are assessed annually or more frequently as needed. All tier 2 vendors ranked as 'moderate or low risk', and any vendor product, regardless of criticality or tier, previously identified as 'moderate risk', are assessed at least once every other year. All tier 3 vendors not meeting the above criteria are assessed at the longer of a new purchase, renewal, or 3 years.