Blogpost

A Primer on Vendor Classification

With the publication of OCC Bulletin 2013-29, as well as numerous recent breaches involving vendors, a perfect storm of awareness has arisen, not only in the financial services industry but in many others as well. The inevitable result will be an emphasis within organizations on better management of the inherent risk realized from utilizing services from third parties. Given the axiom that no organization has unlimited resources, a critical question arises: how do I categorize my vendors so as to maximize existing resources while identifying and minimizing the greatest risks?

There are multiple classification schemes for vendors. These classifications are predicated on specific internal vendor management requirements. Some of the common classifications do touch on elements of risk, such as total spend, vendor financial performance and Service Level Agreement compliance, and these should remain ingredients in an overall evaluation of vendor risk.

The scheme proposed below in no way supplants any existing vendor management schemes. Its sole purpose is to separate the vendors that will require information security risk assessments from those that will not. The risks addressed through these types of assessments, which are central to the mission of the Shared Assessments Program, include risks to sensitive information such as company financials and intellectual property, personally identifiable information relating to staff and customers, PCI-designated data, personal health information and other data classifications subject to regulatory and contractual restraints.

The basis for this scheme is:

    1. Criticality of the vendor’s service to the continuation of the client’s services
    2. Critical data being shared – critical will need to be defined by each organization but common elements are data that is regulated (for instance medical data regulated by HIPAA/HITECH, financial data regulated by Sarbanes-Oxley, internal intellectual property data regulated by internal business requirements), or whose confidentiality, integrity, and availability is critical to the business
    3. Software services, including both development and software as a service (SaaS), which may provide their service independent of any data exchange

Scheme for vendor classification:

  • Service is critical and intolerant of disruption (BC/DR critical)
    • Data shared digitally
    • Data shared other than digitally
    • Software service provider
      • On-site service
      • Off-site service
    • No data shared
  • Service is tolerant of disruption (BC/DR is not important)
    • Data shared digitally
    • Data shared other than digitally
    • Software service provider
      • On-site service
      • Off-site service

Once this scheme is used to determine which vendors will be assessed for risk, there are several further steps that must be undertaken:

    1. Prioritization of assessments – this should be based on criteria specific to the client, which may include calculation of reputational impact and potential concerns about a vendor stemming from other risk factors such as a sudden decline in the quality of service delivery or recent merger and acquisition activity; and,
    2. Scope of the assessment – which will depend on the specifics of the service being provided.
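The scheme and the prioritization step above amount to a small decision procedure, so here it is encoded in Python as an added example (it is not part of the original post and is not a Shared Assessments or Churchill & Harriman tool). Two things in it are assumptions for illustration: the numeric priority weights, and the reading that a disruption-tolerant vendor with no data shared and no software service falls outside assessment scope because the post lists "no data shared" only under the critical branch.

```python
"""Vendor classification helper (added example, not part of the original post).

Encodes the two-level scheme: BC/DR criticality first, then how data is shared
or whether the vendor is a software service provider. The priority weights and
the out-of-scope rule for tolerant vendors sharing no data are assumptions.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class DataSharing(Enum):
    DIGITAL = "data shared digitally"
    NON_DIGITAL = "data shared other than digitally"
    NONE = "no data shared"


class SoftwareService(Enum):
    NONE = None
    ON_SITE = "on-site service"
    OFF_SITE = "off-site service"


@dataclass(frozen=True)
class Vendor:
    name: str
    bcdr_critical: bool           # service is intolerant of disruption
    data_sharing: DataSharing
    software_service: SoftwareService = SoftwareService.NONE
    reputational_impact: int = 0  # client-specific 0..3 (assumed scale)
    other_risk_flags: int = 0     # count of flags, e.g. service decline, recent M&A


def classify(v: Vendor) -> Optional[str]:
    """Return the scheme category, or None when no infosec assessment is needed."""
    branch = "critical" if v.bcdr_critical else "tolerant"
    # A vendor that both shares data and delivers software is filed under the
    # software branch; that tie-break is a choice of this example, not the post.
    if v.software_service is not SoftwareService.NONE:
        return f"{branch} / software service provider / {v.software_service.value}"
    if v.data_sharing is DataSharing.NONE:
        # Assumption: "no data shared" appears only under the critical branch in
        # the post, so a tolerant vendor sharing nothing is out of scope.
        return f"{branch} / no data shared" if v.bcdr_critical else None
    return f"{branch} / {v.data_sharing.value}"


def priority(v: Vendor) -> int:
    """Assumed scoring used to order assessments; higher means assess sooner."""
    score = 4 if v.bcdr_critical else 0
    score += {DataSharing.DIGITAL: 3, DataSharing.NON_DIGITAL: 2,
              DataSharing.NONE: 0}[v.data_sharing]
    if v.software_service is SoftwareService.OFF_SITE:
        score += 2
    elif v.software_service is SoftwareService.ON_SITE:
        score += 1
    return score + v.reputational_impact + v.other_risk_flags


def assessment_queue(vendors):
    """Vendors needing an assessment as (name, category, priority), highest first."""
    in_scope = [(classify(v), v) for v in vendors]
    in_scope = [(c, v) for c, v in in_scope if c is not None]
    in_scope.sort(key=lambda cv: (-priority(cv[1]), cv[1].name))
    return [(v.name, c, priority(v)) for c, v in in_scope]


# Constructed sample vendors for the example
SAMPLE = [
    Vendor("payroll-saas", True, DataSharing.DIGITAL,
           SoftwareService.OFF_SITE, reputational_impact=3),
    Vendor("office-cleaning", False, DataSharing.NONE),
    Vendor("records-shredding", False, DataSharing.NON_DIGITAL, other_risk_flags=1),
    Vendor("backup-generator-maint", True, DataSharing.NONE),
]

if __name__ == "__main__":
    for row in assessment_queue(SAMPLE):
        print(row)
```

Running it lists three vendors for assessment, with the off-site payroll SaaS first and the cleaning contractor dropped as out of scope; the point of the exercise is that the classification answers "assess or not" while the priority score, which each organization must define for itself, answers "in what order".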

A coherent approach to categorizing vendors is an essential ingredient in the best use of scarce resources. Focusing on the specifics of the service provided will lead to a more efficient approach to managing inherent vendor risk.

For more than seven years, as the Senior Consultant and Manager of Operations for Churchill & Harriman, Inc., Donald Williams has managed all aspects of the organization’s delivery services, internal financial management and development of Churchill & Harriman’s Vendor Assessment Program, Risk Management Program and ISO 27001 Certification Services Program.