With the publication of OCC Bulletin 2013-29, as well as numerous recent breaches involving vendors, a perfect storm of awareness has arisen, not only in the financial services industry but in many others as well. The inevitable result will be an emphasis within organizations on better management of the inherent risk realized from utilizing services from third parties. Given the axiom that no organization has unlimited resources, a critical question arises: how do I categorize my vendors so as to make the most of existing resources while identifying and minimizing the greatest risks?
There are multiple classification schemes for vendors. These classifications are predicated on specific internal vendor management requirements. Some of the common classifications do touch on elements of risk, such as total spend, vendor financial performance and Service Level Agreement compliance, and these should remain ingredients in an overall evaluation of vendor risk.
The scheme proposed below in no way supplants any existing vendor management scheme. Its sole purpose is to separate the vendors that will require information security risk assessments from those that will not. The risks addressed through these types of assessments, which are central to the mission of the Shared Assessments Program, include risks to sensitive information such as company financials and intellectual property, personally identifiable information relating to staff and customers, PCI-designated data, personal health information and other data classifications subject to regulatory and contractual constraints.
The basis for this scheme is:
Scheme for vendor classification:
Once this scheme has been used to determine which vendors will be assessed for risk, there are several further steps that must be undertaken:
A coherent approach to categorizing vendors is an essential ingredient in the best use of scarce resources. Focusing on the specifics of the service provided will lead to a more efficient approach to managing inherent vendor risk.
For more than seven years, as the Senior Consultant and Manager of Operations for Churchill & Harriman, Inc., Donald Williams has managed all aspects of the organization's delivery services and internal financial management, and the development of Churchill & Harriman's Vendor Assessment Program, Risk Management Program and ISO 27001 Certification Services Program.