Vendor tiering is the key to a more resilient and sustainable third-party risk management strategy. But like all cybersecurity controls, it must be supported by the proper framework.
To learn how to optimize your Vendor Management and Vendor Risk Management programs to greater efficiency through best vendor tiering practices, read on.
What is Vendor Tiering?
Before addressing its infrastructure, it's important to recap the primary components of vendor tiering.
Vendor tiering is the process of categorizing vendors based on their level of threat criticality. Each third-party vendor is separated into different threat tiers ranging from low-risk, high-risk, and critical risk.
By doing this, remediation efforts can be distributed more efficiently. Instead of maintaining the same level of risk assessment intensity across all vendors (which in many cases isn't necessary), the majority of risk management efforts can be focused on the vendors posing the highest security risks to an organization.
This ensures security postures remain as high as possible at times, even during digital transformation.
The Benefits of Vendor Tiering
The benefits of vendor tiering is best appreciated by considering its impact on the risk assessment process.
Rather than manually tracking third-party risk profiles, vendors can be grouped by the specific risk assessments they require.
Such an arrangement allows security teams to quickly identify the regulatory requirements of each tier so that entities in highly regulated industries (such as healthcare and financial services) can be monitored with greater scrutiny.
Learn the importance of including your VRM efforts in executive reporting.
The Vendor Tiering Process
There are two primary strategies for assigning vendors to tiers.
- Questionnaire-based tiering - uses a classification algorithm to assign a criticality rating based on questionnaire responses.
- Manual tiering - Vendors are manually sorted into tiered based on an organization's personal preferences.
Manual tiering is the more popular method because stakeholders prefer to have greater control over their risk management programs. An objective standard of third-party risk isn't convenient because some businesses have a higher risk appetite than others.
Regardless of whether tiering is questionnaire-based or manual, the third-party risk data must first be collected. This is done either through security questionnaires or vendor risk assessments.
Once collected, a risk analysis is performed to evaluate each specific third-party risk and its likelihood of exploitation, with the assistance of a risk matrix. Both inherent risk and residual risks should be considered.
The objective of a risk analysis is to specify how each third-party risk should be addressed - whether it should be accepted, addressed, or monitored.
Learn how to perform a cyber risk analysis.
Vendors linked to a majority of risks that must be remediated could then assign to a critical vendor tier and those with an acceptable risk majority to a less critical tier.
With the essential components of the vendor tiering process summarized, the following best practices framework can be considered in the proper context.
Vendor Tiering Best Practices
The following 4-step framework will streamline the execution of a vendor tiering program and support an efficient Vendor Risk Management (VRM) workflow.
1. Use Security Ratings to Evaluate Risk Postures
Security ratings offer a more rapid representation of each vendor's security posture by assigning each vendor a score based on multiple attack vectors. Rather than manually completing a risk analysis for each identified vulnerability, security ratings instantly reflect a vendor's estimated security posture, if they're calculated by an attack surface monitoring solution.
This feature also streamlines due diligence when onboarding new vendors.
Organizations could specify a minimal security rating threshold each vendor must surpass based on the cybersecurity industry-standard 950 point scale.
But this shouldn't be the only third-party risk security control, but rather, a complementary addition to a suite of defense strategies.
This is because security ratings fail to consider the specific risks that have the greatest on their calculation - unless they're supported by a remediation planning feature.
Security rating will also indicate whether a Vendor's tiering classification needs to be evaluated. For example, if a vendor acquires another business with poor security practices, their security rating will drop, reflecting an ecosystem with increased vulnerabilities.
Each vendor's security risk weighting can also be represented through a risk matrix in a cybersecurity report generated from the UpGuard platform, allowing stakeholders to instantly understand the degree of risk associated with each vendor.
2. Map Risk Assessment Responses to Security Frameworks
Unfortunately, your vendors aren't likely to take cybersecurity as seriously as you do. Because of this, all questionnaire and risk assessment responses should be mapped to existing cybersecurity frameworks to evaluated compliance against each security standard.
Many cybersecurity frameworks, such as the highly anticipated DORA regulation have a heavy emphasis on securing the vendor attack surface to prevent third-party data breaches
The higher security standards for service providers is a result of the recent proliferation of supply chain attacks
Some examples of common cyber security frameworks are listed below:
- NIST (National Institute of Standards and Technology)
- CIS Controls (Center for Internet Security Controls)
- ISO (International Organization for Standardization)
- HIPAA (Health Insurance Portability and Accountability Act) / HITECH Omnibus Rule
- PCI-DSS (The Payment Card Industry Data Security Standard)
- GDPR (General Data Protection Regulation)
- CCPA (California Consumer Privacy Act)
- AICPA (American Institute of Certified Public Accountants)
- SOX (Sarbanes-Oxley Act)
- COBIT (Control Objectives for Information and Related Technologies)
- GLBA (Gramm-Leach-Bliley Act)
- FISMA (Federal Information Security Modernization Act of 2014)
- FedRAMP (The Federal Risk and Authorization Management Program)
- FERPA (The Family Educational Rights and Privacy Act of 1974)
- ITAR (International Traffic in Arms Regulations)
- COPPA (Children’s Online Privacy Protection Rule)
- NERC CIP Standards (NERC Critical Infrastructure Protection Standards
The UpGuard platform maps to popular security frameworks from a range of offers a range of questionnaires including:
- CyberRisk Questionnaire
- ISO 27001 Questionnaire
- Short Form Questionnaire
- NIST Cybersecurity Framework Questionnaire
- PCI DSS Questionnaire
- California Consumer Privacy Act (CCPA) Questionnaire
- Modern Slavery Questionnaire
- Pandemic Questionnaire
- Security and Privacy Program Questionnaire
- Web Application Security Questionnaire
- Infrastructure Security Questionnaire
- Physical and Data Centre Security Questionnaire
- COBIT 5 Security Standard Questionnaire
- ISA 62443-2-1:2009 Security Standard Questionnaire
- ISA 62443-3-3:2013 Security Standard Questionnaire
- GDPR Security Standard Questionnaire
- CIS Controls 7.1 Security Standard Questionnaire
- NIST SP 800-53 Rev. 4 Security Standard Questionnaire
- SolarWinds Questionnaire
- Kaseya Questionnaire
To see how these assessments are managed in the UpGuard platform, click here for a free trial.
3. Set Clear Expectations from Vendors
The effectiveness of a Third-Party risk management program (TPRM) is proportional to the level of commitment by all parties.
Before establishing any vendor relationship, all expectations pertaining the third-party security must be clearly communicated upfront.
The following areas will address the common communication lapses impacting third-party security.
- Identify key decision-making staff across senior management.
- Set frequency of cyber threat reporting.
- Business continuity plans in the event of a cyber incident.
- Any key security metrics that must be monitored and addressed
- Cyber threat reporting expectations as specified in the procurement agreement.
- Establish clear roles and responsibilities across all categories of vendor risk management (legal, information security, business continuity, regulatory compliance, etc)
- Set resilient service level agreements (SLAs) to prevent the disruption of business processes in the event of a data breach.
- Include steep termination costs in contracts (this will ensure vendors actually address all security issues rather than breaking partnerships).
- Implement a data backup plan - in the event service level agreements are breached.
Ongoing Monitoring of the Third-Party attack surface
Even after all security controls have been implemented, the attack surface across all risk categories should be continuously monitored. This will not only indicate any sudden lapses in security posture in real-time, but it will also verify the legitimacy of all vendor risk assessment responses.
This is especially an important requirement for high-risk vendors. An attack monitoring solution will instantly alert security teams when a critical vulnerability impacting the supply chain is discovered. Such advanced awareness allows such exposures to be addressed before they're discovered by cybercriminals.
UpGuard Can Help Tier Your Vendors
UpGuard offers a vendor tiering feature to help organizations significantly increase the efficiencies of their Vendor Risk Management programs.
To support this ultimate objective, UpGuard also offers a remediation planning feature to highlight the specific remediation efforts that have the greatest impacts on security postures. When used harmoniously, vendor tiering and remediation planning prepares security programs to sustain increasing demands on third-party security.