All organizations rely on vendors to function in today’s dynamic landscape while achieving peak operational efficiency, cost-effectiveness, and economies of scale. A growing third-party network can yield significant benefits for organizations — but it also results in greater risk.

A robust third-party risk management program (TPRM) is crucial to mitigate that risk and maintain business continuity; and a critical component of that program is understanding which providers pose the most significant “threat criticality.” This ranking system can be achieved with vendor tiering.

Vendor tiering can help you optimize your vendor risk management program, strengthen cybersecurity, and create a more resilient organization.

What Is Vendor Tiering?

Vendor tiering, sometimes known as a tiering assessment process or simply a tiering assessment, is the practice of identifying vendors and categorizing them based on risks they bring to an organization.

Not all threats are created equal; neither are all third-party vendors. Each vendor presents different threats and has a different level of risk and threat criticality. Vendor tiering allows you to understand these differences by separating vendors into different “threat tiers” such as low-, medium-, high-, and critical-risk.

This tiering process can guide your risk management strategies. It helps you to focus vendor risk assessment and mitigation efforts on the third parties that pose the most critical risks.

Should I Tier My Vendors?

Yes. With vendor tiering, you can group vendors efficiently to distribute your risk remediation efforts and strengthen your cybersecurity posture.

Tiering vendors is critical if your vendors can access your systems or data. That access introduces the possibility of supply chain attacks, which you can mitigate if you know which vendors have such access and their threat criticality level.

Without question, industries that generate and store sensitive or mission-critical data should implement a vendor tiering process as part of their third-party risk management program. This includes highly regulated sectors that come under the purview of legal and regulatory standards such as:

  • Health Insurance Portability and Accountability Act (HIPAA)
  • The Payment Card Industry Data Security Standard (PCI-DSS)
  • California Consumer Privacy Act (CCPA)
  • General Data Protection Regulation (GDPR)
  • Sarbanes-Oxley Act (SOX)

Such industries include healthcare, financial services, utilities, and technology, to name a few. These industries are very attractive to cyberattackers and hackers who often attack through vendor networks, systems, or software. A vendor tiering process helps an organization differentiate processes and controls for low-risk versus high-risk vendors.

The Benefits of Vendor Tiering

Although vendor tiering cannot guarantee total coverage of the vendor landscape, it does improve your chances of identifying, categorizing, and minimizing overall vendor risk. A consistent tiering assessment can streamline the risk management process since it is based on solid data and current facts rather than assumptions or gut feelings.

Vendor tiering also helps to streamline regulatory compliance management. Organizations can group, and then scrutinize, vendors by specific risk assessments required. So vendors that need GDPR or HIPAA assessments can be grouped as Tier 1/critical-risk or Tier 2/high-risk, while other vendors can be grouped Tier 3/medium-risk, Tier 4/low-risk, and so forth.

Finally, since vendor tiering focuses on key risk factors with the biggest possible effect on the organization, it enables security teams to:

  • Better identify the most severe risks
  • Assess these risks based on criticality
  • Avoid wasting risk management resources on low-risk vendors
  • Implement effective mitigation plans for high-risk vendors

Top 3 Effective Vendor Tiering Strategies

Start vendor tiering by finding the answers to these questions:

  • Which vendors work with your business?
  • Do you have a list of known vendors from the procurement department?
  • Have you updated your vendor register?
  • What goods or services do the vendors provide?

If you work with hundreds or thousands of vendors, you may not be able to assess all vendors regularly. You should, however, aim to understand as many as you can to minimize the risk.

Don’t just assess vendors by financial value or number of transactions. Instead, try to understand your entire vendor landscape and the associated risks that could significantly impact your organization.

Here are three effective strategies to get started.

  1. Implement Manual Tiering

    A manual tiering process means you manually sort vendors into tiers based on various risk factors that could affect your organization. One factor could be contract value, but this shouldn’t be the only guiding principle to create risk tiers. Also consider factors like:

    • Types of data that vendors handle
    • Criticality of the data
    • Level of access to your systems, data, or customers
    • Vendors’ compliance certifications (or lack thereof)
    • Possible harm on your reputation if vendors are attacked, or if you are attacked through them

    If you lack the resources to do thorough manual tiering, you can leverage automation. Implement a questionnaire-based tiering where an algorithm assigns a criticality rating to each vendor based on the vendor’s responses to your security questionnaires.

    Don’t just rely on and trust the vendors’ responses. Map these responses to existing cybersecurity frameworks such as NIST, CIS, ISO 27001, or COBIT, to evaluate their actual compliance against each standard.

    Vendor risk data must be collected for both methods (manual or automated), followed by a risk analysis to evaluate each inherent risk and residual risk based on its severity and likelihood of exploitation. The analysis should guide risk mitigation or remediation strategies.

  2. Implement a Scoring System

    Before implementing a risk remediation plan, you must determine which vendors should be assigned to the critical or high-risk categories and which should go into medium or low-risk categories. Do this by applying security ratings to rank your vendors. You may assign classifications, such as Informal, Trusted, or Strategic.

    Assign scores to each vendor based on multiple attack vectors or threats:

    • How likely is the vendor to be attacked through that vector?
    • How high is the risk?
    • What is the potential impact for your organization?

    Evaluate these ratings periodically to understand if a vendor is suddenly bringing new vulnerabilities into your ecosystem (for example, because the vendor acquired a new business or started outsourcing part of its operations). Ratings will also simplify due diligence procedures when you need to onboard new vendors or service providers.

  3. Communicate with Vendors

    Not all vendors take security seriously. So communicate with them regularly and set the right expectations from the beginning of the relationship.

    Convey all risk information to vendors, especially if they fall into the high-risk or critical-risk categories. Assess risk controls to identify which ones are acceptable, which are opportunities for improvements, and which ones must be established.

    Set expectations for security and confirm that the vendor acts quickly to address any open risks. Also, check which certifications the vendor might need to minimize risk to your organization.

    Let vendors know if you will audit them, and make site visits. Communicate data breach procedures that will activate if they experience a disruption or failure in services, and what liabilities the vendor might face for a breach.

    Follow these best practices to avoid communication lapses, improve collaboration, and mitigate risk over time:

    • Clearly state the requirements, frequency, and format for threat reporting
    • Identify a point of contact in your organization to manage vendor communications
    • Share your business continuity and disaster recovery plans in case of a cyber event
    • Set clear service level agreements (SLAs) for all stakeholders
    • Specify termination costs

ZenGRC is Your Best Vendor Management Tool

Streamline your third-party risk management process with ZenGRC. With a range of compliance checklists, workflows, metrics, and visualizations, this integrated platform can help you assess risk across your vendor landscape.

Automate security questionnaires, simplify due diligence, and improve third-party risk visibility through heat maps and dashboards. You can also continuously monitor risks and take fast actions to mitigate the impacts or business exposure.

Contact Reciprocity today for a free ZenGRC consultation.