After taking inventory of all vendors, the internal relationship owner (team member) will be prompted to complete a classification questionnaire on each vendor. This questionnaire will capture the vendor’s scope of project/service and determine the impact of each vendor relative to the client. The questionnaire results in the vendor being rated as low, medium, or high impact. If a vendor is considered to have low impact, the assessment is complete. Vendors that have a medium or high impact will be given an assessment corresponding to their rating.
A medium-impact vendor is one that poses some inherent risk to the organization due to the access they have to critical information while delivering their product or service. However, these vendor relationships are not likely to cause significant damage to the organization should an adverse incident occur. Since the medium-impact vendor will have a lower impact in the case of an adverse event, the same extensive assessment will not be necessary for this particular vendor.
A data breach or information security incident related to a high-impact vendor could cause grievous harm to the organization in terms of financial losses, reputation damage, and/or regulatory actions. A more extensive questionnaire will be necessary to ensure that the client is defensible in the case of an adverse incident.
It’s important to note that a medium- or high-impact classification is relative to the client. For example, a vendor may have a medium-impact classification for one client, and a high-impact classification for another. The reasoning behind the classification step is to ensure that vendors receive the attention appropriate to their impact.
Classifications are based on these areas:
– Industry Sector: Certain industries are more prone to threats than others.
– Record or Data Type: Are confidential records shared with or accessed by this vendor?
– Record or Data Amount: How many confidential records are shared with or accessed by this vendor?
– Record or Data Amount: How many non-confidential records are shared with or accessed by this vendor?
– Access Method: Does this vendor have physical or logical access to the organization?
– Record or Data Transfer: Is confidential information taken offsite by this vendor?
– Product or Service Criticality: Does this vendor provide a service that is mission critical to the organization?
To answer the question directly, the primary difference between the assessments is the potential adverse impact on the client in the case of a breach, and the assessment length reflects this impact.