Vendor Risk Assessment
Determining the Need for Risk Assessment
Different levels of risk assessment are required depending on the risk the vendor poses to the Company. All acquisitions must adhere to Company Policies and Standards. The vendor must be provided with a copy of the IT Policies and must contractually agree to comply with all of them. Ultimately, risk assessments are an appropriate component of due diligence verification.
HIGH RISK ASSESSMENT
A high risk assessment is required if:
• The vendor will process, transmit, or store sensitive data internally or externally.
• The vendor will process payment card information on behalf of the Company.
• The vendor will perform software development or development of IT systems on behalf of the Company.
• The vendor will have administrative access to the Company's IT systems or will host IT systems in their data center.
LOW RISK ASSESSMENT
A low risk assessment is required if:
• The vendor is providing a cloud-based solution that requires login to access non-sensitive data only.
• The system is not deemed strategic by the enterprise.
QUESTIONNAIRES
• In-depth questionnaires can be based on a control-based framework: NIST 800-53 Rev 4, ISO 27001, National Cyber Security Framework, SANS, FedRAMP, HITRUST, Arizona State Assessments.
• High-level questions for High and Low Risks based on controls in place.
• Existing questionnaire responses (Cloud Security Alliance).
EVALUATION CYCLE
Generally, high risk systems should be reassessed every year and again at contract renewal. Security responses, compliance obligations, and other issues identified during assessment should be addressed in the contract.