An Example Control Matrix for Supply Chain Security

Per the examples in the last post, here is what the Control Matrix for Vendor Supply Chain Security might look like.
 
In the beginning of the document, you can define the audience, the authors, the update process and the process for handling exceptions. I usually also add a footer that has relevant reference links to products/services/vendors and key terms used in the document.
 
The main content, of course, is the matrix itself, which usually looks something like this:
 
 
Name of Tier Tier Criteria Required Diligence Required Controls
Critical Risk Vendors Shared IIP that allows duplication of products or differentiator features or R&D; ANY outage of the vendor’s IT operations would harm JIT delivery or line manufacturing Any required regulatory document gathering (SAS70, PCI DSS, HIPAA, etc.); Monthly MSI passive assessment – MEDIUM or HIGH risk issues trigger FULL risk assessment & review of their security audits; MSI monitors vendor list for Targeted Threat Intelligence and if triggered, formal incident response process is required from the vendor
As determined by your firm…
All controls required – NO VARIANCE ALLOWED
High Risk Vendors Shared non-critical IIP that allows feature replication, long term damage to product/brand strategy or R&D; Protracted outage of the vendor’s IT operations could impact production Any required regulatory document gathering (SAS70, PCI DSS, HIPAA, etc.); Quarterly MSI passive assessment – HIGH risk issues trigger FULL risk assessment & review of their security audits
As determined by your firm…
All controls required – NO VARIANCE ALLOWED
Routine Risk Vendors IIP shared at this level represents a potential for reputational or regulatory impacts; Normal vendor level where data sharing occurs Any required regulatory document gathering (SAS70, PCI DSS, HIPAA, etc.); Yearly MSI passive assessment – HIGH risk issues trigger deeper risk assessment
As determined by your firm…
Variance allowed by signed acceptance from steering committee or executive team
Low Risk Vendors Data is not shared with this vendor and compromise of the vendor’s IT operations is unlikely to have any impact Peer review to validate tier eligibility; Contract language review; Financial fraud team validation Only contractual controls and/or SLA required
 
As you can see, the matrix makes the entire program easy to discuss and demonstrate. The more clearly you can define the tiers, their required due diligence, their required controls and other data elements – the easier the process gets. 
 
We hope this helps you put together your own vendor tiering program and easily demonstrate it. If you would like more information about our passive assessment platform or Targeted Threat Intelligence (passive monitoring of vendor-related IOCs and security issues), please touch base with your account executive. Many of our clients are actively using and recommending these offerings for their supply chain security initiatives. We’d love to tell you more about it, so just let us know!