Sorting Vendors into Tiers

Previously, we reviewed some ideas around vendor discovery and laid out an example workflow and process. We also defined some tools and approaches to use for the task.
 
Once you have the vendors in your supply chain identified, and have obtained and cataloged the relevant data, the next step we suggest is to tier the vendors into levels to make it easier to classify vendors into “object groups”. Once we have the vendors sorted into tiers, we will discuss how to assign required controls to each tier in an easy to manage manner. This greatly simplifies the processing of future vendors that are added to the supply chain, since you need only identify the tier they fit into and then use the control requirements for that tier as your basis for evaluation and risk assessment. 
 
Vendor tiering, done properly, also makes assigning vendors to a given tier trivial in the long term. Our approach, as you will see, provides very clear criteria for the levels, making it easy to add new vendors and simple to manage vendors who change status as the supply chain and product lines evolve.
 
In our suggested model, we have four tiers, composed as follows (using a product manufacturer as an example; obviously, other types of firms may require alternate specific criteria, but this should serve to lay out the model for you to use as a baseline):
 
  • Critical Risk Vendors
    • Criteria: Mission critical “information intellectual property” (IIP) assets are shared with this vendor, where the assets represent a significant portion of the market differentiator or research and development of a product line OR the vendor’s IT operations are critical to our just in time manufacturing or delivery model – that is – ANY outage of the vendor’s IT operations would cause an outage for us that would impact our capability to deliver our products to our customers
      • Examples: Compromise of the IIP data would allow duplication of our product(s) or significant replication of our research; Outages or tampering with the vendor IT operations would impact manufacturing line operations, etc.
  • High Risk Vendors
    • Criteria: Non-critical IIP assets are shared with this vendor such that if said assets were compromised, they would represent damage to our long term product & brand strategies or research and development. Actual product replication would not be enabled, but feature replication might be possible. Outages of vendor’s IT operations at this level, if protracted, could impact our research and development or ability to deliver our products to our customers.
      • Examples: Breach of this vendor’s network could expose the design specs for a specific part of the product. Compromise of the vendor could expose our future marketing plan for a product and some of the differentiating features that we plan to leverage. If the vendor’s IT operations were disabled for a protracted time (greater than /48, 72 or 96/ hours), our capability to deliver products could be impacted.
  • Routine Risk Vendors
    • Criteria: Non-critical IIP assets may be shared with this vendor tier, and compromise of that IIP may be damaging to our reputation. The IIP, if compromised, would not allow duplication of our product lines, research or differentiators of our products. In addition to reputational impacts, sharing of data that could impact our sales pipeline/process and/or other secondary systems or processes may be expected if breaches occur at this level. Regulatory or legally protected IIP also resides at this level.
      • Examples: Organizations where customer data, sales & marketing data, employee identification information, etc. are shared (outsourced payment, outsourced HR, etc.) are good examples here. This is the level of risk for any vendor that you share IIP with, in any form, that does NOT immediately empower delivery of your products or impact your longer term R&D efforts or market differentiators… 
  • Low Risk Vendors
    • Criteria: This tier is for vendors that we share NO IIP with, in any form, and vendors that could not directly impact our product delivery via an IT operations outage in any way. These vendors, should they experience a breach, would result in little to no impact on the reputation or capabilities of our firm to operate.
      • Examples: Caterers, business supply companies, temporary employment agencies, hardware and software vendors for non-manufacturing systems, commodity product or component dealers, packaging material suppliers, transport companies, etc.
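To make the tier criteria above concrete, here is an added example (not code from the original post or from MSI) that encodes the four tiers as a deterministic classifier. Each vendor record carries two assumed attributes: the worst-case impact of the IIP shared with it (an assumed `IIPImpact` enum) and how many hours of vendor IT outage the firm can absorb before product delivery suffers (`0` meaning any outage hurts, `None` meaning no delivery impact at all). The 72-hour "protracted" cut-off is one of the three values the post offers and is an assumption here, as are the vendor names, which are constructed.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional


class Tier(Enum):
    CRITICAL = "Critical Risk"
    HIGH = "High Risk"
    ROUTINE = "Routine Risk"
    LOW = "Low Risk"


class IIPImpact(Enum):
    """Worst-case impact if the IIP shared with the vendor were compromised (assumed scale)."""
    NONE = 0              # no IIP shared with the vendor in any form
    REPUTATIONAL = 1      # customer, HR, sales or regulated data: reputational / secondary-system damage
    STRATEGIC = 2         # feature replication or harm to long-term product, brand or R&D strategy
    MISSION_CRITICAL = 3  # product duplication or significant replication of our research


# Assumption: the post offers 48, 72 or 96 hours as the "protracted" outage cut-off; 72 is used here.
PROTRACTED_OUTAGE_HOURS = 72


@dataclass(frozen=True)
class Vendor:
    name: str
    iip_impact: IIPImpact
    # Hours of vendor IT outage we can absorb before product delivery is affected.
    # 0 means ANY outage hurts us; None means an outage never affects delivery.
    outage_tolerance_hours: Optional[int] = None


def classify(vendor: Vendor) -> Tier:
    """Apply the four-tier criteria from most to least severe; the first match wins."""
    hours = vendor.outage_tolerance_hours
    if hours is not None and hours < 0:
        raise ValueError(f"{vendor.name}: outage tolerance must be >= 0 or None")

    # Critical: mission-critical IIP, or any outage at the vendor causes an outage for us.
    if vendor.iip_impact is IIPImpact.MISSION_CRITICAL or hours == 0:
        return Tier.CRITICAL
    # High: compromise damages long-term strategy, or a protracted outage would hit delivery.
    if vendor.iip_impact is IIPImpact.STRATEGIC or (hours is not None and hours <= PROTRACTED_OUTAGE_HOURS):
        return Tier.HIGH
    # Routine: some IIP is shared (reputational/regulatory exposure). Low requires that an
    # outage could not affect delivery "in any way", so a vendor whose outage would bite only
    # after a very long time still lands here rather than in Low (our reading of the criteria).
    if vendor.iip_impact is not IIPImpact.NONE or hours is not None:
        return Tier.ROUTINE
    return Tier.LOW


def tier_catalog(vendors: List[Vendor]) -> Dict[Tier, List[str]]:
    """Group vendor names by tier so each tier can later be mapped to one control set."""
    catalog: Dict[Tier, List[str]] = {tier: [] for tier in Tier}
    for vendor in vendors:
        catalog[classify(vendor)].append(vendor.name)
    for names in catalog.values():
        names.sort()
    return catalog


# Constructed sample vendor records for a fictional product manufacturer.
SAMPLE_VENDORS = [
    Vendor("Contract fabricator", IIPImpact.MISSION_CRITICAL, 0),
    Vendor("JIT parts logistics", IIPImpact.NONE, 0),        # no IIP, but any outage stops our line
    Vendor("Component design house", IIPImpact.STRATEGIC),
    Vendor("Hosted ERP provider", IIPImpact.REPUTATIONAL, 48),
    Vendor("Payroll processor", IIPImpact.REPUTATIONAL),
    Vendor("Spare-parts distributor", IIPImpact.NONE, 240),  # delivery impact only after a long outage
    Vendor("Office caterer", IIPImpact.NONE),
]


if __name__ == "__main__":
    for tier, names in tier_catalog(SAMPLE_VENDORS).items():
        print(f"{tier.value}: {', '.join(names) or '-'}")
```

Because the checks run from Critical down to Low and stop at the first match, a vendor that shares no IIP at all can still be Critical purely on outage impact (the logistics record above), which is the point the post's "OR" in the Critical criteria makes. Adding a new vendor means filling in the two attributes and letting the function assign the tier, rather than debating the tier case by case.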
 
Building such a tiered approach for your vendors creates an easy to manage way to prioritize them. The tiered approach will also be very useful in mapping groups of controls to the requirements for each tier. We will cover that in a future post, shortly.

Ideas for Vendor Discovery

One of the most common issues in supply chain security is in identifying vendors initially and then in maintaining their status over the long term. To answer that challenge, here are some ideas around creating initiatives to answer those needs that we have seen work over the years. This post will focus on identifying vendors and refreshing vendor lists. Another post will discuss suggestions for creating vendor tiers and sorting vendors based upon various criteria and mapping that to controls for each tier.

 
Getting Started:
 
The first step in identifying your vendors and beginning the supply chain security process is to establish responsible parties. Who in the organization will be responsible for establishing the program, and who will be responsible for oversight of the program? Who will the program report to, and what data is expected as part of the report? This is often assigned to the company’s risk or security department, where available, and flows upwards through their management chain to a steering committee or chief executive. In some cases, where security or risk functions don’t formally exist, we have seen supply chain security tasking as a part of either legal or operational teams. Rarest of all, and the least successful in our experience, is when it is assigned to members of the accounting team – mostly because they often lack sufficient technical and risk assessment skills to perform the work optimally.
 
Creating Data Boundaries:
 
Once you know who will do the work, the next step is to establish boundaries and the underlying mechanisms you will use to manage the data. In small companies, this might be as simple as a spreadsheet. Mid-size companies often build a small database or SharePoint repository to hold the data. Large firms often use modules in their enterprise data platforms to manage the data. How you will manage the data, though, regardless of your chosen platform, is much less important than setting boundaries about how far back in the vendor supply chain you will go. In our experience, this is an area where organizations often damage their success early by trying to target too large a portion of the vendor population or using too much history. Our suggestion is to use only vendors that are currently serving the company, and then to pick a criterion such as “criticality to just in time delivery”, “line operations criticality”, gross spend, or criteria that reflect the potential for large impacts to your operations or central valued assets. For example, if you have vendors that provide raw materials to your factories, and downtime of the line is a significant threat – then focus on those critical suppliers to start. If you are a bank or credit union and you outsource item processing or marketing to your clients/members to a third party – then these vendors could impact the core value of your business – the trust of your clients, so start there. To begin, start by identifying the top 10 or 20 vendors in this group. That becomes the working list to begin the process.
 
Gathering the Data: 
 
Now that you know what vendor data you need and what the boundaries are, how do you actually gather the data? In most cases – the process begins by working with accounts payable to obtain their ranked and sorted list of vendor payees. A quick hint here is to check with your disaster recovery and/or business continuity team to see if they already have the data and have vetted it. In many cases the DR/BC folks have done the basic footwork – so you may be able to leverage their processes, data and systems. Either way, once you get the list, it is advisable to do a rationality check with the various lines of business using the vendors. In many cases, their feedback can help you make sure that what accounting says is critical agrees with their operational sense of the world.
 
Once you have the data and have processed it into your systems – you will next want to establish a workflow on how you will use the data, what baselines you will use, etc. We will cover that shortly.
 
Be sure to document the collection processes you used, and create a periodic refresh process for the data based upon it. Optimize that process over time to expand scope, reduce time between updates, etc. Eventually, most organizations settle on monthly or quarterly updates of vendor data, and then sort their vendor assessment efforts based upon tiers. Using and refining such a process will go a long way toward reducing your supply chain risks over time.

3 Reasons Your Supply Chain Security Program Stinks

  1. Let’s face it, Supply Chain Security and Vendor Risk Management is just plain hard. There are a lot of moving pieces – companies, contacts, agreements, SLAs, metrics, reporting, etc. Suppliers also change frequently, since they have their own mergers/acquisitions, get replaced due to price changes or quality issues, new suppliers are added to support new product lines and old vendors go away as their product lines become obsolete. Among all of that is cyber-security. MSI has a better and faster way forward – an automated way to reduce the churn – a way to get a concise, easy to use and manageable view of your vendors’ security posture. This month, we will show you what we have been doing in secret for some of the largest companies in the world… 
  2. Vendors with good security postures often look the same as vendors with dangerous security postures, on paper at least. You know the drill – review the contracts, maybe they send you an audit or scan report (often aged), maybe they do a questionnaire (if you’re lucky). You get all of this – after you chase them down and hound them for it. You hope they were honest. You hope the data is valid. You hope they are diligent. You hope they stay in the same security posture or improve over time, and not the opposite. You hope for a lot. You just don’t often KNOW, and what most companies do know about their vendors is often quite old in Internet terms, and can be far afield from where their security posture is at the moment. MSI can help here too. This month, we will make our passive assessment tool available to the public for the first time. Leveraging it, you will be able to rapidly, efficiently and definitively get a historic and current view of the security posture of your vendors, without their permission or knowledge, with as frequent updates as you desire. You’ll be able to get the definitive audit of their posture, from the eyes of an attacker, in a variety of formats – including direct data feeds back into your GRC tools. Yes, that’s right – you can easily differentiate between good and bad security AND put an end to data entry and keyboarding sessions. We will show you how… 
  3. Supply chain security via manual processes just won’t scale. That’s why we have created a set of automated tools and services to help organizations do ongoing assessments of their entire supply chain. You can even sort your supply chain vendors by criticality or impact, and assign more or less frequent testing to those groups. You can get written reports, suitable for auditors – or as we wrote above, data feeds back to your GRC tools directly. We can test tens of vendors or thousands of vendors – whatever you need to gain trust and assurance over your supply chain vendors. The point is, we built workflows, methodologies, services and tools that scale to the largest companies on the planet. This month, we will show you how to solve your supply chain security problems.
 
If you would like a private, sneak peek briefing of our research and the work we have done on this issue, please get in touch with your account executive or drop us a line via info (at) microsolved /dot/ com, call us at (614) 351-1237 or click the request a quote button at the top of our website – http://microsolved.com. We’ll be happy to sit down and walk through it with you.
 
If you prefer to learn more throughout March – stay tuned to https://stateofsecurity.com for more to come. Thanks for reading!