How do you select which vendors to assess? Ideally you would use the same process for all vendors across the board, but a full assessment will not be appropriate for every vendor.
CORL recommends tiering your vendors and focusing on assessing vendors that can access your IT environment or can access sensitive data such as credit card data, PHI, or PII.
For lower-tiered vendors you may want to explore other due diligence options. For example, if you have a vendor that collects trash, you may want to request background checks of its employees and ensure that those employees review and sign off on an Acceptable Use Policy (AUP). You may also want to request completion of basic security training where it makes sense.
From a regulatory standpoint, it's important that you document your approach and perform a level of due diligence that is commensurate with the service the vendor provides. For example:
- Tier 1 and Tier 2 vendors: Complete an annual CORL Cleared Assessment.
- Tier 3 vendors: Complete a CORL Cleared Assessment every 2 years.
- Tier 4 vendors: Based on the services provided, may only be subject to background checks / screens (or confirmation that they were performed), an AUP, security training, etc.
You can also use an unvalidated (no evidence required) assessment approach with a smaller questionnaire for lower-tiered vendors that pose little risk.