Hello ISC2 folks,
Need your help with something related to vendor categorization. I have a list of around 20 "critical" vendors and need to further filter them down based on their criticality (information security-wise). So I am struggling to outline the criteria that I need to use in order to be able to determine which of the vendors are more critical from an infosec perspective. I plan to interview the managers and the SMEs involved for each vendor/service. A few of the components I am thinking of include:
- The sensitivity of the company information that the vendor processes/stores.
- The amount of records/company information (MB/GB-wise?) that the vendor processes/stores.
- Whether and to what extent the company would suffer if the company information that the vendor processes/stores is compromised?
Please give me your ideas and let me know what other things could help me in the interviews so that I can get the best mechanism for determining which of the given 20 "critical" vendors are "more critical" 🙂
@Deyan wrote: A few of the components I am thinking of include:
- The sensitivity of the company information that the vendor processes/stores.
- The amount of records/company information (MB/GB-wise?) that the vendor processes/stores.
- Whether and to what extent the company would suffer if the company information that the vendor processes/stores is compromised?
I'd look at this as a risk assessment, which is maybe why you are being asked to do this. Different assets are going to have different values based on their cost of replacement. In other words, I wouldn't worry about data size as much as its value. Your corporate PR department might have GBs of video of corporate officers speaking, whereas a product group might have 1 KB of highly proprietary code. I would focus on talking to the managers and subject matter experts about the value of the assets you have with vendors. Try to have some consistency in how that value is computed and understand how it can change over time. Ultimately this can yield a calculation of dollars at risk with each vendor, and that is a pretty darn good metric to filter on. Similarly, for managers and SMEs, try to get at business impact questions: what is the maximum tolerable downtime, how much of an asset needs to be recovered for them to get back up and running, and what is a reasonable time frame?
You might also look into the vendors' capabilities for Business Continuity - if they are indeed critical, then you may want to inquire whether they have plans to still be able to supply you in case of disruptions. RTO/MTD and so on.