What is vendor tiering?
Vendor Tiering is a method of classifying vendors based on the level of security risk they introduce to an organization. The level of security criticality decreases with each subsequent level.
The number of tiering levels depends on personal preference. The basic vendor tiering structure consists of three levels - Tier 1, Tier 2, Tier 3 - where Tier 1 represents high-risk vendors.
Each vendor could be assigned to a tier manually, or the process could be based on a security questionnaire scoring system. Both methodologies are discussed in this post.
The benefit of separating vendors into different tiers is that it creates a more efficient vendor assessment workflow that considers the specific risk thresholds of all vendors. Applying the same level of risk assessment to each vendor is difficult to maintain, and in most cases, unnecessary.
Vendors storing publicly accessible information, such as information on a website, pose less potential risk than vendors with access to sensitive business resources, such as internal communication solutions like Slack. It would make sense, therefore, to perform less in-depth and less frequent assessments for vendors in the former category.
This is the objective of vendor tiering - to streamline the vendor risk management process so that security teams are able to manage third-party risks more intelligently.
Why is vendor tiering important?
Vendor tiering is important because organizations struggle to manage a Third-Party Risk Management Program across an expanding vendor network.
Limited internal resources prevent new vendors from receiving the security attention they require. As a result, procurement controls remain weak and fail to filter out preventable inherent risks during digital transformation.
This unmonitored attack surface expansion further burdens security teams, making it even more difficult to manage risk assessments during onboarding.
Eventually, the need to scale business processes collides with exhausted cybersecurity resources, and risk assessments are overlooked entirely during onboarding.
With supply chain attacks on the rise and third-party breaches accounting for 60% of sensitive data breaches, management teams cannot continue to forsake vendor due diligence.
Vendor tiering helps security teams distribute their efforts more efficiently, helping them focus a majority of their efforts on critical vendors posing a higher risk to security postures, such as vendors at a high risk of a ransomware attack. Because this relieves the burden of responding to all security issues with equal vigor, more bandwidth is available for the secure onboarding of all new third-party vendors.
Service providers with a higher risk of being compromised in a cyberattack are grouped in a critical tier so that they can be prioritized in remediation efforts.
The benefits of the vendor tiering process also extend to the existing vendor network. Because remediation efforts are proportional to risk exposure, more attention can be devoted to the vulnerabilities having the greatest impact on security posture, significantly reducing the chances of an organization suffering a data breach.
This highlights another major benefit of vendor tiering. By grouping vendors into different risk categories, vendor tiering supports a more efficient and logical remediation sequence.
For more information about how to optimize a remediation workflow, refer to this whitepaper on Risk Remediation Planning.
How does vendor tiering improve Third-Party Risk Management (TPRM)?
Vendor tiering helps security teams adjust the level of risk assessments performed at each vendor tier, rather than applying the same effort across all vendors.
Some vendors with strict regulatory requirements, such as GDPR-bound businesses and those in the healthcare industry, require stricter risk assessments than others. So it makes sense to adjust a vendor risk management program in favor of vendors with higher risk factors.
With vendor tiering, security teams could achieve a more manageable risk assessment workflow where each tier is assigned a specific set of assessments.
For example, an ISO 27001 questionnaire could be sent to only tier 1 vendors. This is a superior model to the conventional method of manually tracking the assessment requirements of each vendor - an effort that quickly becomes a logistical nightmare as the vendor network expands.
The dependency on digital transformation will only increase as businesses meet the growing expectations of innovative consumers, which will only increase the burden of Vendor Risk Management (VRM).
To prepare for this inevitable future, businesses need to transition to a more efficient vendor tiering assessment framework. This strategy also pushes cybersecurity programs closer to automated processes. This is the inevitable next phase of the TPRM development lifecycle given the significant data breach cost savings resulting from automation.
What is a vendor tiering questionnaire?
A vendor tiering questionnaire is a mechanism for determining a vendor's appropriate tiering level. These questionnaires, also known as vendor questionnaires, are typically assigned to new vendors during the onboarding phase of a Vendor Risk Management program to collect information about their cybersecurity practices.
A vendor tiering questionnaire is just one option for determining vendor criticality in a vendor tiering model.
Other options include:
- Security certifications
- Previously completed security questionnaires
- Automated scanning results.
All of these data sources should be considered to build the most accurate inherent risk profiles for new vendors. An accurate security posture calculation is an essential prerequisite of informed vendor tiering decisions that support VRM program efficiency.
Referencing multiple security posture data sources for a large number of vendors presents significant logistical issues, even with the support of process automation. Watch this video to learn how UpGuard solves the problem of evaluating multiple vendor security data sources to streamline the onboarding process.
Vendor tiering model
A vendor tiering model defines how a vendor's criticality rating and associated tiering level are assigned. These models usually consist of automated and manual components.
Automated component of a vendor tiering model
Automated vendor tiering models process responses from vendor security questionnaires alongside preconfigured automation rules to automatically assign each vendor to a criticality tier. Having the option of automating a component of the vendor tiering process significantly reduces manual tasks associated with vendor management, which translates to significant time savings for large vendor networks.
Configuring vendor tiering automation involves assigning a weight to each response in a vendor relationship questionnaire and then defining a formula for automatically assigning a vendor to a specific tier based on the total weight calculated when the questionnaire is completed.
On the UpGuard platform, vendor management automation includes a vendor tiering option.
Here's an example of a weighting strategy for three questions in a vendor relationship questionnaire.
1. Will this vendor have access to physical or electronic assets or data belonging to our organization?
   - Yes: weight 100
   - No: weight 0
   - Unanswered: weight 100
2. Will the vendor host data on behalf of our organization?
   - Yes: weight 100
   - No: weight 0
   - Unanswered: weight 100
3. Does the service support Single Sign-On (SSO)?
   - Yes: weight 0
   - No: weight 100
   - Unanswered: weight 50
Weights would need to be assigned to each response option. Don't rush this step. Take the time to consider an appropriate weight distribution for each question, especially for queries about a vendor's sensitive data handling practices, since these responses will have the greatest impact on your third-party cyber risk exposure and regulatory compliance efforts.
A total weight value calculation formula could either be a sum of the total weights of all questions or a custom formula based on your internal vendor tiering model's unique inherent risk calculation methods.
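The scoring described above, as an added example (not UpGuard's code): the three questions with the article's weights, a summing formula that can be swapped for a custom one, and a tier assignment. The tier thresholds and question identifiers are assumptions; note that an unanswered question is scored as a risk, so a vendor cannot lower its tier by leaving questions blank.

```python
# Weighting scheme taken from the article's three example questions.
# Question identifiers are constructed for this example.
QUESTIONS = {
    "access_to_assets": {"Yes": 100, "No": 0, "Unanswered": 100},
    "hosts_our_data":   {"Yes": 100, "No": 0, "Unanswered": 100},
    "supports_sso":     {"Yes": 0,   "No": 100, "Unanswered": 50},
}

# Assumed thresholds (not from the article): minimum total score -> tier.
# Evaluated from highest to lowest, so the first match wins.
TIER_THRESHOLDS = [(200, 1), (100, 2), (0, 3)]


def score_questionnaire(responses, questions=QUESTIONS, combine=sum):
    """Return the total weight of a vendor's responses.

    A question missing from `responses` is treated as "Unanswered" rather
    than ignored, so gaps in the questionnaire raise risk instead of hiding it.
    `combine` is the formula applied to the per-question weights; the default
    is a plain sum, but any callable over a list of weights may be supplied.
    """
    weights = []
    for qid, options in questions.items():
        answer = responses.get(qid, "Unanswered")
        if answer not in options:
            raise ValueError(f"{qid}: unexpected answer {answer!r}")
        weights.append(options[answer])
    return combine(weights)


def assign_tier(total, thresholds=TIER_THRESHOLDS):
    """Map a total score to the first tier whose minimum it meets."""
    for minimum, tier in thresholds:
        if total >= minimum:
            return tier
    return thresholds[-1][1]


def tier_vendor(responses, combine=sum):
    """Convenience wrapper: (total score, tier) for one vendor's responses."""
    total = score_questionnaire(responses, combine=combine)
    return total, assign_tier(total)


if __name__ == "__main__":
    # Constructed sample: a vendor that hosts our data and lacks SSO.
    sample = {"access_to_assets": "No", "hosts_our_data": "Yes", "supports_sso": "No"}
    print(tier_vendor(sample))
```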
Manual component of a vendor tiering model
A manual vendor tiering process is preferred when complex tiering automation is not required. The following use cases may warrant a manual vendor tiering model.
- When a vendor has a known reputation: A vendor's data security or general cybersecurity hygiene is known through past experiences with the vendor or media coverage.
- When the vendor will be processing sensitive data: Situations where an organization is instantly aware that the vendor will have access to internal sensitive data, such as third-party payment processing services.
A manual vendor tiering model involves manually choosing an appropriate tier for each third-party vendor onboarded into your Vendor Risk Management program.
Manual vendor tiering vs. automated vendor tiering models
The best Vendor Risk Management solutions offer a vendor tiering model with manual and automated options since both options provide unique, time-saving benefits:
- A manual vendor tiering option allows users to instantly assign a criticality rating to a vendor when their inherent risk level is known
- An automated tiering option allows users to scale the onboarding of multiple vendors into a Vendor Risk Management program.
Vendor tiering best practices
Follow these best practices to optimize the efficiency of your vendor tiering strategy.
1. Define clear tiering criteria
Well-defined tiering criteria are the cornerstone of a successful vendor tiering strategy. The factors contributing to your tiering criteria should be mapped to your unique Vendor Risk Management objectives. At a minimum, the following factors should be considered to quickly determine a vendor's criticality:
- Level of sensitivity of data being processed
- A vendor's level of required access to critical systems
- Any regulatory standards impacted by the vendor's partnership
- Level of the potential impact on the business should the vendor suffer a security incident or data breach
2. Combine manual and automated tiering models
A hybrid vendor tiering model allows you to leverage the benefits of instant vendor tiering when a vendor's criticality level is already known, and of scalable tiering processes when onboarding a high volume of vendors. Even if manual tiering is unlikely to be required during onboarding, this option should always be offered alongside an automated process for unique threat circumstances that require slight manual tiering adjustments, such as when a vendor is potentially impacted by an IT disruption in its supply chain.
3. Leverage security ratings
Security ratings provide a quick snapshot of a vendor's security posture by analyzing multiple attack vectors. Including security rating insights in a vendor tiering model allows for dynamic tiering changes when a vendor's security posture drops below a set threshold.
4. Set clear security expectations for vendors
Clearly communicate the cybersecurity standards you expect from newly onboarded vendors. At a minimum, these standards should include expectations for building and maintaining resilience against data breaches and cyber threats. Setting cybersecurity hygiene expectations at the onset of every vendor relationship could reduce the chances of having to upgrade a vendor to a higher criticality tier further into the partnership, which will also reduce the chances of vendors negatively impacting your own security posture.
5. Regularly evaluate your vendor tiering model
Vendor risk profiles can change over time due to various factors, such as changes to business operations, new partnerships, mergers, or updated regulatory standards. To ensure the ongoing accuracy of your vendor tiering model, vendor security postures should undergo regular detailed reviews through point-in-time risk assessments.
Vendor risk assessments indicating a high volume of vendors requiring a tiering review will likely require changes to the automation rules of tiering questionnaires and a reissuing of the updated questionnaire to all impacted vendors. When just a few vendors require an updated tier attribution, manual tiering adjustments should be sufficient.
Vendor tiering by UpGuard
UpGuard is recognized as one of the leaders in Vendor Risk Management (VRM). In addition to manual vendor tiering, UpGuard has released an automation feature for vendor classification according to custom rules and logic you define. The automation logic applies tiers, labels, portfolios, and custom attributes to your vendors based on answers from the vendor relationship questionnaire. For more information on the automation workflow, see our blog Scale Your Vendor Risk Management Program with Automation.
The entire vendor tiering arrangement can be manually adjusted, giving each business greater control over its vendor categorization process. Businesses can create as many tiers as needed and assign each a unique name.
A vendor's security risk weighting can then be represented through a risk matrix in a cybersecurity report generated from the UpGuard platform, allowing stakeholders to instantly understand the degree of risk associated with each vendor.
To further optimize third-party risk management, the security posture of each tier can be assessed with UpGuard's Custom Questionnaires Builder.
Businesses with comprehensive vendor networks have the option of outsourcing their Third-Party Risk Management program to cybersecurity experts. By combining this service with UpGuard's Vendor Tiering feature, scaling businesses will establish a dependable foundation for the highly complicated vendor attack surface of the future.