It should be simple. Vendors classified as medium or high risk impact should be assessed at a medium or high level, respectively. The reality is much more complex.
While SecurityStudio will ALWAYS encourage you to assess risk with appropriate thoroughness, we also recognize that vendor risk management is a work in progress. Showing demonstrable progress over time is better than being stalled out.
For this reason, we have added a third assessment template to our mix called Beginner. This template is very intentionally NOT called "Low" as it's not meant to go out to vendors classified as low impact. In fact, this template will never be applied by default anywhere.
HOW IT WORKS
Once a vendor is classified, the Risk Manager will be prompted to confirm the impact level.
By default, the confirmation window will pull in the assessment template that matches the classification level (medium or high).
However, you can now select any assessment template (default or custom) regardless of the classification level.
If you choose an assessment template that does not match the classification level, a warning will appear to inform you that you are taking an action counter to best practice.
This means that the vendor will not be assessed on all the controls that are appropriate for their level of risk to your organization. This should not be taken lightly.
If you click the Confirm & Send button, the vendor will receive the selected assessment template. The type and name of the assessment template will display in the evaluation screen.
The template selection does not override the classification level. The classification level will always display in the top right corner of the evaluation screen for reference.
WHAT HAPPENS NEXT
The Beginner template is an excellent tool for vendors that, for whatever reason, are unwilling or unable to complete the prescribed assessment (medium or high). SecurityStudio recommends that you use the Beginner template only when necessary and only as a temporary measure.
Once the vendor has completed the Beginner assessment, it's an easy jump to complete the Medium assessment and then the High assessment. We highly recommend an intentional graduated approach that opens up more and more controls over time. This will reduce the burden to the vendor while bringing the vendor's assessment up to the appropriate level of thoroughness.