## Vendor Classification

| Tier | Criteria | Assessment Depth |
|---|---|---|
| Critical | Access to sensitive data, system integration | Full assessment + audit rights |
| High | Limited data access, important services | Detailed questionnaire + evidence |
| Medium | Minimal data access, replaceable | Standard questionnaire |
| Low | No data access, commodity services | Basic due diligence |

## Security Program Assessment

- ☐ Does the vendor have a documented security policy?
- ☐ Is there a designated security leader (CISO or equivalent)?
- ☐ What security certifications do they hold (SOC 2, ISO 27001)?
- ☐ When was the last third-party security audit?
- ☐ Do they conduct regular penetration testing?

## Access Control

- ☐ How do they manage user access and authentication?
- ☐ Is multi-factor authentication required?
- ☐ What is their process for access reviews?
- ☐ How quickly are terminated employees offboarded?
- ☐ Do they follow least-privilege principles?

## Data Protection

- ☐ How is data encrypted at rest and in transit?
- ☐ Where is data physically stored?
- ☐ What is their data retention and disposal policy?
- ☐ Can they meet your data residency requirements?
- ☐ How do they handle data subject requests?

## Incident Management

- ☐ What is their incident response process?
- ☐ What are their breach notification timelines?
- ☐ Have they experienced any security incidents?
- ☐ Do they carry cyber insurance?

## Business Continuity

- ☐ Do they have a business continuity plan?
- ☐ What are their SLAs for uptime and recovery?
- ☐ How often do they test their disaster recovery?
- ☐ What is their backup strategy?

## Contractual Considerations

- ☐ Include security requirements in contracts
- ☐ Require breach notification within 24-72 hours
- ☐ Include right-to-audit clauses
- ☐ Define data handling and return procedures
- ☐ Specify subcontractor restrictions
