Step 2 in completing a supplier assessment is to answer:
Industry Vertical and Operation Regions of the supplier
Connectivity questions
Interruption and Ransomware questions
Data Breach questions
Misappropriation questions
Answer only those questions that are applicable to the supplier relationship. If a question is not applicable to the supplier relationship please select "No" or "Not Applicable" in the answer key, depending on the questions asked. Remember the objective is to define the relationship with this supplier and what it is providing to the associated profile or organization at large. Therefore, many questions may apply, or few may apply depending on the supplier relationship under assessment.
Answer Assessment Information Questions
Below is a list of Assessment Information questions with their purpose and what each questions informs.
Industry Vertical and Operational Regions
Industry Vertical of Supplier
Purpose: defines the primary industry vertical of the supplier based on the relationship being assessed.
Informs: threat landscape, loss probability (all loss categories), and loss severity (all loss categories).
Operation regions of Supplier
Purpose: define the region in which the supplier operates out of in relation to the services being provided to the organization. This could be one or more regions depending on the supplier relationship.
Informs: loss severity and probability for data breach and misappropriation.
Connectivity Questions
Is the Supplier directly connected to your enterprise?
Purpose: define whether the supplier is a potential vector into your enterprise network and/or assets. If directly connected, the supplier relationship takes on the cyber exposure of the associated business profile.
Informs: scope of potential cyber exposure (all loss categories) of supplier relationship.
Is the Supplier providing web-based or cloud-based services?
Purpose: define services being provided by supplier.
Informs: scope of potential cyber exposure (all loss categories) of the supplier relationship.
Interruption and Ransomware Questions
Supplier's direct impact on revenue (Estimated Percent of Revenue)
Purpose: define the relation of the supplier's services to organizational or business profile revenue line.
Informs: scope of cyber exposure impacts (all loss categories).
Note: This is a best estimate or understanding of potential revenue impact and not a precise evaluation of impact on revenue. The goal is to inform a potential scope of impact from insignificant to significant.
Data Breach Questions
Volume of records handled by Supplier
Purpose: define whether the supplier is handling organizational records within the supplier relationship.
Informs: applicability of data breach impacts with supplier relationship.
Total volume of records (PII, PCI, PHI, PFI, Government Classified)
Purpose: define an estimated volume of records per record type.
Informs: loss severity and probability for data breach.
Note: this is a best estimate or understanding of the volume of records and not intended to be a precise amount. An approximate value is sufficient.
Misappropriation Questions
Estimated value of intellectual property shared with Supplier (percent of annual revenue)
Purpose: if IP is shared within the Supplier relationship, defines an estimated value of IP shared with supplier.
Informs: loss severity and probability of misappropriation of intellection property.
Note: this is a best estimate or understanding of the value of IP shared and not intended as a precise evaluation.
Does the Supplier handle electronic fund transfers (such as SWIFT or ACH) on behalf of your enterprise?
Purpose: define whether the supplier is handling electronic funds transfers within the supplier relationship.
Informs: applicability of misappropriation of funds risk and loss severity and probably of misappropriation of funds based on industry standards.
Once Assessment Information is complete, click "Calculate and Next" button at the bottom right of screen to calculate initial supplier risk tier and exposure information and move on to Step 3 of the assessment.
You can always go "Back" to step 2 of the assessment and change inputs and click "Recalculate and Next" to update the supplier relationship.
Comments