We all have seen the unbelievable risk matrices supplied by our auditors and hinted at by the FFIEC. These guides are all well-intentioned but have the effect of turning a good business practice into nothing but a form. In reality getting them on the form is easy; what happens first is important.
Not All Vendors Are The Same
From a “business point of view” (i.e. management), not all vendors (especially high-risk vendors) carry the same downside risk. Some are temporary, some last forever.
There are really two ways to look at this issue. Ask yourself about the risk this service or product poses: is the downside a problem or is it a condition? Think of it this way. A problem is something that can be fixed (break your arm, you can get it fixed). A condition is like an allergy (you can never fix it; you have to manage it, or live with it, forever).
Just consider the difference between your internet going down versus someone hacking your identity. One can be fixed and is only temporary, while the other has longer ramifications and takes persistent vigilance. If you live in operations, you live in the “problem” world. If you manage risk, you should live in the “condition” world.
Assessing Your Organization
Don’t misunderstand; you really need to have your organization do a complete risk assessment. Just pull your head out of the weeds to get a quick overview and read (it will not take 3 minutes) this from Administrative Guidelines: Implementation of Inter-agency Programs for the Supervision of Technology Service Providers, October 2012 page A 7.
If you did not take the three minutes, here is the digest: if you are dealing with a large vendor who did not provide you with either a SAS 70 or 16, whose organization is in chaos, whose customers are complaining, and who is experiencing financial difficulties, you might want to reclassify that vendor from a condition to a real problem.