What should I do if my Vendor receives a Low (Recommended) or Medium (Recommended with Stipulations) risk rating for a Vendor Security Assessment (VSA)?
If the Vendor receives a Low (Recommended) or Medium (Recommended with Stipulations) risk rating, we recommend the following steps:
1) Consult Your Unit Information Security Lead: Collaborate with your Unit Information Security Lead to determine the best course of action. You generally have two primary options: remediation and/or acceptance.
2) Determine Course of Action:
- 2a) Remediate: If the risk rating is Medium (Recommended with Stipulations), it is advisable to work with the Vendor to address the identified risks. A template that you can use at your discretion to facilitate this will be provided along with the report. If the risk rating is Low (Recommended), this step can be skipped when the risks noted are within the Unit’s risk tolerance. Remediation involves:
  - Resolving false positives: False positives can occur when the vendor misunderstands a security question or provides insufficient evidence to confirm that a security control is in place (e.g. information security policies, incident response plans, or vulnerability scan and penetration test reports).
  - Obtaining remediation plans: A remediation plan details the vendor’s specific actions and clear completion dates for each identified risk. Integrate these plans into the contract to hold the Vendor accountable.
- 2b) Accept: If remediation is not feasible, accepting the risk may be necessary. Remember that acceptance should be considered as a last resort, and the decision to accept risk is made in collaboration with your Unit Information Security Lead, as your Unit is ultimately accountable for these decisions.
3) Document the Decision:
- It’s important to document all risk-related decisions for accountability and future reference. While there is no mandated format, you may choose to use the Unit Head Risk Approval Form. Be mindful that some fields in this form may not apply to Low or Medium risk ratings, as it is primarily designed for higher-risk vendor relationships requiring Unit Head and possibly CISO sign-off. If you choose not to use the Unit Head Risk Approval Form, ensure that your documentation includes the following minimum elements:
  - The risks being accepted from the VSA report.
  - Reasons for acceptance.
  - Potential impact of not accepting.
  - Summary of steps taken to try to remediate the risks.