- January 16, 2024: Added suggested tiers.
- May 18, 2022: Now available to all TPRM customers.
- January 13, 2021: Relationship Details combined with Company Info when viewing your My Company or My Subsidiary.
Tiering is one of the first steps in the TPRM process and it sets the stage for everything that follows.
This feature is available to all TPRM customers.
- Apply global or group tiers.
  - Global Tiers: All companies for all users.
  - Group Tiers: Set up tiers that are specific to Access Control Groups.
- Configure up to 5 tiers with custom names and descriptions.
- Configure companies in your portfolio into tiers.
- Assign an assessment to a tier.
The Tier Settings page (formerly known as “Manage Tiers”) allows you to set risk thresholds for your tiers, as visually depicted by the Portfolio Risk Matrix.
The Tier Settings page is only visible to users that have tier management permissions. See tiering user permissions.
Refer to the /tiers API endpoint to configure tiers via the Bitsight API.
Use the Create Tier link below the tiers to create a new tier. There can be up to 5 tiers.
Click and drag a tier to re-order tiers from highest to lowest criticality and security risk.
To set up group tiers, an Admin must enable the Company Details option for your group from the Groups tab. The Manage Group Tiers/Restore Global Tiers button will then be available at the top-right of the Tier Settings page. Once tiers are set up, the Portfolio Risk Matrix is automatically displayed in your dashboard.
We suggest creating the following tiers:
- Tier 1: Critical. Vendors who are essential to your business, have direct or indirect connections into your network, are responsible for sensitive or regulated information, or with whom you have significant financial investments.
- Tier 2: High. Vendors with partial access to highly sensitive data or your network. The use of these vendors impacts daily operations, but service interruptions may not stop operations completely.
- Tier 3: Medium/Low. Vendors with partial access to systems with whom you have limited financial investment. Daily operations can continue without these vendors for short periods.
Adding Companies Into Tiers
To add a company to a tier or remove it from one:
- Use the Companies List page to search for companies to edit.
- Edit from the Relationship Details panel.
Edit the tier details, set risk thresholds, and assign assessment:
- Edit the name and description of the tier or add companies to the tier. A company can be assigned to one tier at a time.
- Set the security rating risk thresholds for companies in this tier to determine the tier’s position in the Action Plan.
- Select an uploaded assessment to automatically associate with companies in this tier.
Delete a tier.
Configure alerts for a tier.
The tier recommender helps make intelligent decisions around tiering and makes onboarding new vendors to your Third Party Risk Management (TPRM) program faster.
Tier recommendations are based on:
- Network intelligence via the Bitsight inventory.
- Machine learning that provides insight into the best practices of over 30k tiered companies (and growing).
Combined, we’re able to bring intelligent recommendations to the vendor tiering process with a model that gets better and smarter over time.
Recommendations can be accessed if you have tiers set up for your account. They can be accessed at all the key points in the Tiering workflow for a selected company, including at the time of subscription, from the Relationship Details panel of a company's Overview page, or from the Portfolio page.
Configure your third parties into tiers from the following pages:
- Access Control: Groups Tab. If you’re an Admin, use the Groups tab in the Access Control page to enable tiering for groups.
- Portfolio Risk Matrix. Access the Tier Settings page from the Edit Tiers and Thresholds link at the top-right of the Portfolio Risk Matrix.
- Select Edit in the Company Information sheet on the right.