Vendor Risk Playbook
The 2-tier model
- Tier 1 (processes customer or employee data, integrates via SSO, or connects to production): full review. Collect a current SOC 2 report (Type II where available), a recent penetration test summary, a signed DPA, and the vendor's sub-processor list.
- Tier 2 (SaaS that holds no sensitive data and touches no production systems): lightweight review. Require SSO to be enforced, MFA on every account, and a signed contract.
The 20-minute review
Use the same standard questionnaire for every vendor. If the answers and the tier's evidence come back clean within 20 minutes, approve. Anything that does not is the exception that earns a deeper look, not a reason to stretch every review.
Common trap
Blocking every tool by default. Teams route around a blanket no with unreviewed tools and personal accounts, which leaves you with less visibility than an approved vendor would. Security's job is to make the safe path the easy path.