Vendors

Estimated reading: 11 minutes 2533 views

What is it?

Vendors are various companies from whom you have purchased software or services that you use to run your business.

For example, Microsoft, Salesforce, and Okta are vendors. One vendor can provide you with many Systems. For example, Microsoft is a vendor, and it provides you with many systems like Azure AD, Confluence, Office 365, etc.

Your Vendors page helps you conduct vendor risk assessments, manage your existing vendor relationships, and consolidate any potential documents that you were keeping elsewhere.

Third Party Risk Management (TPRA) or Vendor Risk Assessments

Note: This is currently available as an open beta. Contact us to get started.

Third-party risk assessments (TPRA) provide insights into the potential risks posed by your vendors. Comprehensive evaluations shed light on how your vendors handle your data and the associated threats. Undertaking these assessments is not only mandated by numerous standards but is also crucial in minimizing business disruptions by proactively addressing third-party risks.
In general, Third party assessments can be broken down into 4 steps: 

  1. Identification of Risks: Assess the potential threats and vulnerabilities introduced by engaging with an external vendor, considering factors such as data security, compliance, and operational risks.
  2. Due Diligence: Conduct thorough background checks on vendors, reviewing their security protocols, financial stability, and past performance to ensure they meet organizational standards. This is typically accomplished via a vendor risk assessment, a security questionnaire that is sent out to the vendor, or analysis of a vendor’s publish TrustShare profile.
  3. Continuous Monitoring: Implement ongoing oversight of vendor activities and performance, ensuring they remain compliant with contractual obligations and industry standards. Frequent risk assessments and due diligence contributes towards effective monitoring.
  4. Mitigation Strategies: Develop and implement strategies to address identified risks, including contingency plans, contractual clauses, and regular audits, to ensure vendor alignment with organizational objectives.

You can easily send, assess, and manage your vendors and assessments using TrustCloud’s Third-party risk management feature. Keep reading to learn more about how to send assessments, tailor your programs, and manage your workflow.

Getting Started 

To begin leveraging TrustCloud’s vendor risk management solution, a few housekeeping items should be taken care of ahead of sending that first risk assessment. Use the following 4 step process to get started:

  1. Create on Assessment Template or Upload your Existing Security Questionnaire via the Evaluation Templates Page: Navigate to the evaluation templates section to begin setting up forms that your vendors will be filling out. Leverage our assessment builder and use your common control framework to simplify the questions you are asking your vendors. Alternatively, upload any existing docs your company uses when conducting vendor assessments.
  2. Setup a Vendor Evaluation Tiers via the Settings Page: Evaluation tiers streamline your process by enabling workflow customization according to each vendor’s risk level. With tiers, you can define the business information required, the specific type of assessment to send, and the necessary data to collect.
  3. Assign a Tier to a Vendor via the My Vendors Page: Assign a tier to an existing vendor or create a new vendor with a tier in order to kick off the risk assessment process
  4. Add a Vendor Contact via the My Vendors Page: Add a vendor point of contact responsible for providing security and compliance details on behalf of the vendor
  5. Start a New Assessment via the My Vendors Page: Kick off the formal assessment by sending the forms out to the vendor
  6. Complete Assessment: Finalize your assessment based on the responses you have received from each vendor

Dashboard

Your Vendors Dashboard helps you keep an actionable business-wide view of your vendors, assessments, and risks. Using the dashboard, you can:

  1. Understand your “Vendor Risk Distribution”: the level of risk across your vendors business-wide. 
  2. See your “Assessment Requests”: see the status, start date, and owner of all active assessments.
  3. “Vendors By Department”: get a pulse of the amount of vendors across your business.
  4. “Vendor Risk by Data Classification”: understand where you’re at risk based on your data classifications
  5. “Top 5 Vendors at Risk”: keep tabs on the risk level of your most important vendors.
  6. Top Vendors for Programmatic Risk Assessments via TrustNetwork: view a live trust portal for your vendors for detailed information on their security and privacy posture.

TC Vendors Dashboard

This dashboard is interactive, so click on the risk distribution to deep dive into specific vendors.

To view the list of vendors

  1. Go to LHS “Vendors” menu
  2. Click on “My Vendors.” A list of all the active as well as disabled vendors is displayed.
    The following screenshot shows the list of all your vendors.
    TC Vendors List

Adding Vendors

Your vendor list is populated automatically after you add all of your systems to your system’s register. Based on your different system classifications, TrustCloud defaults to the data classifications on your Vendors page.

A step-by-step guide to adding a vendor

  1. To add more vendors to your register, click on the “+ New Vendor” button on the top right-hand side of the page.
  2. Select a vendor from the “Frequently Added Vendors” list, or you can search for vendor name in the search bar.
  3. Click on the “+ Add” button in front of the vendor name.
    The following screenshot shows the list of vendors to add.
  4. Enter Vendor Name, Vendor Website, Data Classification, Group, Vendor Owner, Vendor Tier, Assessment Owner, and select whether the vendor is a subprocessor.
    The following screenshot shows the vendor details page for adding a new vendor.
    TC Vendor Details After Adding Vendor

My Vendors

The Vendors page in TrustCloud allows you to view your vendors using different filters, search options, and views. You are quickly able to identify who the vendor is, what group or department they belong to, what tier they are a part of, the most recent ones, the risk rating, the status of the most recent risk assessment, whether the vendor is active or disabled, as well as who the account owner is.

TC My Vendors List

Vendor Details

Clicking on a row in the vendor table showcases key details for each vendor. You will be able to view relevant metadata about the vendor, such as what recent assessments were performed, documents connected, and systems connected, as well as enter relevant vendor contact information.

TC Vendor Details Zendesk

Assessments

Regular Risk assessments should be performed on each vendor based on business criticality, vendor tier, compliance requirements, etc. To begin a new assessment, click on the ‘New Assessment’ button and enter the details of the vendor contact responsible for filling out the responses. Make sure you have completed all the steps in the ‘Getting Started’ section before conducting your first assessment.

TC Start New Assessment

What Does the Vendor Need to Fill Out?

Each vendor, based on how you have configured the vendor tier, receives an email containing a security questionnaire, a list of documents they need to provide (SOC 2 report, pen test report, etc.), as well as details on where to submit the responses. Once each vendor has completed and returned the forms, navigate back to the open assessment and upload these retuned forms so records can be maintained in one place. Contact us if you are interested in exploring ways to automate this via an API.

Completing an Assessment

Once you have received responses from a vendor, navigate to the open assessment under each vendor’s page and begin filling out the evaluation form. The following details will be captured during this process:

  1. Vendor Overview and contact information for the person assessing the vendors responses
  2. Business Information about the vendor, including name, HQ location, terms of service, etc.
  3. Risk Surface Details, including whether this vendor is processing PII or PHI, etc.
  4. Compliance reports and certifications the vendor may adhere to
  5. Documents and policies that the vendor provided
  6. A final summary and assessment where you will document the final risk rating as well as note any gaps or comments. This action will close the assessment and showcase the relevant risk rating on the dashboard and vendor details pages

TC New Risk Assessment

Edit Vendor

To edit vendor details,

  1. Click on the three-dot icon in the right corner.
  2. From the drop-down menu, click on “Edit Details.”

On this details page, you can add or edit:

  1. Vendor Name
  2. Vendor Tier
  3. A vendor’s website
  4. Group
  5. Data Classification
  6. Is a subprocessor
  7. A location
  8. Certifications
  9. A description of the purpose
  10. Link to the vendor’s terms of service
  11. Link to the vendor’s privacy policy
  12. Link to the vendor’s security page

Additionally, you can add tags to each vendor, add documents or links, and add vendor contact information.

The systems that the specific vendor is mapped to are listed under the ‘Systems’ section. If you believe something is missing, double-check that all of the relevant systems have been added.

Disabling Vendors

Disabling a vendor denotes that you don’t use this vendor anymore. A disabled vendor still exists in your archive and is not deleted permanently.

A step-by-step guide to disabling a vendor

  1. Click on the three-dot icon in the right corner.
  2. From the drop-down menu, click on the “Disable Vendor” button.
  3. Enter a reason for disabling the vendor and mark the checklist of compliance requirements for disabling a vendor.
  4. Click on the “Disable” button.
  5. The dialogue box opens; fill in the “Reason for disabling” and “I acknowledge that” fields.
  6. Click on the “Disable” button.
    The following screenshot shows the disabling vendor functionality.
    TC Disable Vendor 01 1
  7. To view disabled vendors,
    1. Select the filters on the main vendor page and check the ‘Disabled’ box.

Assessment Templates

TrustCloud supports the creation of programmatic vendor assessment templates that connect to your existing common control framework, making evaluation and submission easier. The option to bring your own questionnaire also exists, should you want to use your existing documentation.

From the left-hand side menu, go to “Vendors” and click on “Assessment Templates.”

The following screenshot shows the list of all assessment templates.

TC Assessment Templates 01 1

  1. Click on the “+ New Template” button. The following dialogue box is displayed:
    TC New Assessment Template Dialougue 1

Building a Programmatic Assessment Template in TrustCloud 

Add a new assessment template by clicking “+ New Template” in the top right corner. From here, you can follow the prompts to easily create questionnaires that map directly to the controls you want to test your vendor against. By mapping your assessment to your controls, you enable programmatic risk calculations, gap analysis, and auto-fill vendor responses.

Uploading Custom Assessment Templates

Upload your organization’s existing assessment templates or vendor questionnaires directly to the Assessment templates portal to streamline your vendor assessment process. 

  1. Enter “TemplateName”.
  2. Upload the template file.
  3. Click on “Add Template” button.

The following screenshot shows the “Upload Your Own Template” dialogue box.

TC Uploading New Assessment Template

Editing, Downloading or Deleting an Existing Template

You can edit, download, or delete an existing template by navigating to the three dots in the top right corner of an existing template. Please note that any changes made to a template will impact new assessments only.

Once your assessment template is uploaded, you can see it in the Assessment Templates module and link it to a vendor tier. 

Settings and Vendor Tiers

Evaluation tiers streamline your process by enabling workflow customization according to each vendor’s risk level. With tiers, you can define the business information required, the specific type of assessment to send, and the necessary data to collect. After establishing your vendor tiers in TrustCloud, the platform automates your workflow based on each vendor’s designated tier—ensuring a consistent, hassle-free assessment process every time. We recommend customizing your tiers before you send assessments. 

Creating a New Tier

  1. From the left-hand side menu, select “Settings”
  2. Click on the “+ New Tier” button in the top right and follow the prompts to create your evaluation tier. 
    1. Name your tier and click on “Create Tier”
    2. Set the parameters that define which vendors fall into this tier
      1. What is the impact if vendors in this tier fail?
      2. What is the maximum level of risk tolerance for vendors in this tier?
      3. How critical are vendors in this tier to business operations?
      4. What kind of data do vendors in this tier typically store and/or process?
      5. How frequently should vendors in this tier be assessed?
        TC Add New Tier 01 1
  3. Go to “Business Information” tab to determine what business information you would like to mark as required or optional.
    TC Add Tier Business Information 02 1
  4. Go to “Risk Surface” tab to set your risk surface like shown in following screenshot.
    TC New Tier Risk Surface 1
  5. Go to “Compliance” tab, to determine if you will require reports, if so select which you will require.
    TC Add Tier Compliance 1
  6. Go to “Documents” tab to identify which documents you will require.
    TC Add Tier Documents 1
  7. Go to “Security & Privacy” tab to select the additional questions you need vendors in this tier to answer.
    TC Add Tier Security And Privacy 1

Once you have customized and saved your Evaluation Tier, you can begin assigning tiers to your new and existing vendors. 

Editing or Deleting an Existing Tier

You can always edit tiers by selecting the pencil icon located on the right of each Assessment Tier module. You can delete tiers using the trash icon. If you delete or edit a tier, this will automatically be mapped to your associated vendors however changes to required docs will only impact new assessments. 

Video: Vendors

Join the conversation

ON THIS PAGE
SHARE THIS PAGE

SUBSCRIBE
FlightSchool
OR