Vendors

What is it?

Vendors are various companies from whom you have purchased software or services that you use to run your business.

For example, Microsoft, Salesforce, and Okta are vendors. One Vendor can provide you with many Systems (link to Systems page). For example, Microsoft is a vendor, and it provides you with many systems like Azure AD, Confluence, Office 365, etc.

Your Vendors page helps you conduct vendor risk assessments, manage your existing vendor relationships, and consolidate any potential documents that you were keeping elsewhere.

Third Party Risk Management (TPRA) or Vendor Risk Assessments

Note: This is currently available as an open beta. Contact us to get started.

Third-party risk assessments (TPRA) provide insights into the potential risks posed by your vendors. Comprehensive evaluations shed light on how your vendors handle your data and the associated threats. Undertaking these assessments is not only mandated by numerous standards but is also crucial in minimizing business disruptions by proactively addressing third-party risks.
In general, Third party assessments can be broken down into 4 steps: 

Adding Vendors

Your vendor list is populated automatically after you add all of your systems to your System’s Register. Based on your different system classifications, TrustCloud defaults to the data classifications on your Vendors page.

A step-by-step guide to adding a vendor

• To add more vendors to your register, simply click on the “+Add New Vendor” button.
• Add Vendor Name, Website, Owner, Data Classification, and Group.
• Select whether the vendor is a subprocessor.

My Vendors

The Vendors page in TrustCloud allows you to view your Vendors using different filters, search options, and views. You are quickly able to identify who the vendor is, what group/department they belong to, what tier they are a part off, the most recent. risk rating, the status of the most recent risk assessment, whether the vendor is active or disabled, as well as who the account owner is. 

Vendor Details

Clicking on a row in the vendor table showcases key details for each vendor. You will be able to view relevant metadata about the vendor, what recent assessments were performed, documents connected, systems connected, as well as enter relevant vendor contact information.

Assessments

Regular Risk assessments should be performed on each vendor based on business criticality, the vendor tier, compliance requirements etc. To begin a new assessment, click on the ‘New Assessment’ button and enter the details of the vendor contact responsible for filling our the responses. Make sure you have completed all the steps in the ‘Getting Started’ section before conducting your first assessment.

What Does the Vendor Need to Fill Out

Each vendor, based on how you have configured the vendor tier, receives an email containing a security questionnaire, a list of documents they need to provide (SOC 2 report, pen test report etc.), as well as details on where to submit the responses. Once each vendor has completed and returned the forms, navigate back to the open assessment and upload these retuned forms so records can be maintained in once place. Contact us if you are interested in exploring ways to automate this via an API.

Completing an Assessment

Once you have received responses back from a vendor, navigate to the open assessment under each vendor’s page and begin filling out the evaluation form. The following details will be captured during this process:

1. Vendor Overview and the contact information for the person assessing the vendors responses
2. Business Information about the vendor including name, HQ location, terms of service etc.
3. Risk Surface Details including whether this vendor is process PII or PHI etc.
4. Compliance reports and certifications the vendor may adhere to
5. Documents and policies that the vendor provided
6. A final summary and assessment where you will document what the final risk rating as well as note any gaps or comments. This action will close the assessment and showcase the relevant risk rating on the dashboard and vendor details pages

Edit Vendor

To edit vendor details,

1. Click on the three-dot icon in the right corner.
2. From the drop-down menu, click on “Edit Details”.

On this details page, you can add or edit:

1. A vendor’s website
2. A location
3. A description of the purpose
4. Link to the vendor’s terms of service
5. Link to the vendor’s privacy policy
6. Link to the vendor’s security page
7. Change the data classification.
8. Change the group/department.

Additionally, you can add tags to each vendor, add documents or links, and add vendor contact information.

The systems that the specific vendor is mapped to are listed under the ‘Systems’ section. If you believe something is missing, double-check that all of the relevant systems have been added.

Disabling Vendors

Disabling a vendor denotes that you don’t use this vendor anymore. A disabled vendor still exists in your archive and is not deleted permanently.

A step-by-step guide to disabling a vendor

1. Click on the three-dot icon in the right corner.
2. From the drop-down menu, click on the “Disable Vendor” button.
3. Enter a reason for disabling the vendor and mark the checklist of compliance requirements for disabling a vendor.
4. Click on the “Disable” button.
5. To view disabled vendors
   1. Select the filters on the main vendor page and check the ‘Disabled’ box.

Assessment Templates

TrustCloud supports the creation of programmatic vendor assessment templates that connect to your existing common control framework making evaluation and submission easier. The option to bring your own questionnaire also exists should you want to use your existing documentation.

Building a Programmatic Assessment Template in TrustCloud 

Add a new assessment template by click “+ New Template” in the top right corner. From here, you can follow the prompts to easily create questionnaires that map directly to the controls you want to test your vendor against. By mapping your assessment to your controls you enable programmatic risk calculations, gap analysis, and auto-fill vendor responses. 

Uploading a Custom Assessment Templates

Upload your organizations existing assessment templates/vendor questionnaires directly to the Assessment templates portal to streamline your vendor assessment process. 

Editing, Downloading or Deleting an Existing Template

You can edit, download, or delete an existing template by navigating to the three dots in the top right corner of an existing template. Please note that any changes made to a template will impact new assessments only.

Once your assessment template is uploaded, you can see it in the Assessment Templates module and link it to a vendor tier. 

Settings and Vendor Tiers

Evaluation tiers streamline your process by enabling workflow customization according to each vendor’s risk level. With tiers, you can define the business information required, the specific type of assessment to send, and the necessary data to collect. After establishing your vendor tiers in TrustCloud, the platform automates your workflow based on each vendor’s designated tier—ensuring a consistent, hassle-free assessment process every time. We recommend customizing your tiers before you send assessments. 

Creating a New Tier

Click on the ‘Add Tier’ button in the top right and follow the prompts to create your evaluation tier. 

1. Name your tie
2. Set the parameters that define which vendors fall into this tier
   • Failure impact
   • Level of risk tolerance
   • Criticality
   • Data classification
   • Evaluation frequency
3. Determine what business information you would like to mark as required or optional
4. Set your risk surface
5. Determine if you will require reports, if so select which you will require
6. Identify which documents you will require
7. Select the associated questionnaire(s) for this tier

Once you have customized and saved your Evaluation Tier, you can begin assigning tiers to your new and existing vendors. 

Editing or Deleting an Existing Tier

You can always edit tiers by selecting the “pencil” icon located on the righ of each Assessment Tier module. You can delete tiers using the trash icon. If you delete or edit a tier, this will automatically be mapped to your associated vendors however changes to required docs will only impact new assessments.