One of the key issues in correctly assessing and managing vendor risk is the ability to analyze the potential risk exposure of the vendor and execute the risk evaluation process accordingly.
The process should include:
- Understanding the business process
- Mapping the data or processes potentially at risk
- Analyzing the business or operational impact of a vendor breach
- Aligning the audited controls and categories with that mapping
For example:
Vendor A is a small software development company that provides us services under two separate deals:
Deal 1:
Business owner: IT
The deal:
The vendor provides outsourced code development services and processes employee data in an AWS environment. A breach there could cause major business disruption, so beyond a traditional security audit the security evaluation should cover the following:
- Assessment: software provider – sensitive.
- IP exposure analysis: data encryption, employee privilege management, separation of environments, etc.
- Privacy-related exposures: private data handling, policies and procedures, privacy compliance opinion, etc.
- Cloud security measures required: cloud security posture management, relevant certifications, etc.
- Timing and severity: the vendor should be assessed annually, with findings thresholds that demand a high standard of security.
Deal 2:
Business owner: R&D
The deal:
On-site technical consulting on the architecture of the company's planned website renewal, where the vendor stores none of our data.
In this case the assessment scope can be minimal and include the following:
- Assessment: consulting.
- IP exposure analysis: NDA execution, email security.
- Timing and severity: the vendor might be assessed once, with findings thresholds that require only a low standard of security.
Orchestrating and automating the risk assessment requirements and analysis gives a better understanding of the real exposure, increases vendor engagement and commitment, dramatically reduces security handling costs, and improves the accuracy of the risk evaluation.
Maintain holistic internal risk management
To streamline security analysis and execute it at scale, the following process elements should be addressed, expressed in your own organizational terminology.
- Vendor/deal risk exposure mapping, as indicated by business owners:
  - Mapping of deal elements
  - Mapping of business impact
  - Mapping of potential assets exposed
- Security & privacy requirements:
  - Transformation of the initial vendor/deal mapping into an actionable assessment framework
  - Determination of benchmarks and standards
  - Determination of repetitiveness (how often the assessment is repeated)
  - Determination of a minimal risk threshold below which no assessment is executed
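As an added worked example (not Findings' own code or scoring logic, and not part of the original page), the following Python sketches the automated part of this process: a business owner's questionnaire answers for a deal are turned into an internal risk score; the score selects the assessment tier, frequency and findings threshold (or no assessment at all, below the minimal threshold); the mapping triggers the security and privacy categories to assess; and a finalized past assessment of the same vendor can be matched against a new request so it can be reused across deals. The weights, tiers, category names, and the sample deals (the two deals above plus a constructed third request from Marketing) are assumptions for illustration only.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Illustrative weights and thresholds (assumptions for this example; a real
# deployment tunes them to its own policy and terminology).
DATA_WEIGHTS = {"employee_pii": 3, "customer_pii": 4, "source_code": 3, "financial": 3}
IMPACT_WEIGHTS = {"low": 0, "medium": 2, "high": 4}
MIN_SCORE_FOR_ASSESSMENT = 1   # minimal risk threshold for assessment execution
TIER_RANK = {"minimal": 0, "standard": 1, "sensitive": 2}

@dataclass(frozen=True)
class Deal:
    """Business owner questionnaire answers for one vendor/deal (the exposure mapping)."""
    vendor: str
    business_owner: str
    service_type: str                          # e.g. "software_development", "consulting"
    business_impact: str                       # "low" | "medium" | "high"
    data_categories: frozenset = frozenset()   # our data the vendor processes
    stores_our_data: bool = False
    hosting: Optional[str] = None              # cloud provider hosting our data, if any
    receives_confidential_info: bool = False   # e.g. architecture shared under NDA

def risk_score(deal: Deal) -> int:
    """Internal risk score: business impact plus the assets and data exposed."""
    if deal.business_impact not in IMPACT_WEIGHTS:
        raise ValueError(f"unknown impact level: {deal.business_impact}")
    score = IMPACT_WEIGHTS[deal.business_impact]
    if deal.stores_our_data:
        score += 2 + sum(DATA_WEIGHTS.get(c, 2) for c in deal.data_categories)
    if deal.hosting:
        score += 1
    if deal.receives_confidential_info:
        score += 1
    return score

def triggered_categories(deal: Deal) -> List[str]:
    """Security and privacy categories the mapping pulls into the assessment."""
    cats: List[str] = []
    if deal.stores_our_data or deal.hosting:
        cats.append("security_audit")
    if deal.data_categories & {"employee_pii", "customer_pii"}:
        cats.append("privacy")          # data handling, policies, compliance opinion
    if deal.service_type == "software_development" or "source_code" in deal.data_categories:
        cats.append("ip_exposure")      # encryption, privileges, environment separation
    if deal.hosting:
        cats.append("cloud_security")   # CSPM, relevant certifications
    if deal.receives_confidential_info:
        cats += ["nda", "email_security"]
    return cats

def assessment_policy(score: int) -> Optional[Dict]:
    """Tier, repetitiveness and findings threshold for a score; None means no assessment."""
    if score < MIN_SCORE_FOR_ASSESSMENT:
        return None
    if score >= 8:
        return {"tier": "sensitive", "frequency": "annual", "max_open_high_findings": 0}
    if score >= 4:
        return {"tier": "standard", "frequency": "every_2_years", "max_open_high_findings": 1}
    return {"tier": "minimal", "frequency": "once", "max_open_high_findings": 3}

def classify(deal: Deal) -> Dict:
    """The automated step: questionnaire -> score -> policy -> categories to assess."""
    score = risk_score(deal)
    policy = assessment_policy(score)
    return {"vendor": deal.vendor, "business_owner": deal.business_owner, "score": score,
            "policy": policy, "categories": triggered_categories(deal) if policy else []}

def reusable_assessment(deal: Deal, finalized: List[Dict]) -> Optional[Dict]:
    """Return a finalized past assessment of the same vendor that already covers the
    new deal's categories at an equal or stricter tier, so the security team can reuse it."""
    policy = assessment_policy(risk_score(deal))
    if policy is None:
        return None
    needed = set(triggered_categories(deal))
    for past in finalized:
        if (past["vendor"] == deal.vendor and past["status"] == "finalized"
                and needed <= set(past["categories"])
                and TIER_RANK[past["tier"]] >= TIER_RANK[policy["tier"]]):
            return past
    return None

# Constructed sample input: the two deals above plus a third request from Marketing.
DEAL_1 = Deal("Vendor A", "IT", "software_development", "high",
              frozenset({"employee_pii"}), stores_our_data=True, hosting="aws")
DEAL_2 = Deal("Vendor A", "R&D", "consulting", "low", receives_confidential_info=True)
DEAL_3 = Deal("Vendor A", "Marketing", "software_development", "medium",
              frozenset({"employee_pii"}), stores_our_data=True, hosting="aws")

# Deal 1's assessment after the security team has closed it (constructed record).
FINALIZED_ASSESSMENTS = [{"vendor": "Vendor A", "status": "finalized", "tier": "sensitive",
                          "categories": triggered_categories(DEAL_1)}]
```

Running `classify` on the three deals gives Deal 1 a score of 10 (sensitive, annual, zero open high findings tolerated) with the audit, privacy, IP exposure and cloud categories; Deal 2 a score of 1 (minimal, assessed once) with only NDA and email security; and Deal 3 a score of 8 whose categories are fully covered by Deal 1's finalized assessment, so `reusable_assessment` returns that record instead of launching a new one.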
Findings internal risk module
Findings enables you to streamline all internal risk elements into one process and customize your own business logic, policy and terminology as part of it.
The main capabilities provided as part of your account:
1. Business owner page
A customizable wizard enabling the following branded capabilities:
- Publication of your policy to your business owners across the enterprise
- New/existing vendor requests
- A customizable vendor risk classification questionnaire
- Automated calculation of the vendor's internal risk score
- Automated triggering of the security categories and controls for the assessment
- Automatic queuing of the pending vendor for the security team

2. Vendor management
A comprehensive vendor management page for the security team, including:
- Opening and editing vendor details, sending assessments and defining vendor assessment policies
- Review and approval of business owner page results and the system's assessment recommendations
- Definition of a vendor's internal risk classification by a member of the security team
- Maintaining multiple business owner page results for a single vendor
- Launching assessments in alignment with the business owner page results
IMPORTANT: maintaining multiple risk profiles lets the enterprise assess and certify a vendor for multiple deals and reuse already finalized assessments to satisfy new business owner requests.

How to:
Option 1: Vendor management module: Vendor tab >> Manage vendors >> select vendor >> Edit
Option 2: directly from the notification received when a request is initiated from your business owner page
3. Notifications
Findings' notification engine notifies the business owner at each stage of the process that follows his or her request. As everywhere else in the system, the notifications are customizable to your needs.
The standard notifications the business owner receives (or is CC'd on) include:
- The assessment sent to the vendor
- Notification and escalations of delays
- Vendor assessment finalization
- Security review completion
How to:
The notification editor can be found at Profile >> Manage organization >> Notifications
Together, the Findings internal risk elements give you a streamlined process, better alignment with business risk, and better security efficiency and service level for your internal stakeholders.
Give it a try or book a free demo session with our experts.