fbpx

How to align the vendors objective and internal risk profile

One of the key issues in correctly assessing and managing vendor risk is the ability to analyze the potential risk exposure of the vendor and execute the risk evaluation process accordingly.

The process should include:

    • Understanding the business process
    • Mapping potential data or processes at risk 
    • Analyzing business or operational impact upon vendor breach
    • Aligning audited controls and categories

For example:
Vendor A is a small software development company, providing us services in 2 separate deals:

Deal 1:

Business owner: IT

The deal:

The vendor is providing outsourced code development services and processes employee data in an AWS environment in which  a breach might cause major business disruptions and should be addressed in terms of security evaluation with the following, beyond traditional security audit:

    • Assessment: Software provider – sensitive.
    • IP exposure analysis: data encryption, employee privileges management,  separation of environments, etc.
    • Privacy related exposures: Private data handling, policies, and procedures, privacy compliance opinion, etc.
    • Cloud security measures required: cloud security posture management, relevant certificates, etc.
    • Timing and severity: the vendor might be assessed annually with a set of findings thresholds that will require high standards of security.

Deal 2: 

Business owner: R&D

The deal:

Technical on site consulting regarding architecture of a planned website renewal of the company, Where no data is being stored by the vendor.

In this case, the assessment term might be minimal and include the following:

    • Assessment: consulting
    • IP exposure analysis: NDA execution, email security.
    • Timing and severity: the vendor might be assessed once and with a set of findings thresholds that will require low standards of security.

Being able to orchestrate and automate the risk assessment requirements and analysis will enable a better understanding of the real exposure, an increase in vendor engagement and commitment and a dramatic reduction of security handling costs and risk evaluation accuracy.

 

Maintain holistic internal risk management

In order to streamline the ability to perform better security analysis and execute at scale, the following process elements should be addressed with your own organizational terminology.

    1. Vendor/Deal risk exposure mapping as indicated by business owners:
      • Mapping of deal elements
      • Mapping of business impact
      • Mapping of potential assets exposed
    2. Security & privacy requirements:

      • Transformation of the initial vendor/deal mapping into an actionable assessment framework.
      • Determination of benchmark and standards.
      • Determination of repetitiveness.
      • Determination of a minimal risk threshold for assessment execution.

 

Findings internal risk module

Findings enables you to streamline all internal risk elements into one process and customize your own business logic, policy and terminology as part of it.

The main capabilities provided as part of your account:

1. Business owner page

A customizable wizard enabling the following branded capabilities:

    • Publication of your policy to your business owners across the enterprise
    • New/existing Vendor requests
    • A customizable vendor risk classification questionnaire 
    • An automated calculation of vendor internal risk score
    • Automated triggering of security categories and controls for the assessment
    • An automated pending vendor for security team

2. Vendor management

A comprehensive vendor management page for the security team, including:

    • The ability to open, edit vendor details, send assessments and define vendor assessment policies
    • Review and approval of business owner page results and the system assessment recommendations
    • Self definition of vendor internal risk classification by a member of the security team
    • Maintaining multiple business owner security page results for a single vendor
    • Launching assessments in alignment with the business owner page results

IMPORTANT: The ability to maintain said multiple risk profiles allows the enterprise to assess and certify the vendor for multiple deals and reuse already finalized past assessments to match with new business owner requests.

How to:

Option 1: Your vendor management module :  Vendor tab >> manage vendors >> select vendor >> Edit

Option 2: directly from the notification received from you BO page initiation

3. Notifications

Findings’ powerful notification engine enables the business owner to be notified on the various stages and processes following his/her request. The notifications, as always, are self customizable to your needs.

The standard notifications that the business owner will receive (is CCed to)  include:

    • The assessment sent to the vendor
    • Notification and escalations of delays
    • Vendor assessment finalization 
    • Security review completion

How to:

The notification editor can be found at Profile >> Manage organization >> Notifications

The combination of all  Findings internal risk elements will provide you with a streamlined process, better business risk alignment, better security efficiency and service level to your internal stakeholders.

Give it a try or book a free demo session with our experts.

Supply Chain Risk Monitoring as a Service
Join us today
Supply Chain Risk Monitoring as a Service
Join us today
Waitlist signup

Welcome to Findings

Let's go over some details to setup your tailor-made account


Please fill your details below and click "Next" to create your account:

Payment

Feature
Startup
Business
Enterprise
Price
$10 / Month
$10 / Month
$25 / Month
VDPaaS
Alerts
Assessments
Integrated Apps
API
Join today and scan ALL YOUR VENDORS for FREE*
* FREE VENDOR SCAN for all of your vendors during your first month.
Feature
Startup
Business
Enterprise
Price
$25 / Month
$200 / Month*
Contact Us
Free vendors scan for 1 month
Findings search engine
Rapid security and compliance profile
Profile/showcase engagements per year
5
40
Unlimited
Multi/unlimited showcase use cases
Showcase compliance badge for your website
Best practice self-assessment
1 Findings or 1 BYOC
Assessment response automation
Personalizable, branded security & compliance showcase page
File/evidence repository
OKTA
DKIM
Out-of-the-box TPRM
20 vendors +
20 rating scans
50 vendors +
50 rating scans
Support
Email
Priority via Phone / Email
Internal Workflows (SO/BO)
Onboarding and customization account setup
*Price for every 40 engagements
Automate assessment response and showcase your cybersecurity posture
Supply Chain Risk Monitoring as a Service
Join us today
.
.
.
.

Thank you for signing up!

Supply Chain Risk Monitoring as a Service
Join us today
.
.
.
.

Thank you for signing up!