Vendor Risk Flashcards
What are the 6 key capabilities for VRM?
Vendor Portfolio, Vendor Tiering, Assessment Management, Vendor Portal, Issues and Remediation, GRC Integration
What is the Vendor Portfolio
Database of vendors and vendor information, including contacts, business services and other related records.
What table contains the vendor info
The Company table (core_company), extended with vendor fields
What is Vendor Tiering
Vendor tiering is used in VRM to help organizations assess vendors effectively and at the right time.
What is vendor tiering score for
Allows organizations to better manage the vendor relationship
What is used to create a vendor tiering assessment
a Tiering questionnaire template
Who completes the vendor tiering assessment
Internal assessors
What is Assessment Management (high level - what does it allow orgs to do?)
Allows organizations to create assessment templates with varying content and recurrence intervals based on vendor tier.
What are the 2 types of questionnaires
Proprietary questionnaires created with the visual designer, or built-in shared assessments.
What is an example of a shared assessment (vs. a proprietary one)
Standardized Information Gathering (SIG) questionnaire
How are assessment responses scored
Automatically, using a hierarchical weighted scoring framework that can be tailored to customer requirements
What is the Vendor Portal
Centralized location for all vendor interaction and communication
What does the vendor portal provide
Visibility for vendor stakeholders into what needs to get done, by when, who is assigned, and the current status
What are Issues and Remediation used for in VRM
Issues can be created based on assessment responses; remediation plans are then designed and shared with vendors
How are VRM and GRC integrated
Control objectives are linked to questions in a questionnaire template; inadequate vendor responses can automatically mark the linked controls as non-compliant.
What is the benefit of the VRM to GRC integration
Top-down traceability from an authority document to a question in a questionnaire for a specific vendor. Non-compliant controls can automatically adjust the residual scores of risks associated with the vendor, which are then rolled up into other IT and operational risks.
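Added example, not part of the original flashcards and not ServiceNow's own code or API: a standalone JavaScript sketch of the two mechanisms the cards above describe, hierarchical weighted scoring of questionnaire responses (category weights rolled up over question weights) and marking the control objective linked to a question non-compliant when the answer is inadequate. The questionnaire structure, weights, answer scale, adequacy threshold and control IDs are constructed assumptions chosen for illustration.

```javascript
// Added illustration for these flashcards (not ServiceNow code): hierarchical weighted
// scoring of a vendor questionnaire, and marking the control objective linked to a
// question non-compliant when the vendor's answer is inadequate. Category weights,
// question weights, the answer scale, the adequacy threshold and the control IDs are
// all constructed assumptions.

// Constructed answer scale: each response maps to an adequacy value in 0..1.
const ANSWER_VALUE = { yes: 1, partial: 0.5, no: 0 };

// Constructed questionnaire template. Each category carries a weight in the roll-up;
// each question carries a weight within its category and is linked to one control
// objective (the VRM-to-GRC link).
const QUESTIONNAIRE = {
  categories: [
    { id: "access", weight: 60, questions: [
      { id: "Q1", weight: 3, control: "AC-2", text: "Is MFA enforced for administrative access?" },
      { id: "Q2", weight: 1, control: "AC-6", text: "Are access rights reviewed at least quarterly?" },
    ] },
    { id: "data", weight: 40, questions: [
      { id: "Q3", weight: 2, control: "SC-28", text: "Is customer data encrypted at rest?" },
      { id: "Q4", weight: 2, control: "SC-8",  text: "Is TLS 1.2 or later enforced in transit?" },
    ] },
  ],
};

// Adequacy value of one answer; an unanswered question counts as "no".
function answerValue(answers, questionId) {
  const value = ANSWER_VALUE[answers[questionId]];
  return value === undefined ? 0 : value;
}

// Weighted mean adequacy of the questions in one category, in 0..1.
function scoreCategory(category, answers) {
  let weighted = 0, total = 0;
  for (const q of category.questions) {
    weighted += q.weight * answerValue(answers, q.id);
    total += q.weight;
  }
  return total === 0 ? 0 : weighted / total;
}

// Hierarchical roll-up: category scores are weighted into one 0..100 score, returned
// with the per-category scores an analyst would review when generating findings.
function scoreQuestionnaire(questionnaire, answers) {
  let weighted = 0, total = 0;
  const categories = {};
  for (const c of questionnaire.categories) {
    const s = scoreCategory(c, answers);
    categories[c.id] = Math.round(s * 100);
    weighted += c.weight * s;
    total += c.weight;
  }
  return { score: total === 0 ? 0 : Math.round((weighted * 100) / total), categories };
}

// Constructed threshold: anything short of a full "yes" is an inadequate response.
const ADEQUATE_THRESHOLD = 1;

// Status of every control objective linked from the questionnaire, for this vendor.
// A control linked from several questions is non-compliant if any of them is inadequate.
function controlStatuses(questionnaire, answers) {
  const statuses = {};
  for (const c of questionnaire.categories) {
    for (const q of c.questions) {
      const adequate = answerValue(answers, q.id) >= ADEQUATE_THRESHOLD;
      if (!adequate) statuses[q.control] = "non_compliant";
      else if (!(q.control in statuses)) statuses[q.control] = "compliant";
    }
  }
  return statuses;
}

// Controls that would be marked non-compliant: the inputs to a residual-risk recalculation.
function nonCompliantControls(questionnaire, answers) {
  const statuses = controlStatuses(questionnaire, answers);
  return Object.keys(statuses).filter((id) => statuses[id] === "non_compliant").sort();
}

// Constructed vendor responses for a demo run.
const SAMPLE_ANSWERS = { Q1: "yes", Q2: "partial", Q3: "no", Q4: "yes" };

console.log(JSON.stringify(scoreQuestionnaire(QUESTIONNAIRE, SAMPLE_ANSWERS)));
console.log("non-compliant controls:", nonCompliantControls(QUESTIONNAIRE, SAMPLE_ANSWERS).join(", "));
```

With the sample answers the access category scores 88, the data category 50, and the roll-up 73; AC-6 and SC-28 are flagged non-compliant because their questions were answered "partial" and "no". Unanswered questions deliberately score as "no" so that a vendor cannot raise its score by leaving questions blank.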
VRM Benefits (5)
1) Gain efficiencies through automation of routine processes and risk scoring; 2) reduce risk exposure with an integrated view of risk, reporting and vendor tiering; 3) respond to high-risk vendors with a consistent assessment and remediation process; 4) increase communication and collaboration (portal); 5) leverage a unified platform for a more comprehensive definition of, and proactive approach to, managing risk, compliance and security
Explain cyclical vendor assessment process
1) A request comes to the risk management team. 2) An initial tiering process is performed to determine the inherent risk of the third party. 3) An assessment matching the tier is chosen and sent to the vendor. 4) When responses are received, the risk analyst generates findings and reviews them with SMEs to decide on actions. 5) Issues are shared with the vendor. 6) Based on the findings and the status of the issues, the residual risk of the third party is determined and reported. 7) The third party is monitored, and events such as incidents or negative reputation reports are triaged.
The assessment process repeats periodically until the company no longer does business with the vendor/third party.
What determines frequency or period between assessments in the cyclical vendor assessment process
policy or regulatory requirements
What are the 6 steps in the VRM process
Tier, Assess, Generate Findings, Remediate issues, Report risks, monitor
What are the components of the Tier step of the VRM process
Internal tiering assessment, SecurityScorecard integration
What are the components of the Assess step of the VRM process
Assessments, SecurityScorecard integration
What are the components of the Generate Findings step of the VRM process
Vendor Portal
What are the components of the Remediate Issues step of the VRM process
Issue Management, Remediation workflow
What are the components of the Report Risks step of the VRM process
GRC integration
What are the components of the Monitor step of the VRM process
Security score submission, tier-based submission, repeating assessments
What are the states for the Vendor Tiering lifecycle
Draft, Awaiting Response, Tiering Assignment, Closed
How is Vendor Tiering used
To classify vendors into categories of potential risk, determined at the time of onboarding
Vendor tiering - internal or external survey?
internal
What are the vendor tiers
none, minor, low, moderate, high, critical
What are the states for the Vendor Risk Assessment lifecycle
Draft, Submitted to Vendor, Responses Received, Generating Observations, Finalizing with Vendor, Closed
What are the 2 components combined to make a Vendor Risk assessment
Assessment Template and a vendor
What are the 2 components combined to make an Assessment Template
Questionnaire Template and a Document Request Template
What is contained in the vendor portal
assessments, contacts, deadlines, issues and remediation
What happens in Assessment Management via the portal ?
this is on test per Rick’s notes
Respond to questionnaires and document requests submitted as assessments. SIG is supported. Questions are parsed and managed individually, with the status of each question tracked to completion
What happens with Issues and Tasks via the portal
Create and delegate vendor issues and tasks, provide vendor with access to update and respond, assign tasks to team members to support resolution
What happens with Vendor contact management in the portal?
Distribute vendor contact management to drive closure of issues and assessments: delegate contact management to the primary vendor contact, who assigns responses and tasks to vendor team members
What are some criteria/methods for determining if an assessment is to be created
tier based, score based, default vendor tiering scale, default risk rating scale
What table are vendor contacts stored in and from where is it extended
vm_vdr_contact extended from sys_user
What table are vendor risk issues stored in and from where is it extended
sn_vdr_risk_asmt_issue extended from sn_grc_issue
What is the plugin ID of the Vendor Risk application
com.sn_vdr_risk_asmt
What are the internal roles
Vendor Risk Manager (sn_vdr_risk_asmt.vendor_risk_manager), Vendor Risk Assessor (sn_vdr_risk_asmt.vendor_assessor), Vendor Risk Reviewer (sn_vdr_risk_asmt.vendor_assessment_reviewer)
What is the Vendor Risk Manager role for
Manage vendors, contacts, assessment templates, questionnaire templates, doc request templates and scheduled assessments.
What roles does the Vendor Risk Manager role contain
Vendor Risk Assessor and Vendor Risk Reviewer