Vendor Risk

Question 1

What are the 6 key capabilities for VRM?

Answer 1

Vendor Portfolio, Vendor Tiering, Assessment Mgt, Vendor Portal, Issues and Remediation, GRC Integration

Question 2

What is the Vendor Portfolio

Answer 2

Database of vendors and vendor info including contacts, biz svc and other.

Question 3

What table contains the vendor info

Answer 3

Company (core_company) (extended)

Question 4

What is Vendor Tiering

Answer 4

Vendor tiering is used in VRM to help orgs effectively assess vendors at right time .

Question 5

What is vendor tiering score for

Answer 5

Allows orgs to better manage the vendor relationship

Question 6

What is used to create a vendor tiering assessment

Answer 6

a Tiering questionnaire template

Question 7

Who completes the vendor tiering assessment

Answer 7

Internal assessors

Question 8

What is Assessment Management (high level - what does it allow orgs to do?)

Answer 8

Allows orgs to create templates for assessments with varying content and recurrence intervals based on vendor tier.

Question 9

What are the 2 types of questionnaires

Answer 9

Proprietary ones created using the visual designer or Built in shared assessments.

Question 10

What is an example of a shared assessment (vs. a proprietary one)

Answer 10

Standardized Information Gathering questionnaire

Question 11

How are assessment responses scored

Answer 11

Automatically using a robust hierarchical weighted scoring framework that can be tailored to meet customer requirements

Question 12

What is the Vendor Portal

Answer 12

Centralized location for all vendor interaction and communication

Question 13

What does the vendor portal provide

Answer 13

Visibility into what needs to get done by when, who is assigned, and status for vendor stakeholders

Question 14

What are Issues and Remediation used for in VRM

Answer 14

Issues can be created based on assessment responses and design remediation plans and share them with vendors

Question 15

How are VRM and GRC integrated

Answer 15

Link control objectives with questions in a questionnaire template, inadequate vendor responses can automatically mark controls as non-compliant.

Question 16

What is the benefit of the VRM to GRC integration

Answer 16

Top down traceability from an authority doc to the question in a questionnaire for a specific vendor. Non compliant controls can automatically adjust residual scores of risks associated with the vendor, which are then rolled up into other IT and operational risks.

Question 17

VRM Benefits (5)

Answer 17

1) Gain efficiencies through automation of routine processes and risk scoring, 2) Reduce risk exposure with integrated view of risk, reporting and vendor tiering, 3) respond to high risk vendors with consistent assessment and remediation process 4) increase communication and collaboration (portal) 5) Leverage a unified platform to provide more comprehensive definition and proactive approach to managing risk, compliance and security

Question 18

Explain cyclical vendor assessment process

Answer 18

1) Request comes to risk mgt team. 2) initial tiering process is performed to determine inherent risk of 3rd party 3) Assessment chosen to match the tier and sent to vendor 4) When responses received, risk analyst generates findings and reviews with SMEs for actions 5) Issues are shared with vendor 6) Based on findings and status of issues, residual risk of 3rd party is determined and reported out 7) 3rd party is monitored and events such as incidents or negative reputation reports are triaged.
Assessment process repeats periodically until company no longer does business with the vendor/3rd party

Question 19

What determines frequency or period between assessments in the cyclical vendor assessment process

Answer 19

policy or regulatory requirements

Question 20

What are the 6 steps in the VRM process

Answer 20

Tier, Assess, Generate Findings, Remediate issues, Report risks, monitor

Question 21

What are the. components of the Tier step of the VRM process

Answer 21

Internal tiering assessment, Security scorecard integration

Question 22

What are the components of the Assess step of the VRM process

Answer 22

Assessments, security scorecard integration

Question 23

What are the components of the Generate Findings step of the VRM process

Answer 23

Vendor Portal

Question 24

What are the components of the Remediate Issues step of the VRM process

Answer 24

Issue Management, Remediation workflow

Question 25

What are the components of the Report Risks step of the VRM process

Answer 25

GRC integration

Question 26

What are the components of the Monitor step of the VRM process

Answer 26

Security score submission, Tier based submission, repeating assessments

Question 27

What are the states for the Vendor Tiering lifecycle

Answer 27

Draft, Awaiting Response, Tiering Assignment, Closed

Question 28

How is Vendor Tiering used

Answer 28

To classify vendors into categories of potential risk, determined at the time of onboarding

Question 29

Vendor tiering - internal or external survey?

Answer 29

internal

Question 30

What are the vendor tiers

Answer 30

none, minor, low, moderate, high, critical

Question 31

What are the states for the Vendor Risk Assessment lifecycle

Answer 31

Draft, submitted to vendor, responses received, generating observations, finalizing with vendor, closed

Question 32

What are the 2 components combined to make a Vendor Risk assessment

Answer 32

Assessment Template and a vendor

Question 33

What are the 2 components combined to make an Assessment Template

Answer 33

Questionnaire Template and a Document Request Template

Question 34

What is contained in the vendor portal

Answer 34

assessments, contacts, deadlines, issues and remediation

Question 35

What happens in Assessment Management via the portal ?

this is on test per Rick’s notes

Answer 35

Respond to Questionnaires and Doc requests submitted as assessments. SIG is supported. Questions are parsed and managed individually with status for each question tracked to completion

Question 36

What happens with Issues and Tasks via the portal

Answer 36

Create and delegate vendor issues and tasks, provide vendor with access to update and respond, assign tasks to team members to support resolution

Question 37

What happens with Vendor contact management in the portal?

Answer 37

Distribute vendor contact management to drive issues and assessments closure. Delegate contact management to primary vendor contact, assign responses and tasks to vendor team members

Question 38

What are some criteria/methods for determining if an assessment is to be created

Answer 38

tier based, score based, default vendor tiering scale, default risk rating scale

Question 39

What table are vendor contacts stored in and from where is it extended

Answer 39

vm_vdr_contact extended from sys_user

Question 40

What table are vendor risk issues stored in and from where is it extended

Answer 40

sn_vdr_risk_asmt_issue extended from sn_grc_issue

Question 41

What is the name of the Vendor risk module

Answer 41

com.sn_vdr_risk_asmt

Question 42

What are the internal roles

Answer 42

Vendor Risk Manager (sn_vdr_risk_asmt.vendor_risk_manager), Vendor Risk Assessor (sn_vdr_risk_asmt.vendor_assessor), Vendor Risk Reviewer (sn_vdr_risk_asmt.vendor_assessment_reviewer)

Question 43

What is the Vendor Risk Manager role for

Answer 43

Manage vendors, contacts, assessment templates, questionnaire templates, doc request templates and scheduled assessments.

Question 44

What roles does the Vendor Risk Manager contains

Answer 44

Vendor Risk Assessor and Vendor Risk Reviewer

Question 45

What is the Vendor Risk Assessor role for

Answer 45

Manage Vendors, contacts, assessments and issues.

Question 46

What roles does the Vendor Risk Assessor contain

Answer 46

Vendor Risk Reviewer

Question 47

What is the Vendor Risk Reviewer for

Answer 47

Reviews and edits vendor assessments.

Question 48

What are the external roles installed with VRM

Answer 48

Vendor contact (vendor_contact)

Question 49

What is the Vendor Contact role for

Answer 49

Answers questionnaires, may own remediation tasks. Primary contacts are responsible for assessments and can manage other contacts,

Question 50

T or F Vendor contacts are in sys_user

Answer 50

True

Question 51

What role do vendor contacts automatically have

Answer 51

snc_external

Question 52

Who gets snc_internal

Answer 52

All existing users when GRC:VRM is installed

Question 53

What are 5 config steps for VRM

Answer 53

Populate vendors, clean data, populate contacts, assign primary contacts, tier vendors

Question 54

How can you clean the vendor data

Answer 54

Field normalization rules, data import/transform, fix scripts.

Question 55

How do you use field normalization in cleanup

Answer 55

Activate the separate plugin

Question 56

What are the 3 tier rating values on vendor record

Answer 56

Risk rating, Rank Tier, Vendor Tier

Question 57

???Which rating tier values are set manually by customer

Answer 57

Risk Rating, Rank tier and OPTIONALLY Vendor Tier - see Impl Class p49

Question 58

With the VRM to GRC integration, what are the Related lists added to the Company/Vendor table

Answer 58

Entity Types, Risks, Controls

Question 59

What is table name for the tiering assessment

Answer 59

sn_vdr_risk_asmt_vdr_tiering_assessment

Question 60

What is table name for the tiering questionnaire template

Answer 60

asmt_metric_type

Question 61

Where are Questionnaire and Doc Requests templates stored

Answer 61

Assessment Metric Type table - asmt_metric_type

Question 62

Where are assessment categories stored

Answer 62

Assessment Metric Category table - asmt_metric_category

Question 63

Where are the questions stored

Answer 63

Assessment Metric table - asmt_metric

Question 64

If a question in an assessment has choices/answers, where are those stored

Answer 64

Assessment Metric Definitions table - amst_metric_definition

Question 65

What is the internal term for a question on a questionnaire?

Answer 65

Assessment metric

Question 66

How can you connect parts of the assessment to GRC?

Answer 66

Assessment metrics/questions (within categories that fall under questionnaires or metric types) can be related to policy statements prior to conducting an assessment

Question 67

T or F - Document Requests have a risk score

Answer 67

F - they have a risk rating (H, Medium, L)

Question 68

What determines document requests risk rating

Answer 68

Answer to first question (do you have document…)

Question 69

What are the SIG levels

Answer 69

Lite (non-crit), Core (Biz Crit), Full (situation specific additions to core or lite), Master (repository of completed Sig ?s and correct answers)

Question 70

What is module name for Sig Questionnaire integration

Answer 70

com.sn_sig_asmt

Question 71

What are 3 ways vendor risk assessments are created

Answer 71

manual, vendor tiering (auto) and vendor security scoring (auto)

Question 72

Where are repeating assessments stored

Answer 72

Repeating assessment table - sn_vdr_risk_asmt_repeating_assessment

Question 73

What determines Risk rating on Vendor Risk Assessment

Answer 73

Rollup from individual questionnaires and doc requests

Question 74

?? How is Assessment rating calculated ??

Answer 74

Not stored in database. getBusinessServiceCriticality will find most crit biz svc and use the weight from that rating scale record. ?? I don’t get this.

Question 75

What happens during the Generating Observations state of the Vendor Risk Assessment lifecycle

Answer 75

An assessor generates observations which may create issues.

Question 76

What table store vendor risk assessments, extended from..

Answer 76

Vendor Risk Assessment - sn_vdr_risk_asmt_assessment, extended from planned_task

Question 77

What can cause issues to be auto-generated

Answer 77

Issue Generation rules - based on incorrect responses for selected questions

Question 78

What are states of the Vendor Risk Issue lifecycle

Answer 78

New, Analyze, Submitted to Vendor, Finalize with Vendor, Review, Closed

Question 79

What table stores vendor risk issues, extended from

Answer 79

Vendor Risk Issue - sn_vdr_risk_asmt_issue - extended from sn_grc_issue (extended from planned_task?)

Question 80

What are steps for a vendor risk issue remediation

Answer 80

Create task, accept issue, request addnl info, vendor to remediate

Question 81

What can be used to track the steps to address issues?

Answer 81

tasks

Question 82

Who can be assigned tasks created from issues

Answer 82

internal or external individuals

Question 83

Where are tasks created from vendor risk issues stored

Answer 83

Vendor Risk Task - sn_vdr_risk_asmt_task

Question 84

What can a vendor risk issue be related to

Answer 84

Vendor, Vendor Risk Asmt, Question in a questionnaire in a Vendor Risk Asmt

Question 85

Integration touchpoint with GRC P&C

Answer 85

Vendor Risk Issue table will have a policy exception related list

Question 86

What is the vendor risk task lifecycle

Answer 86

New, Submitted to Vendor, Work in Progress, Review, Closed

Question 87

** How can someone that is a Vendor Assessment Reviewer create a task? They cannot see the Filter Nav option to Create Task because they do not have Vendor Assessor role.

Answer 87

Go to a Vendor Risk Issue and go the related list of tasks.

Question 88

What table triggers events

Answer 88

Vendor Risk assessment - sn_vdr_risk_asmt_assessment

Question 89

**Vendor Risk assessment notifications are made up of…

Answer 89

Events, Notifications and Run Script workflow activities

Question 90

Where do you change the company name for the vendor portal

Answer 90

System property sn_vdr_risk_asmt.company.name

Question 91

Once an assessment or doc request is assigned to vendor, primary contact can …

Answer 91

Invite others to collaborate or assign to another contact

Question 92

**T or F - Primary contact can assign SECTIONS in the questionnaire or doc request to individuals

Answer 92

F - the whole thing can be assigned over, but not sections

Question 93

T or F - A questionnaire can only be completed by the assignee

Answer 93

True. Others can only read it

Question 94

VRM integrates with what in GRC

Answer 94

P&C, Risk

Question 95

GRC to VRM integration - Control is marked non-compliant or compliant, what happens in risk?

Answer 95

Calculated risk score of risks for the vendor is adjusted

Question 96

** response to question (tied to a control obj) results in control status going from compliant to non-compliant or vice versa.

Answer 96

Per Rick’s note - the answer is yes.

Question 97

What are steps to integrate GRC and VRM

Answer 97

Relate a question/assessment metric (in a questionnaire template) to a Control objective. Or do the reverse and add question/am to control objectives via a related list. In both cases, the Control related to the Control objective will be updated based on the answer to the question

Question 98

Integrate GRC and VRM what related list do we see in Control Objective

Answer 98

Assessment Metric/Questions - used to link answer to the question to a particular control

Question 99

***??? Integrate GRC and VRm, new related list Assessment Metrics, what is the qualification

Answer 99

Eval method in Vendor risk Assessment

Question 100

**??Integrate GRC and VRM - what related list do we see on the Vendor Risk assessment

Answer 100

Controls for that vendor

Question 101

**GRC to VRM Integration - Control Status will get updated based on Vendor Risk Assessment - when? what state?

Answer 101

Vendor Risk Assessment is in Finalizing with Vendor or Closed

Question 102

What changed with the vendor portal URL in v 12.

Answer 102

Starting with version 12.0.4, the legacy version of the Assessment Vendor Portal, launched using [your instance URL]/vdp, is no longer deployed, enhanced, or supported. The new version, launched using [your instance URL]/svdp, operates the same

Question 103

What are some recent assessment engine enhancements

Answer 103

Multi-selection and choice can use normalization scoring, Info fields can have images, video, links, etc., Questions can be dependent outside their category, min max for assessment score

Question 104

What are 2 external integrations to VRM

Answer 104

bitsight and security scorecard

Question 105

What fields are mandatory on Vendor Contact

Answer 105

First, Last, Email, Vendor

Question 106

What are values of Risk Rating and Vendor Tier

Answer 106

1 -Very High, 2-HIgh, 3 - MOderate, 4-Low, 5-Very Low

Question 107

What makes a VR Issue show up in portal

Answer 107

Visible in Portal, State Submitted to Vendor or >?

Question 108

What fields required on a VR Issue

Answer 108

Just Name until you submit it to the vendor, then Vendor

Question 109

What roles required to see vendor portal

Answer 109

snc_external and vendor_contact

Question 110

What does SIG stand for

Answer 110

Stadardized Information Gathering

Question 111

What are some things you can do in the designer

Answer 111

Preview, copy, Add Categories, Add questions, create new questions, specify a correct answer, dependencies between questions