Vendor Risk Flashcards
What are the 6 key capabilities for VRM?
Vendor Portfolio, Vendor Tiering, Assessment Mgt, Vendor Portal, Issues and Remediation, GRC Integration
What is the Vendor Portfolio
Database of vendors and vendor info including contacts, business services and other attributes.
What table contains the vendor info
Company (core_company) (extended)
What is Vendor Tiering
Vendor tiering is used in VRM to help orgs assess vendors effectively and at the right time.
What is vendor tiering score for
Allows orgs to better manage the vendor relationship
What is used to create a vendor tiering assessment
a Tiering questionnaire template
Who completes the vendor tiering assessment
Internal assessors
What is Assessment Management (high level - what does it allow orgs to do?)
Allows orgs to create templates for assessments with varying content and recurrence intervals based on vendor tier.
What are the 2 types of questionnaires
Proprietary questionnaires created using the visual designer, or built-in shared assessments.
What is an example of a shared assessment (vs. a proprietary one)
Standardized Information Gathering questionnaire
How are assessment responses scored
Automatically using a robust hierarchical weighted scoring framework that can be tailored to meet customer requirements
What is the Vendor Portal
Centralized location for all vendor interaction and communication
What does the vendor portal provide
Visibility into what needs to get done by when, who is assigned, and status for vendor stakeholders
What are Issues and Remediation used for in VRM
Issues can be created based on assessment responses; remediation plans can then be designed and shared with vendors.
How are VRM and GRC integrated
Link control objectives with questions in a questionnaire template, inadequate vendor responses can automatically mark controls as non-compliant.
What is the benefit of the VRM to GRC integration
Top-down traceability from an authority document to the question in a questionnaire for a specific vendor. Non-compliant controls can automatically adjust the residual scores of risks associated with the vendor, which are then rolled up into other IT and operational risks.
VRM Benefits (5)
1) Gain efficiencies through automation of routine processes and risk scoring, 2) Reduce risk exposure with an integrated view of risk, reporting and vendor tiering, 3) Respond to high-risk vendors with a consistent assessment and remediation process, 4) Increase communication and collaboration (portal), 5) Leverage a unified platform for a more comprehensive definition of, and proactive approach to, managing risk, compliance and security
Explain cyclical vendor assessment process
1) Request comes to the risk mgt team. 2) Initial tiering is performed to determine the inherent risk of the 3rd party. 3) An assessment matching the tier is chosen and sent to the vendor. 4) When responses are received, the risk analyst generates findings and reviews them with SMEs for actions. 5) Issues are shared with the vendor. 6) Based on the findings and the status of issues, the residual risk of the 3rd party is determined and reported out. 7) The 3rd party is monitored, and events such as incidents or negative reputation reports are triaged.
Assessment process repeats periodically until company no longer does business with the vendor/3rd party
What determines frequency or period between assessments in the cyclical vendor assessment process
policy or regulatory requirements
What are the 6 steps in the VRM process
Tier, Assess, Generate Findings, Remediate issues, Report risks, monitor
What are the components of the Tier step of the VRM process
Internal tiering assessment, SecurityScorecard integration
What are the components of the Assess step of the VRM process
Assessments, SecurityScorecard integration
What are the components of the Generate Findings step of the VRM process
Vendor Portal
What are the components of the Remediate Issues step of the VRM process
Issue Management, Remediation workflow
What are the components of the Report Risks step of the VRM process
GRC integration
What are the components of the Monitor step of the VRM process
Security score submission, Tier based submission, repeating assessments
What are the states for the Vendor Tiering lifecycle
Draft, Awaiting Response, Tiering Assignment, Closed
How is Vendor Tiering used
To classify vendors into categories of potential risk, determined at the time of onboarding
Vendor tiering - internal or external survey?
internal
What are the vendor tiers
none, minor, low, moderate, high, critical
What are the states for the Vendor Risk Assessment lifecycle
Draft, submitted to vendor, responses received, generating observations, finalizing with vendor, closed
What are the 2 components combined to make a Vendor Risk assessment
Assessment Template and a vendor
What are the 2 components combined to make an Assessment Template
Questionnaire Template and a Document Request Template
What is contained in the vendor portal
assessments, contacts, deadlines, issues and remediation
What happens in Assessment Management via the portal ?
this is on test per Rick’s notes
Respond to questionnaires and doc requests submitted as assessments. SIG is supported. Questions are parsed and managed individually, with the status of each question tracked to completion.
What happens with Issues and Tasks via the portal
Create and delegate vendor issues and tasks, provide vendor with access to update and respond, assign tasks to team members to support resolution
What happens with Vendor contact management in the portal?
Distribute vendor contact management to drive closure of issues and assessments. Delegate contact management to the primary vendor contact; assign responses and tasks to vendor team members.
What are some criteria/methods for determining if an assessment is to be created
tier based, score based, default vendor tiering scale, default risk rating scale
What table are vendor contacts stored in and from where is it extended
vm_vdr_contact extended from sys_user
What table are vendor risk issues stored in and from where is it extended
sn_vdr_risk_asmt_issue extended from sn_grc_issue
What is the name of the Vendor risk module
com.sn_vdr_risk_asmt
What are the internal roles
Vendor Risk Manager (sn_vdr_risk_asmt.vendor_risk_manager), Vendor Risk Assessor (sn_vdr_risk_asmt.vendor_assessor), Vendor Risk Reviewer (sn_vdr_risk_asmt.vendor_assessment_reviewer)
What is the Vendor Risk Manager role for
Manage vendors, contacts, assessment templates, questionnaire templates, doc request templates and scheduled assessments.
What roles does the Vendor Risk Manager role contain
Vendor Risk Assessor and Vendor Risk Reviewer
What is the Vendor Risk Assessor role for
Manage Vendors, contacts, assessments and issues.
What roles does the Vendor Risk Assessor contain
Vendor Risk Reviewer
What is the Vendor Risk Reviewer for
Reviews and edits vendor assessments.
What are the external roles installed with VRM
Vendor contact (vendor_contact)
What is the Vendor Contact role for
Answers questionnaires, may own remediation tasks. Primary contacts are responsible for assessments and can manage other contacts.
T or F Vendor contacts are in sys_user
True
What role do vendor contacts automatically have
snc_external
Who gets snc_internal
All existing users when GRC:VRM is installed
What are 5 config steps for VRM
Populate vendors, clean data, populate contacts, assign primary contacts, tier vendors
How can you clean the vendor data
Field normalization rules, data import/transform maps, fix scripts.
How do you use field normalization in cleanup
Activate the separate Field Normalization plugin.
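The logic behind the "clean data", "populate contacts" and "assign primary contacts" steps, as an added example that is not ServiceNow code and not part of these cards. It is the pure part of what one would wrap in a fix script (or express as field normalization rules): a name-normalization rule, duplicate detection, the mandatory vendor contact fields, and a check that every vendor ends up with a primary contact. The rows are constructed plain objects standing in for imported vendor and contact records; in an instance the loops would be GlideRecord queries, and on an engine without ES2015+ support the arrow functions and spread would need ES5 forms. The legal-suffix list is an assumption.

```javascript
// Added example, not ServiceNow code: pure cleanup logic for imported
// vendor and contact rows. Record shapes are assumptions for the example.

// Constructed import rows with the usual problems: case differences, legal
// suffixes, stray whitespace and a duplicate vendor.
const importedVendors = [
  { name: "Acme Hosting, Inc.", country: "US" },
  { name: "acme hosting inc", country: "US" },
  { name: "  Globex  Corporation ", country: "DE" },
  { name: "Initech LLC", country: "US" },
];

const importedContacts = [
  { first: "Dana", last: "Reyes", email: "dana.reyes@acme.example", vendor: "Acme Hosting, Inc.", primary: true },
  { first: "Lee", last: "Park", email: "lee.park@acme.example", vendor: "acme hosting inc", primary: false },
  { first: "Max", last: "Stein", email: "", vendor: "Globex Corporation", primary: true },
];

// Legal-form suffixes stripped before comparing names (assumed list).
const LEGAL_SUFFIXES = /\b(inc|incorporated|llc|ltd|limited|corp|corporation|gmbh|plc)\b\.?/g;

// Normalization rule: lowercase, drop legal suffixes and punctuation,
// collapse whitespace. The result is a matching key, not a display name.
function normalizeVendorName(name) {
  return String(name || "")
    .toLowerCase()
    .replace(LEGAL_SUFFIXES, " ")
    .replace(/[.,]/g, " ")
    .replace(/\s+/g, " ")
    .trim();
}

// Keeps the first record for each normalized key and reports the rest as
// duplicates to merge, instead of silently dropping them.
function dedupeVendors(vendors) {
  const byKey = new Map();
  const duplicates = [];
  for (const v of vendors) {
    const key = normalizeVendorName(v.name);
    if (byKey.has(key)) {
      duplicates.push({ duplicate: v.name, canonical: byKey.get(key).name });
    } else {
      byKey.set(key, { key, name: v.name.trim().replace(/\s+/g, " "), country: v.country });
    }
  }
  return { vendors: [...byKey.values()], duplicates };
}

// Mandatory fields on a vendor contact: first, last, email, vendor.
const MANDATORY_CONTACT_FIELDS = ["first", "last", "email", "vendor"];

// Resolves each contact to a canonical vendor key, checks mandatory fields,
// and reports vendors that end up without a primary contact.
function validateContacts(contacts, vendorResult) {
  const knownKeys = new Set(vendorResult.vendors.map((v) => v.key));
  const primaries = new Set();
  const problems = [];
  const cleaned = [];
  for (const c of contacts) {
    const label = `${c.first || "?"} ${c.last || "?"}`;
    for (const f of MANDATORY_CONTACT_FIELDS) {
      if (!c[f]) problems.push({ contact: label, problem: `missing ${f}` });
    }
    const vendorKey = normalizeVendorName(c.vendor);
    if (!knownKeys.has(vendorKey)) problems.push({ contact: label, problem: "unknown vendor" });
    if (c.primary) primaries.add(vendorKey);
    cleaned.push({ ...c, vendorKey });
  }
  for (const v of vendorResult.vendors) {
    if (!primaries.has(v.key)) problems.push({ vendor: v.name, problem: "no primary contact" });
  }
  return { contacts: cleaned, problems };
}

const vendorResult = dedupeVendors(importedVendors);
console.log(JSON.stringify(vendorResult, null, 2));
console.log(JSON.stringify(validateContacts(importedContacts, vendorResult).problems, null, 2));
```

Run on the constructed rows, the two Acme spellings collapse to one vendor with one reported duplicate, Max Stein is flagged for the empty email, and Initech is flagged for having no primary contact; nothing is deleted, so the merge decisions stay with a person.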
What are the 3 tier rating values on vendor record
Risk rating, Rank Tier, Vendor Tier
??? Which rating/tier values are set manually by the customer
Risk Rating, Rank tier and OPTIONALLY Vendor Tier - see Impl Class p49
With the VRM to GRC integration, what are the Related lists added to the Company/Vendor table
Entity Types, Risks, Controls
What is table name for the tiering assessment
sn_vdr_risk_asmt_vdr_tiering_assessment
What is table name for the tiering questionnaire template
asmt_metric_type
Where are Questionnaire and Doc Requests templates stored
Assessment Metric Type table - asmt_metric_type
Where are assessment categories stored
Assessment Metric Category table - asmt_metric_category
Where are the questions stored
Assessment Metric table - asmt_metric
If a question in an assessment has choices/answers, where are those stored
Assessment Metric Definitions table - asmt_metric_definition
What is the internal term for a question on a questionnaire?
Assessment metric
How can you connect parts of the assessment to GRC?
Assessment metrics/questions (within categories that fall under questionnaires or metric types) can be related to policy statements prior to conducting an assessment
T or F - Document Requests have a risk score
F - they have a risk rating (High, Medium, Low)
What determines document requests risk rating
Answer to first question (do you have document…)
What are the SIG levels
Lite (non-critical), Core (business critical), Full (situation-specific additions to Core or Lite), Master (repository of completed SIG questions and correct answers)
What is module name for Sig Questionnaire integration
com.sn_sig_asmt
What are 3 ways vendor risk assessments are created
manual, vendor tiering (auto) and vendor security scoring (auto)
Where are repeating assessments stored
Repeating assessment table - sn_vdr_risk_asmt_repeating_assessment
What determines Risk rating on Vendor Risk Assessment
Rollup from individual questionnaires and doc requests
?? How is Assessment rating calculated ??
Not stored in the database. getBusinessServiceCriticality will find the most critical business service and use the weight from that rating scale record. ?? I don’t get this.
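A hierarchical weighted scoring rollup, as an added example that is not ServiceNow's scoring engine and not part of these cards; it illustrates the two cards on scoring (a hierarchical weighted framework) and on the assessment risk rating (a rollup from individual questionnaires and doc requests). Questions roll up into categories, categories into a questionnaire score, and the questionnaire ratings combine with document-request ratings (which get a rating, not a score, from the "do you have the document" answer) into one assessment rating. The record shapes, weights, 0..1 normalization, the three-level rating scale and the score-to-rating thresholds are all assumptions made for the example.

```javascript
// Added illustration of a hierarchical weighted scoring rollup. Not
// ServiceNow code: shapes, weights, normalization and thresholds are assumed.

// Constructed questionnaire: every question carries a weight, the maximum
// answer value and the value the vendor's answer maps to.
const questionnaire = {
  name: "Security questionnaire (constructed sample)",
  categories: [
    {
      name: "Access control",
      weight: 2,
      questions: [
        { text: "MFA enforced for admin access?", weight: 3, max: 1, value: 1 },
        { text: "Quarterly access reviews performed?", weight: 2, max: 1, value: 0 },
      ],
    },
    {
      name: "Incident response",
      weight: 1,
      questions: [
        { text: "IR plan tested in the last 12 months?", weight: 2, max: 1, value: 1 },
        { text: "Breach notification timeliness (0-4 scale)", weight: 1, max: 4, value: 2 },
      ],
    },
  ],
};

// Constructed document requests. Their rating comes only from the first
// question ("do you have the document?").
const documentRequests = [
  { name: "SOC 2 Type II report", hasDocument: true },
  { name: "Penetration test summary", hasDocument: false },
];

const RATING_ORDER = ["Low", "Medium", "High"]; // assumed scale, worst last

function round2(x) {
  return Math.round(x * 100) / 100;
}

// Weighted average of scoreFn(item) over items, each item carrying .weight.
function weightedAverage(items, scoreFn) {
  let totalWeight = 0;
  let weighted = 0;
  for (const item of items) {
    totalWeight += item.weight;
    weighted += item.weight * scoreFn(item);
  }
  return totalWeight === 0 ? 0 : weighted / totalWeight;
}

// A question scores in [0, 1]; 1 means the fully compliant answer.
function scoreQuestion(q) {
  return q.max === 0 ? 0 : Math.min(1, Math.max(0, q.value / q.max));
}

// Category score in [0, 100]: weighted average of its questions.
function scoreCategory(category) {
  return 100 * weightedAverage(category.questions, scoreQuestion);
}

// Questionnaire score in [0, 100]: weighted average of its categories.
function scoreQuestionnaire(qn) {
  return round2(weightedAverage(qn.categories, scoreCategory));
}

// Assumed thresholds: a higher score means lower risk.
function rateFromScore(score) {
  if (score >= 80) return "Low";
  if (score >= 50) return "Medium";
  return "High";
}

function rateDocumentRequest(dr) {
  return dr.hasDocument ? "Low" : "High";
}

function worstRating(ratings) {
  return ratings.reduce(
    (worst, r) => (RATING_ORDER.indexOf(r) > RATING_ORDER.indexOf(worst) ? r : worst),
    "Low"
  );
}

// Rollup: each questionnaire is scored then rated, each document request
// is rated, and the assessment takes the worst rating of all of them.
function rollupAssessment(assessment) {
  const questionnaires = assessment.questionnaires.map((qn) => {
    const score = scoreQuestionnaire(qn);
    return { name: qn.name, score, rating: rateFromScore(score) };
  });
  const docs = assessment.documentRequests.map((dr) => ({
    name: dr.name,
    rating: rateDocumentRequest(dr),
  }));
  const rating = worstRating([...questionnaires, ...docs].map((x) => x.rating));
  return { questionnaires, documentRequests: docs, rating };
}

const sampleAssessment = { questionnaires: [questionnaire], documentRequests };
console.log(JSON.stringify(rollupAssessment(sampleAssessment), null, 2));
```

With the constructed input the questionnaire scores 67.78 (Medium) but the missing penetration test summary rates High, so the assessment rating is High: a "worst of" rollup means one missing document outweighs a decent questionnaire, which is the behaviour to check against policy before adopting it.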
What happens during the Generating Observations state of the Vendor Risk Assessment lifecycle
An assessor generates observations which may create issues.
What table store vendor risk assessments, extended from..
Vendor Risk Assessment - sn_vdr_risk_asmt_assessment, extended from planned_task
What can cause issues to be auto-generated
Issue Generation rules - based on incorrect responses for selected questions
What are states of the Vendor Risk Issue lifecycle
New, Analyze, Submitted to Vendor, Finalize with Vendor, Review, Closed
What table stores vendor risk issues, extended from
Vendor Risk Issue - sn_vdr_risk_asmt_issue - extended from sn_grc_issue (extended from planned_task?)
What are steps for a vendor risk issue remediation
Create task, accept issue, request additional info, vendor to remediate
What can be used to track the steps to address issues?
tasks
Who can be assigned tasks created from issues
internal or external individuals
Where are tasks created from vendor risk issues stored
Vendor Risk Task - sn_vdr_risk_asmt_task
What can a vendor risk issue be related to
Vendor, Vendor Risk Asmt, Question in a questionnaire in a Vendor Risk Asmt
Integration touchpoint with GRC P&C
Vendor Risk Issue table will have a policy exception related list
What is the vendor risk task lifecycle
New, Submitted to Vendor, Work in Progress, Review, Closed
** How can someone who is a Vendor Assessment Reviewer create a task? They cannot see the Filter Nav option to Create Task because they do not have the Vendor Assessor role.
Go to a Vendor Risk Issue and use its Tasks related list.
What table triggers events
Vendor Risk assessment - sn_vdr_risk_asmt_assessment
**Vendor Risk assessment notifications are made up of…
Events, Notifications and Run Script workflow activities
Where do you change the company name for the vendor portal
System property sn_vdr_risk_asmt.company.name
Once an assessment or doc request is assigned to vendor, primary contact can …
Invite others to collaborate or assign to another contact
**T or F - Primary contact can assign SECTIONS in the questionnaire or doc request to individuals
F - the whole thing can be assigned over, but not sections
T or F - A questionnaire can only be completed by the assignee
True. Others can only read it
VRM integrates with what in GRC
P&C, Risk
GRC to VRM integration - Control is marked non-compliant or compliant, what happens in risk?
Calculated risk score of risks for the vendor is adjusted
** Can a response to a question (tied to a control objective) result in the control status going from compliant to non-compliant, or vice versa?
Per Rick’s note - the answer is yes.
What are steps to integrate GRC and VRM
Relate a question/assessment metric (in a questionnaire template) to a control objective, or do the reverse and add the question/assessment metric to the control objective via a related list. In both cases, the control related to the control objective is updated based on the answer to the question.
Integrate GRC and VRM what related list do we see in Control Objective
Assessment Metrics/Questions - used to link the answer to a question to a particular control
*** ??? Integrate GRC and VRM, new related list Assessment Metrics, what is the qualification
Eval method in Vendor Risk Assessment
**??Integrate GRC and VRM - what related list do we see on the Vendor Risk assessment
Controls for that vendor
**GRC to VRM Integration - Control Status will get updated based on Vendor Risk Assessment - when? what state?
Vendor Risk Assessment is in Finalizing with Vendor or Closed
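The two rule types the cards above describe, as an added example that is not ServiceNow code and not part of these cards: issue generation from incorrect responses to selected questions, and updating the status of the control behind a linked control objective from the answer, in either direction, only once the assessment is in Finalizing with Vendor or Closed. Only the ideas (a correct answer per question, a question linked to a control objective, the gating states) come from the cards; the record shapes, identifiers, the "Compliant"/"Non Compliant" strings and the state strings are assumptions for the example.

```javascript
// Added illustration, not ServiceNow code, of issue generation rules and
// control-status updates driven by questionnaire responses.

const STATES_THAT_UPDATE_CONTROLS = new Set(["Finalizing with Vendor", "Closed"]);

// Constructed questionnaire template. A question may have a correct answer,
// an issue-generation flag and a linked control objective.
const questionnaireTemplate = [
  { id: "Q1", text: "Is MFA enforced for all administrative access?", correct: "Yes", generateIssue: true, controlObjective: "CO-IAM-01" },
  { id: "Q2", text: "Is customer data encrypted at rest?", correct: "Yes", generateIssue: true, controlObjective: "CO-CRY-02" },
  { id: "Q3", text: "Do you publish a vulnerability disclosure policy?", correct: "Yes", generateIssue: false, controlObjective: null },
  { id: "Q4", text: "Describe your backup retention period.", correct: null, generateIssue: false, controlObjective: null },
];

// Constructed controls: the control implementing each control objective
// for this vendor, with its current status.
const vendorControls = [
  { id: "CTRL-101", controlObjective: "CO-IAM-01", vendor: "Acme Hosting", status: "Compliant" },
  { id: "CTRL-102", controlObjective: "CO-CRY-02", vendor: "Acme Hosting", status: "Non Compliant" },
];

// Constructed vendor risk assessment with the vendor's responses.
const sampleVra = {
  number: "VRA-SAMPLE-1",
  vendor: "Acme Hosting",
  state: "Finalizing with Vendor",
  responses: { Q1: "No", Q2: "yes", Q3: "No", Q4: "90 days" },
};

function normalizeAnswer(a) {
  return String(a == null ? "" : a).trim().toLowerCase();
}

// A response is incorrect when it differs from the correct answer; questions
// without a correct answer (free text) are never "incorrect".
function isIncorrect(question, response) {
  if (question.correct == null) return false;
  return normalizeAnswer(response) !== normalizeAnswer(question.correct);
}

// Issue generation rule: one issue per incorrect response to a flagged question.
function generateIssues(assessment, template) {
  return template
    .filter((q) => q.generateIssue && isIncorrect(q, assessment.responses[q.id]))
    .map((q) => ({
      name: `${assessment.vendor}: ${q.text}`,
      vendor: assessment.vendor,
      assessment: assessment.number,
      question: q.id,
      response: assessment.responses[q.id],
      expected: q.correct,
      state: "New",
    }));
}

// Desired control status for every question linked to a control objective.
// A correct answer moves the control back to Compliant (the "vice versa" case).
function controlUpdatesFor(assessment, template) {
  return template
    .filter((q) => q.controlObjective && q.correct != null)
    .map((q) => ({
      controlObjective: q.controlObjective,
      question: q.id,
      status: isIncorrect(q, assessment.responses[q.id]) ? "Non Compliant" : "Compliant",
    }));
}

// Applies updates without mutating the input; returns new control objects.
function applyControlUpdates(controls, updates) {
  const byObjective = new Map(updates.map((u) => [u.controlObjective, u.status]));
  return controls.map((c) =>
    byObjective.has(c.controlObjective) ? { ...c, status: byObjective.get(c.controlObjective) } : c
  );
}

// Full evaluation: issues are always computed; control statuses change only
// in the gating states, otherwise the updates are returned as deferred.
function evaluateAssessment(assessment, template, controls) {
  const issues = generateIssues(assessment, template);
  const updates = controlUpdatesFor(assessment, template);
  const controlsApplied = STATES_THAT_UPDATE_CONTROLS.has(assessment.state);
  return {
    issues,
    controlsApplied,
    deferredUpdates: controlsApplied ? [] : updates,
    controls: controlsApplied ? applyControlUpdates(controls, updates) : controls.map((c) => ({ ...c })),
  };
}

console.log(JSON.stringify(evaluateAssessment(sampleVra, questionnaireTemplate, vendorControls), null, 2));
```

On the constructed input the "No" to Q1 raises one issue and moves CTRL-101 to Non Compliant, while the "yes" to Q2 (compared case-insensitively) moves CTRL-102 from Non Compliant back to Compliant; Q3 is wrong but not flagged for issue generation, and the free-text Q4 is ignored. Running the same assessment in Submitted to Vendor leaves the controls untouched and returns the updates as deferred, which is the gating the last card describes.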
What changed with the vendor portal URL in v 12.
Starting with version 12.0.4, the legacy version of the Assessment Vendor Portal, launched using [your instance URL]/vdp, is no longer deployed, enhanced or supported. The new version, launched using [your instance URL]/svdp, operates the same way.
What are some recent assessment engine enhancements
Multi-selection and choice questions can use normalization scoring; info fields can contain images, video, links, etc.; questions can depend on questions outside their category; min/max values for the assessment score
What are 2 external integrations to VRM
BitSight and SecurityScorecard
What fields are mandatory on Vendor Contact
First, Last, Email, Vendor
What are values of Risk Rating and Vendor Tier
1 - Very High, 2 - High, 3 - Moderate, 4 - Low, 5 - Very Low
What makes a VR Issue show up in portal
Visible in Portal checked, and state Submitted to Vendor or later (?)
What fields required on a VR Issue
Just Name until you submit it to the vendor, then Vendor
What roles required to see vendor portal
snc_external and vendor_contact
What does SIG stand for
Standardized Information Gathering
What are some things you can do in the designer
Preview, copy, Add Categories, Add questions, create new questions, specify a correct answer, dependencies between questions