Vendor Risk Flashcards

1
Q

What are the 6 key capabilities for VRM?

A

Vendor Portfolio, Vendor Tiering, Assessment Mgt, Vendor Portal, Issues and Remediation, GRC Integration

2
Q

What is the Vendor Portfolio

A

Database of vendors and vendor info including contacts, biz svc and other.

3
Q

What table contains the vendor info

A

Company (core_company) (extended)

4
Q

What is Vendor Tiering

A

Vendor tiering is used in VRM to help orgs effectively assess vendors at the right time.

5
Q

What is vendor tiering score for

A

Allows orgs to better manage the vendor relationship

6
Q

What is used to create a vendor tiering assessment

A

a Tiering questionnaire template

7
Q

Who completes the vendor tiering assessment

A

Internal assessors

8
Q

What is Assessment Management (high level - what does it allow orgs to do?)

A

Allows orgs to create templates for assessments with varying content and recurrence intervals based on vendor tier.

9
Q

What are the 2 types of questionnaires

A

Proprietary ones created using the visual designer, or built-in shared assessments.

10
Q

What is an example of a shared assessment (vs. a proprietary one)

A

Standardized Information Gathering questionnaire

11
Q

How are assessment responses scored

A

Automatically using a robust hierarchical weighted scoring framework that can be tailored to meet customer requirements

12
Q

What is the Vendor Portal

A

Centralized location for all vendor interaction and communication

13
Q

What does the vendor portal provide

A

Visibility into what needs to get done by when, who is assigned, and status for vendor stakeholders

14
Q

What are Issues and Remediation used for in VRM

A

Issues can be created based on assessment responses; remediation plans can then be designed and shared with vendors.

15
Q

How are VRM and GRC integrated

A

Link control objectives with questions in a questionnaire template; inadequate vendor responses can then automatically mark controls as non-compliant.

16
Q

What is the benefit of the VRM to GRC integration

A

Top down traceability from an authority doc to the question in a questionnaire for a specific vendor. Non compliant controls can automatically adjust residual scores of risks associated with the vendor, which are then rolled up into other IT and operational risks.

17
Q

VRM Benefits (5)

A

1) Gain efficiencies through automation of routine processes and risk scoring
2) Reduce risk exposure with an integrated view of risk, reporting and vendor tiering
3) Respond to high-risk vendors with a consistent assessment and remediation process
4) Increase communication and collaboration (portal)
5) Leverage a unified platform to provide a more comprehensive definition of, and proactive approach to, managing risk, compliance and security

18
Q

Explain cyclical vendor assessment process

A

1) Request comes to the risk mgt team
2) Initial tiering process is performed to determine the inherent risk of the 3rd party
3) Assessment chosen to match the tier and sent to the vendor
4) When responses are received, the risk analyst generates findings and reviews them with SMEs for actions
5) Issues are shared with the vendor
6) Based on findings and the status of issues, the residual risk of the 3rd party is determined and reported out
7) 3rd party is monitored, and events such as incidents or negative reputation reports are triaged
The assessment process repeats periodically until the company no longer does business with the vendor/3rd party.

19
Q

What determines frequency or period between assessments in the cyclical vendor assessment process

A

policy or regulatory requirements

20
Q

What are the 6 steps in the VRM process

A

Tier, Assess, Generate Findings, Remediate issues, Report risks, monitor

21
Q

What are the components of the Tier step of the VRM process

A

Internal tiering assessment, Security scorecard integration

22
Q

What are the components of the Assess step of the VRM process

A

Assessments, security scorecard integration

23
Q

What are the components of the Generate Findings step of the VRM process

A

Vendor Portal

24
Q

What are the components of the Remediate Issues step of the VRM process

A

Issue Management, Remediation workflow

25
Q

What are the components of the Report Risks step of the VRM process

A

GRC integration

26
Q

What are the components of the Monitor step of the VRM process

A

Security score submission, Tier based submission, repeating assessments

27
Q

What are the states for the Vendor Tiering lifecycle

A

Draft, Awaiting Response, Tiering Assignment, Closed

28
Q

How is Vendor Tiering used

A

To classify vendors into categories of potential risk, determined at the time of onboarding

29
Q

Vendor tiering - internal or external survey?

A

internal

30
Q

What are the vendor tiers

A

none, minor, low, moderate, high, critical

31
Q

What are the states for the Vendor Risk Assessment lifecycle

A

Draft, submitted to vendor, responses received, generating observations, finalizing with vendor, closed

32
Q

What are the 2 components combined to make a Vendor Risk assessment

A

Assessment Template and a vendor

33
Q

What are the 2 components combined to make an Assessment Template

A

Questionnaire Template and a Document Request Template

34
Q

What is contained in the vendor portal

A

assessments, contacts, deadlines, issues and remediation

35
Q

What happens in Assessment Management via the portal ?

this is on test per Rick’s notes

A

Respond to questionnaires and doc requests submitted as assessments. SIG is supported. Questions are parsed and managed individually, with the status of each question tracked to completion.

36
Q

What happens with Issues and Tasks via the portal

A

Create and delegate vendor issues and tasks, provide vendor with access to update and respond, assign tasks to team members to support resolution

37
Q

What happens with Vendor contact management in the portal?

A

Distribute vendor contact management to drive closure of issues and assessments. Delegate contact management to the primary vendor contact; assign responses and tasks to vendor team members.

38
Q

What are some criteria/methods for determining if an assessment is to be created

A

tier based, score based, default vendor tiering scale, default risk rating scale

39
Q

What table are vendor contacts stored in and from where is it extended

A

vm_vdr_contact extended from sys_user

40
Q

What table are vendor risk issues stored in and from where is it extended

A

sn_vdr_risk_asmt_issue extended from sn_grc_issue

41
Q

What is the name of the Vendor risk module

A

com.sn_vdr_risk_asmt

42
Q

What are the internal roles

A

Vendor Risk Manager (sn_vdr_risk_asmt.vendor_risk_manager), Vendor Risk Assessor (sn_vdr_risk_asmt.vendor_assessor), Vendor Risk Reviewer (sn_vdr_risk_asmt.vendor_assessment_reviewer)

43
Q

What is the Vendor Risk Manager role for

A

Manage vendors, contacts, assessment templates, questionnaire templates, doc request templates and scheduled assessments.

44
Q

What roles does the Vendor Risk Manager contain

A

Vendor Risk Assessor and Vendor Risk Reviewer

45
Q

What is the Vendor Risk Assessor role for

A

Manage Vendors, contacts, assessments and issues.

46
Q

What roles does the Vendor Risk Assessor contain

A

Vendor Risk Reviewer

47
Q

What is the Vendor Risk Reviewer for

A

Reviews and edits vendor assessments.

48
Q

What are the external roles installed with VRM

A

Vendor contact (vendor_contact)

49
Q

What is the Vendor Contact role for

A

Answers questionnaires, may own remediation tasks. Primary contacts are responsible for assessments and can manage other contacts.

50
Q

T or F Vendor contacts are in sys_user

A

True

51
Q

What role do vendor contacts automatically have

A

snc_external

52
Q

Who gets snc_internal

A

All existing users when GRC:VRM is installed

53
Q

What are 5 config steps for VRM

A

Populate vendors, clean data, populate contacts, assign primary contacts, tier vendors

54
Q

How can you clean the vendor data

A

Field normalization rules, data import/transform, fix scripts.

55
Q

How do you use field normalization in cleanup

A

Activate the separate plugin

56
Q

What are the 3 tier rating values on vendor record

A

Risk rating, Rank Tier, Vendor Tier

57
Q

???Which rating tier values are set manually by customer

A

Risk Rating, Rank tier and OPTIONALLY Vendor Tier - see Impl Class p49

58
Q

With the VRM to GRC integration, what are the Related lists added to the Company/Vendor table

A

Entity Types, Risks, Controls

59
Q

What is table name for the tiering assessment

A

sn_vdr_risk_asmt_vdr_tiering_assessment

60
Q

What is table name for the tiering questionnaire template

A

asmt_metric_type

61
Q

Where are Questionnaire and Doc Requests templates stored

A

Assessment Metric Type table - asmt_metric_type

62
Q

Where are assessment categories stored

A

Assessment Metric Category table - asmt_metric_category

63
Q

Where are the questions stored

A

Assessment Metric table - asmt_metric

64
Q

If a question in an assessment has choices/answers, where are those stored

A

Assessment Metric Definitions table - asmt_metric_definition

65
Q

What is the internal term for a question on a questionnaire?

A

Assessment metric

66
Q

How can you connect parts of the assessment to GRC?

A

Assessment metrics/questions (within categories that fall under questionnaires or metric types) can be related to policy statements prior to conducting an assessment

67
Q

T or F - Document Requests have a risk score

A

F - they have a risk rating (H, Medium, L)

68
Q

What determines document requests risk rating

A

Answer to first question (do you have document…)

69
Q

What are the SIG levels

A

Lite (non-crit), Core (Biz Crit), Full (situation specific additions to core or lite), Master (repository of completed Sig ?s and correct answers)

70
Q

What is module name for Sig Questionnaire integration

A

com.sn_sig_asmt

71
Q

What are 3 ways vendor risk assessments are created

A

manual, vendor tiering (auto) and vendor security scoring (auto)

72
Q

Where are repeating assessments stored

A

Repeating assessment table - sn_vdr_risk_asmt_repeating_assessment

73
Q

What determines Risk rating on Vendor Risk Assessment

A

Rollup from individual questionnaires and doc requests

74
Q

?? How is Assessment rating calculated ??

A

Not stored in database. getBusinessServiceCriticality will find most crit biz svc and use the weight from that rating scale record. ?? I don’t get this.

75
Q

What happens during the Generating Observations state of the Vendor Risk Assessment lifecycle

A

An assessor generates observations which may create issues.

76
Q

What table stores vendor risk assessments, and what is it extended from?

A

Vendor Risk Assessment - sn_vdr_risk_asmt_assessment, extended from planned_task

77
Q

What can cause issues to be auto-generated

A

Issue Generation rules - based on incorrect responses for selected questions

78
Q

What are states of the Vendor Risk Issue lifecycle

A

New, Analyze, Submitted to Vendor, Finalize with Vendor, Review, Closed

79
Q

What table stores vendor risk issues, and what is it extended from?

A

Vendor Risk Issue - sn_vdr_risk_asmt_issue - extended from sn_grc_issue (extended from planned_task?)

80
Q

What are steps for a vendor risk issue remediation

A

Create task, accept issue, request addnl info, vendor to remediate

81
Q

What can be used to track the steps to address issues?

A

tasks

82
Q

Who can be assigned tasks created from issues

A

internal or external individuals

83
Q

Where are tasks created from vendor risk issues stored

A

Vendor Risk Task - sn_vdr_risk_asmt_task

84
Q

What can a vendor risk issue be related to

A

Vendor, Vendor Risk Asmt, Question in a questionnaire in a Vendor Risk Asmt

85
Q

Integration touchpoint with GRC P&C

A

Vendor Risk Issue table will have a policy exception related list

86
Q

What is the vendor risk task lifecycle

A

New, Submitted to Vendor, Work in Progress, Review, Closed

87
Q

** How can someone that is a Vendor Assessment Reviewer create a task? They cannot see the Filter Nav option to Create Task because they do not have Vendor Assessor role.

A

Go to a Vendor Risk Issue and go the related list of tasks.

88
Q

What table triggers events

A

Vendor Risk assessment - sn_vdr_risk_asmt_assessment

89
Q

**Vendor Risk assessment notifications are made up of…

A

Events, Notifications and Run Script workflow activities

90
Q

Where do you change the company name for the vendor portal

A

System property sn_vdr_risk_asmt.company.name

91
Q

Once an assessment or doc request is assigned to vendor, primary contact can …

A

Invite others to collaborate or assign to another contact

92
Q

**T or F - Primary contact can assign SECTIONS in the questionnaire or doc request to individuals

A

F - the whole thing can be assigned over, but not sections

93
Q

T or F - A questionnaire can only be completed by the assignee

A

True. Others can only read it

94
Q

VRM integrates with what in GRC

A

P&C, Risk

95
Q

GRC to VRM integration - Control is marked non-compliant or compliant, what happens in risk?

A

Calculated risk score of risks for the vendor is adjusted

96
Q

** response to question (tied to a control obj) results in control status going from compliant to non-compliant or vice versa.

A

Per Rick’s note - the answer is yes.

97
Q

What are steps to integrate GRC and VRM

A

Relate a question/assessment metric (in a questionnaire template) to a Control objective. Or do the reverse and add question/am to control objectives via a related list. In both cases, the Control related to the Control objective will be updated based on the answer to the question

98
Q

Integrate GRC and VRM what related list do we see in Control Objective

A

Assessment Metric/Questions - used to link answer to the question to a particular control

99
Q

***??? Integrate GRC and VRm, new related list Assessment Metrics, what is the qualification

A

Eval method in Vendor risk Assessment

100
Q

**??Integrate GRC and VRM - what related list do we see on the Vendor Risk assessment

A

Controls for that vendor

101
Q

**GRC to VRM Integration - Control Status will get updated based on Vendor Risk Assessment - when? what state?

A

Vendor Risk Assessment is in Finalizing with Vendor or Closed

102
Q

What changed with the vendor portal URL in v 12.

A

Starting with version 12.0.4, the legacy version of the Assessment Vendor Portal, launched using [your instance URL]/vdp, is no longer deployed, enhanced, or supported. The new version, launched using [your instance URL]/svdp, operates the same

103
Q

What are some recent assessment engine enhancements

A

Multi-selection and choice can use normalization scoring, Info fields can have images, video, links, etc., Questions can be dependent outside their category, min max for assessment score

104
Q

What are 2 external integrations to VRM

A

BitSight and SecurityScorecard

105
Q

What fields are mandatory on Vendor Contact

A

First, Last, Email, Vendor

106
Q

What are values of Risk Rating and Vendor Tier

A

1 - Very High, 2 - High, 3 - Moderate, 4 - Low, 5 - Very Low

107
Q

What makes a VR Issue show up in portal

A

Visible in Portal, State Submitted to Vendor or >?

108
Q

What fields required on a VR Issue

A

Just Name until you submit it to the vendor, then Vendor

109
Q

What roles required to see vendor portal

A

snc_external and vendor_contact

110
Q

What does SIG stand for

A

Standardized Information Gathering

111
Q

What are some things you can do in the designer

A

Preview, copy, Add Categories, Add questions, create new questions, specify a correct answer, dependencies between questions