Overview
You'll receive access to the standard version of Third Party Risk Management (TPRM) with the Comply Fundamentals plan. Comply Complete plans have access to Secureframe's Advanced TPRM offering by default. You can also talk to your account manager about adding Advanced TPRM to your Fundamentals plan.
The standard TPRM plan includes:
- Managing your active vendors list (add one by one or in bulk)
- Vendor risk assessments using Secureframe default risk levels
- A single schedule for reviews
- A single question set for reviews
- Secureframe default categories and department tags for vendors
Advanced TPRM capabilities include all of the features above plus:
- Customizing the vendor risk assessment settings, including:
  - Primary risk scoring
  - Secondary risk scoring
  - Subcategories
  - Environment type
  - Data management
- Customizing vendor tags
- Detected applications through SSO providers (easily bring popular applications at your company into your vendor risk program)
- Creating and assigning custom review schedules based on vendor risk level or other categorization
- Unlimited schedules
- Unlimited question sets for internal security reviews
Recommended starting steps
- Add your vendors to Secureframe TPRM (See Adding Vendors below). If you're bulk uploading vendors from a CSV, you can import their risk levels and other metadata to save yourself time.
- For any vendors that do not have an associated risk level, conduct a risk assessment (See Conducting a Vendor Risk Assessment below).
- Set up a review schedule. Review schedules contain lists of vendors that you want to review on the same cadence. (See Configuring Vendor Reviews below)
See also: Getting started with your first security review.
Workflow walkthroughs
Adding Vendors
Vendors can be added to Secureframe individually within the app or via a bulk upload.
Viewing Vendors
Vendors can be searched, filtered, and sorted in many different ways.
Manipulating the Vendors Table
Vendors can be filtered and sorted in the table by:
- Categories (not sortable)
- Contract start date
- Contract end date
- Departments (not sortable)
- Name
- Owner
- Review status (not sortable)
- Tags (not sortable)
- Risk level
Customizing Vendor Risk Assessment Settings
Select the cog icon on the top right of the vendors page to configure the following settings.
Configuring Primary Risk Scoring (Advanced feature)
Primary risk score settings determine the risk levels available for selection when conducting individual vendor assessments.
On the configuration tab, qualitative (e.g. high, medium, and low) and quantitative (e.g. 3, 2, 1) risk level scoring can be customized based on organizational needs.
Some organizations operate on a 3-tier high, medium, and low scoring system for assessing vendor risk, while others use a 10-tier scoring system. Either way, scoring can be customized in any way desired based on organizational needs.
Configuring Secondary Risk Scoring (Advanced feature)
The primary risk score can be augmented by three secondary scoring inputs:
- Subcategories
- Data management
- Environment type
Secondary risk scoring provides additional ways to influence the primary risk score.
Risk subcategories (e.g. operational reliance, difficulty of vendor substitution, etc.) may be optionally added to further tailor how assessors should consider risk during an assessment. Risk levels for these subcategories are defined during an individual vendor's risk assessment.
Data management can be fully customized based on an organization's data and privacy concerns to further influence an assessor's decision-making during an individual vendor risk assessment. Risk levels for data management are defined globally in these settings, rather than being on a per vendor basis.
Environment type (development or production) is not customizable in settings; however, assessors are prompted to indicate the type during an individual vendor assessment.
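To make the interaction between primary and secondary scoring concrete, here is an added illustrative model (written for this article, not Secureframe's recommendation algorithm, which the product does not document here). It assumes a configurable primary scale (the 3-tier and 10-tier examples above), per-assessment subcategory tiers, globally defined data-management weights and an environment weight; all names, weights and the combination rule are assumptions for illustration.

```python
"""Hypothetical vendor risk scoring model.

Assumed model (not Secureframe's algorithm): subcategory tiers give a baseline
on the primary scale; data sensitivity and environment type pull the score
toward the top of the scale. All weights below are constructed examples.
"""
from dataclasses import dataclass, field

# Primary risk tiers: quantitative score -> qualitative label.
# Constructed examples of a 3-tier and a 10-tier scheme.
THREE_TIER = {1: "low", 2: "medium", 3: "high"}
TEN_TIER = {n: f"tier-{n}" for n in range(1, 11)}

# Data-management weights, defined once globally (assumed values): the fraction
# of the remaining headroom on the primary scale that this data class adds.
DATA_MANAGEMENT = {
    "public": 0.0,
    "internal": 0.25,
    "confidential": 0.6,
    "regulated_pii": 1.0,
}

# Environment type is fixed to two values; production counts fully (assumed).
ENVIRONMENT_WEIGHT = {"development": 0.5, "production": 1.0}


@dataclass
class Assessment:
    """Inputs an assessor supplies for one vendor."""
    subcategories: dict          # subcategory name -> tier on the primary scale
    data_classes: list = field(default_factory=list)
    environment: str = "production"


def recommend(assessment: Assessment, tiers: dict) -> tuple:
    """Return (score, label) on the given primary scale.

    Raises ValueError on inputs outside the configured scale or unknown
    data classes / environment types, so a bad form cannot silently
    produce a low score.
    """
    top = max(tiers)
    if not assessment.subcategories:
        raise ValueError("at least one subcategory tier is required")
    for name, tier in assessment.subcategories.items():
        if tier not in tiers:
            raise ValueError(f"subcategory {name!r} tier {tier} not on scale 1..{top}")
    unknown = [c for c in assessment.data_classes if c not in DATA_MANAGEMENT]
    if unknown:
        raise ValueError(f"unknown data classes: {unknown}")
    if assessment.environment not in ENVIRONMENT_WEIGHT:
        raise ValueError(f"unknown environment {assessment.environment!r}")

    # Baseline: average subcategory tier on the primary scale.
    baseline = sum(assessment.subcategories.values()) / len(assessment.subcategories)
    # Data sensitivity is governed by the most sensitive class present.
    data_factor = max((DATA_MANAGEMENT[c] for c in assessment.data_classes), default=0.0)
    env_factor = ENVIRONMENT_WEIGHT[assessment.environment]
    # Move from the baseline toward the top of the scale in proportion to
    # data sensitivity and environment weight.
    raw = baseline + (top - baseline) * data_factor * env_factor
    # Round half up explicitly (Python's round() uses banker's rounding).
    score = max(1, min(top, int(raw + 0.5)))
    return score, tiers[score]


if __name__ == "__main__":
    vendor = Assessment(
        subcategories={"operational_reliance": 3, "substitution_difficulty": 2},
        data_classes=["regulated_pii"],
        environment="production",
    )
    print(recommend(vendor, THREE_TIER))
```

The score is only a recommendation: as the article notes, the assessor still sets the overall risk level, and the same inputs on a 10-tier scale give finer gradations than on a 3-tier one.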
Customizing Vendor Tags
Vendor tags define shared categories and departments that relate vendors to one another. These tags can be used as filters on the primary vendors table.
Conducting a Vendor Risk Assessment
To begin an individual vendor risk assessment, select a vendor with a risk level of "Not assessed".
Basic Vendor Details
Please enter basic information about the vendor. Required fields are noted with a red asterisk.
- Name: The name of the vendor
- Website: The website of the vendor
- Security URL: The location of vendor security documentation
- Services provided: Information about apps or services you use
- Owner: The person responsible for the vendor
- Categories & Departments: Tags associated to this vendor
- Contract start and end date: The duration of the current vendor contract
- Account manager name and email: The primary PoC on the vendor's side
- Authentication type: The mechanism for authenticating into the vendor and/or its products
- Compliance report findings: Describe issues the vendor has called out in reports such as a SOC 2, as applicable. These details should influence the vendor's risk assessment
- Other information: Other notable detail about the vendor
Detected Applications (Advanced feature)
Secureframe scans for shadow IT via integrations such as Google Workspace, Google Cloud Identity, Okta, Office 365, and more to determine applications in use by people at an organization.
Discovered applications can be linked to a vendor. For example, if the vendor is recorded at a higher level, such as "Google" or "Alphabet", apps such as "Google Cloud Platform" and "Google Workspace" should be linked to that vendor.
To view all discovered applications, select detected applications on the top of the vendor's table. You can bulk add applications as vendors, link applications to vendors, or ignore the applications.
Risk Level Assessment
Indicate the level of risk for risk subcategories and the data relevant to the vendor. As a reminder, these were configured in the global risk assessment settings. Specify the environment type of the vendor as well as the overall risk level for the vendor. Secureframe automatically provides a recommended risk level suggestion for the vendor based on risk inputs.
Security Review
Vendor risk assessments are not a one-time task. Risk review schedules should be created to specify how frequently a review should occur. Multiple vendors can be bulk assigned to a single review for efficiency in cases where vendors are on the same review cycle.
A new review schedule can be created, or an existing review schedule can be reused by selecting it under Recurring schedule.
Templates can be specified to determine which questions should be answered during a vendor review.
Review
Complete the assessment when you have reviewed your previous selections.
Configuring Recurring Vendor Reviews / Review Schedules
Navigate to Vendor Review from the primary vendor table.
On the Pipeline tab, all in-progress and upcoming reviews are listed. An owner can be assigned to each review cycle.
Clicking into a review shows all the vendors that have been added to that review cycle. Assignees can be assigned to a vendor within a review cycle. Assignees are responsible for completing the review.
Vendors can be added to a review by clicking on the 3 dots in the top right.
You can also bulk assign vendors to recurring reviews / review schedules from the vendors table.
On the Review schedules tab or by clicking Schedule review, recurring reviews can be created to then assign to vendors. Review schedules generate the aforementioned review cycles.
Review schedules can be edited on the Review schedules tab by selecting the 3 dots. Owners can also be assigned to review schedules; they will receive email notifications when a review is starting and ending, based on the settings specified below.
Alternatively, one-time reviews can be created by selecting the dropdown to the right of Schedule review.
Customizing Internal Review Templates (Advanced feature)
With the standard version of TPRM, you can always modify the Default Template, but your account must have the Advanced feature set to create and modify multiple templates. To define the content of a review, security review templates can be created.
Assignees fill out these questions during a review. Secureframe has provided a default template with an initial question set.
Conducting a Vendor Review
Once a review cycle begins, the assignee of the vendor's review for a given review cycle will receive an email notification.
The assignee is prompted to complete the review, by uploading new compliance reports, completing review questions, adding findings, and leaving comments.
Frequently Asked Questions (FAQ)
How do I assign a specific question set to an automated vendor security review?
- You can assign specific question sets to the vendors themselves.
- Go to the Vendors page, select the vendor, and then Security Reviews; there you can change the question set.
In our list of vendors I have both Atlassian and Jira. I want to remove Jira (because that is a product of the Atlassian company). If I archive Jira from the list of vendors, does this have any impact on the integrations we have with Jira?
- Archiving a vendor that has a related integration will not archive the connection. The vendors and the integrations are considered separate in the platform.
- You will be able to safely remove the Jira vendor, while keeping the Jira connection.