Getting started with Third Party Risk Management

Overview

You'll receive access to the standard version of Third Party Risk Management (TPRM) with the Comply Fundamentals plan. Comply Complete plans have access to Secureframe's Advanced TPRM offering by default. You can also talk to your account manager about adding Advanced TPRM to your Fundamentals plan.

The standard TPRM plan includes:

  • Managing your active vendors list (add one by one or in bulk)
  • Vendor risk assessments using Secureframe default risk levels
  • A single schedule for reviews
  • A single question set for reviews
  • Secureframe default categories and department tags for vendors

Advanced TPRM capabilities include all of the features above plus:

  • Customizing the vendor risk assessment settings, including:
    • Primary risk scoring
    • Secondary risk scoring
      • Subcategories
      • Environment type
      • Data management
  • Customizing vendor tags
  • Detected applications through SSO providers (easily bring popular applications at your company into your vendor risk program)
  • Creating and assigning custom review schedules based on vendor risk level or other categorization
  • Unlimited schedules
  • Unlimited question sets for internal security reviews

Recommended starting steps

  1. Add your vendors to Secureframe TPRM (see Adding Vendors below). If you're bulk uploading vendors from a CSV, you can import their risk levels and other metadata to save yourself time.
  2. For any vendors that do not have an associated risk level, conduct a risk assessment (see Conducting a Vendor Risk Assessment below).
  3. Set up a review schedule. Review schedules contain lists of vendors that you want to review on the same cadence (see Configuring Vendor Reviews below).

See also: Getting started with your first security review.

Workflow walkthroughs

Adding Vendors

Vendors can be added into Secureframe individually within our app or via a bulk upload.

Viewing Vendors

Vendors can be searched, filtered, and sorted in many different ways.

Manipulating the Vendors Table

Vendors can be filtered and sorted in the table by:

  • Categories (not sortable)
  • Contract start date
  • Contract end date
  • Departments (not sortable)
  • Name
  • Owner
  • Review status (not sortable)
  • Tags (not sortable)
  • Risk level

Customizing Vendor Risk Assessment Settings

Select the cog icon on the top right of the vendors page to configure the following settings.

Configuring Primary Risk Scoring (Advanced feature)

Primary risk score settings determine the risk levels available for selection when conducting individual vendor assessments.

On the configuration tab, qualitative (e.g. high, medium, and low) and quantitative (e.g. 3, 2, 1) risk level scoring can be customized based on organizational needs.

Some organizations operate on a 3-tier high, medium, and low scoring system for assessing vendor risk; others use a 10-tier scoring system. Either way, scoring can be customized in any way desired based on organizational needs.

Configuring Secondary Risk Scoring (Advanced feature)

The primary risk score can be augmented by three secondary scoring dimensions:

  • Subcategories
  • Data management
  • Environment type

Secondary risk scoring provides additional ways to influence the primary risk score.

Risk subcategories (e.g. operational reliance, difficulty of vendor substitution, etc.) may be optionally added to further tailor how assessors should consider risk during an assessment. Risk levels for these subcategories are defined during an individual vendor's risk assessment.

Data management can be fully customized based on an organization's data and privacy concerns to further influence an assessor's decision-making during an individual vendor risk assessment. Risk levels for data management are defined globally in these settings, rather than being on a per vendor basis.

Environment type (development or production) is not customizable in settings; however, assessors are prompted to indicate the type during an individual vendor assessment.

Customizing Vendor Tags

Vendor tags define shared categories and departments that relate vendors to one another. These tags can be filtered on the primary vendors table.

Conducting a Vendor Risk Assessment

To begin an individual vendor risk assessment, select a vendor with a risk level of "Not assessed".

Basic Vendor Details

Please enter basic information about the vendor. Required fields are noted with a red asterisk.

  • Name: The name of the vendor
  • Website: The website of the vendor
  • Security URL: The location of vendor security documentation
  • Services provided: Information about the apps or services you use
  • Owner: The person responsible for the vendor
  • Categories & Departments: Tags associated to this vendor
  • Contract start and end date: The duration of the current vendor contract
  • Account manager name and email: The primary PoC on the vendor's side
  • Authentication type: The mechanism for authenticating into the vendor and/or its products
  • Compliance report findings: Describe issues the vendor has called out in reports such as a SOC 2, as applicable. These details should influence the vendor's risk assessment
  • Other information: Other notable detail about the vendor

Detected Applications (Advanced feature)

Secureframe scans for shadow IT via integrations such as Google Workspace, Google Cloud Identity, Okta, Office 365, and more to determine applications in use by people at an organization.

Discovered applications can be linked to a vendor. For example, if the vendor record is kept at a higher level, such as "Google" or "Alphabet", apps such as "Google Cloud Platform" and "Google Workspace" should be linked to that vendor.

To view all discovered applications, select Detected applications at the top of the vendors table. You can bulk add applications as vendors, link applications to vendors, or ignore the applications.

Risk Level Assessment

Indicate the level of risk for risk subcategories and the data relevant to the vendor. As a reminder, these were configured in the global risk assessment settings. Specify the environment type of the vendor as well as the overall risk level for the vendor. Secureframe automatically provides a recommended risk level suggestion for the vendor based on risk inputs.
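As an added example (not Secureframe's code or its scoring algorithm), the Python below sketches how the pieces configured in the sections above could roll up into the recommended level the assessor sees here: a primary scale (3-tier qualitative or 10-tier numeric), per-vendor subcategory ratings, globally defined data-management classes, and the environment type. The scale labels, data classes, weights, environment multipliers and the two sample vendors are all constructed assumptions for illustration.

```python
"""Illustrative roll-up of secondary risk inputs into a recommended primary
risk level. Added example; not Secureframe's scoring logic. Every weight and
global setting below is a constructed assumption."""
from dataclasses import dataclass, field
from math import ceil

# Environment type is fixed to development/production (per the article); the
# multipliers are an assumption: a development-only vendor is scaled down,
# not zeroed, so sensitive data still pulls its score up.
ENVIRONMENT_FACTOR = {"production": 1.0, "development": 0.75}

# Data management levels are defined globally, not per vendor. These classes
# and their ranks are constructed for the example.
DATA_MANAGEMENT_LEVELS = {"public": 1, "internal": 2, "confidential": 3, "regulated/PII": 4}

# Assumption: assessors rate each subcategory on a 1..SUBCATEGORY_MAX scale.
SUBCATEGORY_MAX = 3


@dataclass(frozen=True)
class RiskScale:
    """Ordered primary risk levels, lowest first, as (label, quantitative score)."""
    levels: tuple

    @classmethod
    def qualitative(cls, labels):
        # e.g. ["Low", "Medium", "High"] -> scores 1, 2, 3
        return cls(tuple((lbl, i + 1) for i, lbl in enumerate(labels)))

    @classmethod
    def numeric(cls, tiers):
        # e.g. 10 -> labels "1".."10" with matching scores
        return cls(tuple((str(i), i) for i in range(1, tiers + 1)))

    def level_for(self, fraction):
        """Map a normalised score in [0, 1] onto the scale (0 -> lowest level)."""
        n = len(self.levels)
        idx = min(max(ceil(fraction * n) - 1, 0), n - 1)
        return self.levels[idx][0]


@dataclass
class SecondaryInputs:
    subcategory_levels: dict = field(default_factory=dict)  # e.g. {"operational reliance": 3}
    data_classes: list = field(default_factory=list)        # keys of DATA_MANAGEMENT_LEVELS
    environment: str = "production"


def normalised_score(inputs):
    """Combine the secondary inputs into a single 0..1 score."""
    if inputs.environment not in ENVIRONMENT_FACTOR:
        raise ValueError(f"unknown environment type: {inputs.environment!r}")
    components = []
    if inputs.subcategory_levels:
        # Average the assessor's per-subcategory ratings.
        vals = inputs.subcategory_levels.values()
        components.append(sum(vals) / (len(vals) * SUBCATEGORY_MAX))
    if inputs.data_classes:
        # The most sensitive data class the vendor touches dominates.
        try:
            worst = max(DATA_MANAGEMENT_LEVELS[c] for c in inputs.data_classes)
        except KeyError as exc:
            raise ValueError(f"data class not in global settings: {exc.args[0]!r}") from None
        components.append(worst / max(DATA_MANAGEMENT_LEVELS.values()))
    if not components:
        return 0.0  # nothing assessed yet: stay at the lowest level rather than guess
    return (sum(components) / len(components)) * ENVIRONMENT_FACTOR[inputs.environment]


def recommend_risk_level(inputs, scale):
    """Suggested primary risk level for the assessor to confirm or override."""
    return scale.level_for(normalised_score(inputs))


if __name__ == "__main__":
    three_tier = RiskScale.qualitative(["Low", "Medium", "High"])
    ten_tier = RiskScale.numeric(10)
    # Constructed vendor: hard to replace, handles regulated data in production.
    crm = SecondaryInputs({"operational reliance": 3, "substitution difficulty": 2},
                          ["confidential", "regulated/PII"], "production")
    # Constructed vendor: a development-only tool that only sees public data.
    linter = SecondaryInputs({"operational reliance": 1, "substitution difficulty": 1},
                             ["public"], "development")
    for name, vendor in [("crm", crm), ("linter", linter)]:
        print(name, recommend_risk_level(vendor, three_tier), recommend_risk_level(vendor, ten_tier))
```

The recommendation is only a suggestion: the assessor still sets the overall level, and the model deliberately refuses unknown environment types or data classes that were never defined in the global settings instead of silently scoring them as low risk.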

Security Review

Vendor risk assessments are not a one-time task. Risk review schedules should be created to specify how frequently a review should occur. Multiple vendors can be bulk assigned to a single review for efficiency in cases where vendors are on the same review cycle.

A new review schedule can be created, or you can use an existing one by selecting it underneath Recurring schedule.

Templates can be specified to determine which questions should be answered during a vendor review.

Review

Complete the assessment when you have reviewed your previous selections.

Configuring Recurring Vendor Reviews / Review Schedules

Navigate to Vendor Review from the primary vendor table.

On the Pipeline tab, all in progress and upcoming reviews are listed. Owners can be assigned to own an entire review cycle.

Clicking into a review shows all the vendors that have been added to that review cycle. Assignees can be assigned to a vendor within a review cycle. Assignees are responsible for completing the review.

Vendors can be added to a review by clicking on the 3 dots in the top right.

You can also bulk assign vendors to recurring reviews / review schedules from the vendors table.

On the Review schedules tab or by clicking Schedule review, recurring reviews can be created to then assign to vendors. Review schedules generate the aforementioned review cycles.

Review schedules can be edited on the Review schedules tab by selecting the 3 dots. Owners can also be assigned to review schedules; they will receive email notifications when a review is starting and ending, based on the specified settings.

Alternatively, one-time reviews can be created by selecting the dropdown to the right of Schedule review.

Customizing Internal Review Templates (Advanced feature)

Security review templates define the content of a review. With the standard version of TPRM, you can always modify the Default Template, but your account must have the Advanced feature set to create and modify multiple templates.

Assignees fill out these questions during a review. Secureframe has provided a default template with an initial question set.

Conducting a Vendor Review

Once a review cycle begins, the assignee of the vendor's review for a given review cycle will receive an email notification.

The assignee is prompted to complete the review by uploading new compliance reports, completing review questions, adding findings, and leaving comments.

Frequently Asked Questions (FAQ)

How do I assign a specific question set to an automated vendor security review?

  • You can assign specific question sets to the vendors themselves.
  • Go to the Vendors page, select the vendor, and then Security Reviews; there you can change the question set.

In our list of vendors I have both Atlassian and JIRA. I want to remove Jira (because that is a product of the Atlassian company.) If I archive Jira from the list of vendors, does this have any impact on the integrations we have with Jira?

  • Archiving a vendor that has a related integration will not archive the connection. The vendors and the integrations are considered separate in the platform.
  • You will be able to safely remove the Jira vendor, while keeping the Jira connection.
