Reviewing in-scope vendor compliance reports is critical to ensuring that third-party vendor diligence is conducted and maintained on a yearly basis.
This requirement allows you to effectively evaluate each vendor and take appropriate action for material deficiencies or concerns.
Whether you procure those vendor compliance reports online or send a Security Questionnaire for evaluation, Secureframe's vendor portal is an easy-to-use and lightweight way to request documentation.
Video walkthrough
Configuring a vendor questionnaire question set
- To get started, we’ll first make sure we’ve configured a questionnaire template. To do this, click into the Vendor review area of TPRM.
- Then, select the Question sets tab and then Create question set. In this modal, enter the name of this set, i.e. “High risk vendor questionnaire,” add an optional description and make sure that the type is “Vendor questionnaire.”
- Then, click Create. You’ll be dropped into the empty question set screen and you’re ready to start making questions. You can either add questions one by one or upload a CSV or Excel document containing a longer list of questions.
Sending a questionnaire and request for documents to a vendor using vendor portal
- To actually send the questionnaire, we’ll click into a scheduled review of our vendors in our review pipeline.
- Start a review of the vendor within the schedule.
- On the review screen, we can now see the Vendor portal button on the top right. Click this and you’re prompted to check a few details before sending the questionnaire. By default, the Portal recipient will automatically fill with the associated account manager email address on file with this vendor, and the Reply to address (meaning the email address the vendor can respond to with any questions about your request for information or documents) will be pre-filled with your company’s vendor owner email address.
- Last, we’ll just make sure that the vendor questionnaire template we just created is selected in the Vendor questionnaire dropdown.
- Clicking the View preview link shows you a depiction of the portal itself that our vendor will see. They’ll be prompted to upload a filled-in security questionnaire, as well as any supporting compliance reports and documentation.
- Click Generate and send. Doing this simultaneously sets our portal URL live and sends the vendor an email that looks like this.
What vendors see when you send them a portal link
When vendors click this link to the portal, they’ll see a simple webpage containing buttons to upload a filled-in security questionnaire and to upload supporting compliance documentation. When they upload a file, the vendor will specify a document type and add any additional description.
Vendors will then click Submit and then confirm. Once the vendor does this, any uploaded files will be pushed into Secureframe TPRM and show in the corresponding review screen. The portal will be closed to any more uploads. If you require additional documents, you can always resend a portal link later.
You will receive an email whenever a vendor uploads completed documentation. Clicking the Go to review link will navigate to the vendor’s review in your Secureframe account. Clicking on the Questionnaires tab will show the filled-in version submitted by the vendor, along with any reports they uploaded in the Documents tab. You can then read through these and flag any findings as normal.
Frequently Asked Questions (FAQ)
What Vendors do I need to include in my review?
- Any vendor that has access to or manages sensitive customer data is considered in scope. Consider vendors that provide services like cloud storage, payment processing, customer support, and more.
- While you can conduct reviews on all vendors, we recommend you focus your reviews on high-risk vendors.
- The objective here is to understand the potential risks associated with using a vendor's product or service, and to ensure that quality is being maintained.
- If a vendor doesn't have security documentation like a SOC 2 Report, you can send them a security questionnaire from our Vendor section of the platform.
Below is a list of links to common vendors' security reports:
- AWS: SOC 2 request
- GitHub: SOC 2 request
- Atlassian: Atlassian security
- Google: SOC 2 & SOC 3 request
- Slack: Slack security
- Secureframe: SOC 2, ISO, GDPR and more
- Azure/Office: Azure/Office security
- GitLab: GitLab security
- Bitbucket: SOC 2 request
Do I need to complete Vendor security reviews on all my vendors?
- No, only those that are considered High or Critical vendors.
My vendor doesn't have a SOC 2 or any report, what should I do?
- If your vendor does not currently have any compliance reports to share, you can send them a Security Questionnaire to fill out directly from within the Secureframe Vendors page.
What specifically are my Auditors looking for in Vendor reviews?
- Auditors will want to see a security report such as SOC 1, SOC 2, SOC 3, ISO 27001, etc. for those Critical and/or High Risk vendors.
- If your vendors do NOT have these reports, then you will want to examine that vendor through a Security Questionnaire to evaluate their security best practices and procedures.