VENDEFENSE

Simplify. Standardize. Defend.

How To

Invite Team Members

The first step in VENDEFENSE is to add and invite team members to help with the workload.

To invite people to join your team:

  1. Add the business unit the team member belongs to: click the avatar icon in the upper right corner and select “Program Settings.”
  2. Click the Business Units tab.
  3. Click in the text field, type the name of the business unit (examples include account, sales, legal, IT), then click “Add.”
  4. Once the business unit is added, click the “Invite” button.
  5. Enter the team member’s details in the “Invite Team Member” form.
  6. When the form is saved, an invitation email is sent to the team member.
  7. Once the team member accepts the invitation, they appear in the team panel to the right of the vendor list.

Add Vendors One at a Time

There are two ways to add vendors: import them from an Excel document, or add them one at a time.

To add a single vendor:

1. Click on “Add Vendor” and select “Single Vendor.”
2. Fill out the corresponding form.
3. To change the relationship owner, click the “change” text and type the owner’s name.
4. Click “Save Vendor” when complete.

Import Vendor List Using Excel (.xls file)

To cut down on manual entry, VENDEFENSE allows the user to upload an Excel file containing all vendor information.

To upload the .xls file:

  1. Go to “Add Vendor” and select “Download our import template.” This downloads an Excel document.
  2. Populate the template with the vendors to be added.
  3. Once the file is populated, click “Add Vendor” and choose “Import” from the drop-down menu.
  4. A list of the vendors available for import appears; click the blue “Import” button.
  5. Repeat this process as needed. There is no limit to how many times the import template can be imported.
  6. Refresh the import window once complete and the vendors will appear in the list.

Confirm Classification

Once the vendors are in VENDEFENSE, each one must be classified as high, medium, or low impact (the level of risk the vendor poses to your organization).

To complete the questionnaire:

  1. To classify the vendor, the Relationship Owner completes the fifteen-question classification questionnaire and clicks “Submit.”
  2. The Risk Manager then reviews the questionnaire results and confirms the answers by clicking the “Confirm” button.

After the questionnaire is completed, the Risk Manager can either confirm the result or override it. Overriding to a lower impact level (for example, changing a medium-impact vendor to low impact) is not recommended: the vendor then receives a shorter assessment than its answers warrant, which directly reduces the effectiveness of the tool. Overriding to a higher impact level (for example, changing a medium-impact vendor to high impact) does not degrade the results. The Risk Manager must confirm the classification before the process can move on to the assessment.

Conduct Vendor Self-Assessment

Your high- and medium-impact vendors should complete a vendor self-assessment.

  1. Once logged in, the vendor is prompted to complete the assessment.
  2. Each question has three possible answers: N/A, True, or False.
  3. A vendor may answer True only if every part of the question is true; otherwise the answer must be False.
  4. The vendor can skip questions and return to them later, but all questions must be answered before submitting.
  5. Once the assessment is submitted, the vendor receives a FISASCORE between 300 and 850.

Request Remediation

The remediation process gives the vendor a chance to improve their FISASCORE.

To assign a task for remediation:

  1. Select the vendor from the “List” or “Dashboard.”
  2. Click the active text for one of the items the vendor should remediate.
  3. Click the “Select” button and add text, attachments, and a due date if desired. (Clicking the “Selected” button again toggles it back to “Select.”)

Important to note: If the date field is left empty, the Risk Manager will have the option to assign a date by clicking on the “Assign Tasks” button.

The vendor is notified that they have been chosen to go through the remediation process, and the Risk Manager chooses which items the vendor should improve. The logic behind remediation is that the client wants to do business with the vendor but also wants the vendor to improve its security practices. Through the remediation process, the vendor has the opportunity to improve its FISASCORE.

Accept/Reject Vendor Evaluation

Once the vendor has gone through the assessment and, if chosen, the remediation process, the client can either accept or reject the vendor. This decision is typically made after the assessment, and it ends any remediation or assessment still in progress. Accepting a vendor means the client is aware of and accepts the vendor’s residual risks. Rejecting a vendor typically means the client will not accept those risks and will not do business with the vendor. It is the client’s responsibility to communicate the termination of the relationship to the vendor.

To either accept or reject a vendor:

  1. Click on the vendor in either the “List” or “Dashboard” view.
  2. Click on “Evaluation” and either choose “Accepted” or “Rejected” from the drop-down menu.
  3. If accepted, the vendor will be prompted to complete another assessment one year from the acceptance date.

Important to note: the following year, the client will be asked to complete another classification questionnaire, and the vendor will be asked to complete another assessment. If the vendor receives the same impact level, it may resubmit the previous year’s answers. The vendor may also change any answers, and will want to wherever doing so improves its FISASCORE.

FAQ

What is the difference between medium and high assessments?

After taking inventory of all vendors, the internal relationship owner (team member) is prompted to complete a classification questionnaire for each vendor. This questionnaire captures the scope of the vendor’s project or service and determines the vendor’s impact relative to the client. The result is a low, medium, or high impact classification. If a vendor is classified as low impact, the assessment is complete. Vendors classified as medium or high impact are given an assessment that corresponds to their rating.

A medium-impact vendor is one that poses some inherent risk to the organization due to the access they have to critical information while delivering their product or service. However, these vendor relationships are not likely to cause significant damage to the organization should an adverse incident occur.  Since the medium-impact vendor will have a lower impact in the case of an adverse event, the same extensive assessment will not be necessary for this particular vendor.

A data breach or information security incident related to a high-impact vendor could cause grievous harm to the organization in terms of financial losses, reputation damage, and/or regulatory actions.  A more extensive questionnaire will be necessary to assure that the client is defensible in the case of an adverse incident.

It’s important to note that a medium- or high-impact classification is relative to the client.  For example, a vendor may have a medium-impact classification for one client, and a high-impact classification for another.  The reasoning behind the classification step is to ensure that vendors receive the attention appropriate to their impact.

Classifications are based on these areas:

– Industry Sector: Certain industries are more prone to threats than others.

– Record or Data Type: Are confidential records shared with or accessed by this vendor?

– Record or Data Amount: How many confidential records are shared with or accessed by this vendor?

– Record or Data Amount: How many non-confidential records are shared with or accessed by this vendor?

– Access Method: Does this vendor have physical or logical access to the organization?

– Record or Data Transfer: Is confidential information taken offsite by this vendor?

– Product or Service Criticality: Does this vendor provide a service that is mission critical to the organization?

To answer the question directly: the two assessments differ according to the adverse impact a breach at the vendor would have on the client, and the length of the assessment reflects that impact.

Can I pre-determine or delete sections of questions that I don’t think are pertinent to the vendor being audited?

No.

The purpose of using VENDEFENSE is to objectively rate the risk of each vendor.  Deleting and pre-determining questions will actively work against this purpose.

A client can override a classification in order to send out a shorter questionnaire, but this is not recommended unless it increases the vendor’s impact level (for example, reclassifying a medium-impact vendor as high impact). By overriding a classification to a lower impact, the client is not using the program as intended and leaves gaps in its assessment of the vendor. In addition, any assessment that has been altered (questions removed or added) will not produce a FISASCORE, will not map to remediation, and cannot be reused by other customers who send evaluation requests to the same vendor.

Currently, there is not an option to add additional personalized questions in the assessment itself.  However, we are able to add customized questionnaires to capture the same information.

What happens if a vendor isn’t honest?

The assessment methodology within VENDEFENSE relies on self-assessments, so a vendor could be dishonest. Here are a few things to consider when the value of these self-assessments is questioned:

Completing due diligence

Due diligence requires that Risk Managers assess all of their vendors according to the vendors’ access to critical information. Vendors with high or medium impact must be evaluated using a comprehensive assessment methodology tied to industry standards. Ad hoc application, unsubstantiated exceptions, and/or subjectivity will not stand up in court. Due diligence requires reasonable action: the organization needs to ask the right questions of the vendor to be defensible, even if the vendor chooses to lie. Before beginning the assessment, VENDEFENSE requires vendors to attest that their responses are truthful. In the case of litigation, this acknowledgment can be used to establish the vendor’s culpability. The audit log in VENDEFENSE can also be used to demonstrate progress toward risk mitigation.

Validating a FISASCORE

VENDEFENSE also provides an option for the vendor to validate its FISASCORE. Validation entails a third party going through the assessment and verifying the truth of each answer.

More than just data 

VENDEFENSE is more than just vendor risk management.  Behind every piece of data is a person, and as a business, we owe it to them to make sure that their data is secure.  We should do this, not just because of the fear of legal action, but because it’s our personal responsibility.  VENDEFENSE facilitates these conversations and points out vulnerabilities so that both client and vendor can become better together.  More importantly, it’s better to have these conversations now, before it becomes an issue later.

How do I know if the items I selected and assigned in the remediation portal actually went out?

During the remediation process, the Risk Manager can tell whether the vendor has been notified from the state of the “Selected” and “Assign Tasks” buttons. Clicking “Select” on an item only marks it for remediation; no email is sent to the vendor until “Assign Tasks” is clicked.

In the sample above, the remediation items have been selected but the tasks have not yet been assigned, so nothing has gone out to the vendor. To finish assigning these tasks, the Risk Manager must click the “Assign Tasks” button.

To assign a task to a vendor:

  1. Click on the item so the accordion-style menu opens.
  2. Add any attachments and/or type any text that should be visible to the vendor.
    • Important to note: Nothing entered in these fields is shown to the vendor until the tasks have been assigned.
  3. Add a due date if applicable.
    • Hint: If multiple tasks share the same due date, leave the due date field empty. When the “Assign Tasks” button is clicked, there will be an option to assign one date to all of them.
  4. Click the “Select” button. Once toggled, the button shows as “Selected.”
    • Important to note: To de-select the item, click the button again and it toggles back to “Select.”
  5. Click “Assign Tasks.”
  6. If any due date fields were left empty, the client is prompted to select a due date; a calendar appears when clicking in the empty field.

How long should all of this take?

This chart lists each phase of the evaluation process, the user who has an active part in providing information and/or communicating during it, and the timeframe in which to complete its tasks.

Phase: Onboarding
Time line: 1-2 days
Active user: Risk Manager
Context: The risk manager (RM) is typically the administrator responsible for setting up users and arranging their privileges.

Phase: Inventory
Time line: on-going, as needed
Active user: Risk Manager
Context: During this stage, the RM assigns relationship owners to vendors. As business relationships change, it’s important to keep the inventory list as current as possible.

Phase: Classification
Time line: 1-2 days
Active user: Internal relationship owner
Context: The relationship owners are primarily the users who answer the questionnaire, as they work most directly with the vendor. The classification phase is easily one of the most important phases of the program, and the questionnaire should be answered as completely and thoughtfully as possible. There are only 10-15 questions in this phase, but they determine the vendor’s impact level relative to the client.

Phase: Assessment
Time line: 28 days
Active user: Vendor
Context: During this phase, the assessment matching the confirmed impact level is sent to the vendor. The assessment is very comprehensive and can take 4-5 hours to complete. The vendor will also have to set up its own team and assign questions to team members who have access to the information being asked for. With all of this in mind, it’s not uncommon for this phase to take longer than 28 days.

Phase: Treatment
Time line: 3-6 months
Active user: Vendor / Risk Manager
Context: Depending on the treatment selected, this phase can take up to 3-6 months. There is an option to accept or reject the vendor right away without validation or remediation; this is typical for vendors that score very high or very low, respectively. The client may instead choose to have the vendor go through validation, which involves scheduling a third party to go through the assessment process and may have to be booked months in advance. Another option is remediation, in which the client chooses items for the vendor to improve upon. These items take time to implement and enforce, and evidence must be presented to the client that they have been corrected.

Phase: Final Outcome
Time line: 1 year
Active user: Risk Manager
Context: After the assessment and treatment, the client has three options for handling the vendor’s risk:

– Accepted: the vendor’s evaluation is approved without further discovery into risks, and a follow-up evaluation is scheduled in 365 days.

– Accepted with risk agreement: the vendor’s evaluation is approved with full acknowledgment of the outstanding risks, and a follow-up evaluation is scheduled in 365 days.

– Rejected: the vendor’s evaluation ends without further discovery into risks. It is the client’s responsibility to inform the vendor of the decision.