Monitor and remove vendors, access detailed information about your monitored vendors, and keep track of vendor assessments.
UpGuard's Vendor Risk is a self-service platform where you can automate your third party risk assessment workflows, receive instant notifications about your vendors' security, and streamline the vendor lifecycle management in a centralized dashboard. With Vendor Risk, you can monitor vendors that you have a relationship with, access information about your monitored vendors, manage vendor assessments, and set up notifications to alert you if a vendor's status changes. You can also send questionnaires to vendors to help you communicate and resolve potential risks.
In this guide, you will add new vendors in the UpGuard platform, as well as vendors without a current web presence. You will also access your vendor list summary for an overview of your monitored vendors' security risk postures.
Ensure that you have set up access to your company's account within the UpGuard platform and that you are logged in. Find the Vendor Risk heading in the left navigation menu and select the Vendors option to load your Vendors page. If you are already monitoring any vendors, they will appear here, organized by portfolio. If you have not yet added any vendors, the list will be blank.
To monitor a new vendor, press the Monitor new vendor button. A search box will appear where you can specify the vendor you want to add.
Type the URL of the vendor you want to monitor in the search field. UpGuard identifies vendors by their URL, though you can also search by the company's name. Entering the URL returns the most accurate results. If you are already monitoring a vendor with that URL, that company will appear in the Monitored Vendors list. If you are not yet monitoring that vendor, potential matches for that URL appear in the All search results list.
Your search may return more than one result. Select the URL for the vendor you wish to monitor. In this article, the URL example.com is used.
Once you select a vendor to monitor, the Monitor page for that vendor opens, where you can add more information about your relationship with the vendor.
Customizing your relationship with a new vendor
When you begin to monitor a new vendor, you can configure several options that define your relationship with that vendor. The Vendor summary box presents basic information about the vendor, including their current security rating. You can edit the Name field if desired. You can also select the vendor's industry from the Industry drop-down list, and you can add any notes specific to this vendor in the Notes field.
To initiate your relationship with the new vendor, you can send them an introductory questionnaire from the Vendor Relationship Questionnaire section.
You can categorize vendors in specific portfolios using the portfolio button in the heading. All monitored vendors must belong to at least one portfolio. See How to use portfolios to segment your vendors for more information on portfolios. If you have no portfolios configured, the Suppliers portfolio is selected by default.
In the Vendor tier section of the page, you can assign a tier to the new vendor. For more information about vendor tiers, see How to tier your vendors in UpGuard.
In the Labels section of the page, you can add one or more labels to specify the type of relationship you have with this vendor. These labels will be reflected in the vendor list within UpGuard. You can also create and apply your own custom labels from this page.
If you have other information you want to add about a vendor, use the Custom Attributes section. Press the Add attribute button, and the Add custom attribute modal will appear. You can add a custom attribute with a name and a value. That value can be text, a number, a date, a single-select list, or a multi-select list.
After you've finished customizing the vendor, press the Monitor vendor button. The vendor will be added to your list of monitored vendors, and the Vendor Summary for that vendor will open.
Importing vendors in bulk
To add vendors to list of monitored vendors, you can import a list of domains manually or by uploading a CSV file with vendor domains and additional information. Press the Import button on the Vendors page.
A modal will load with the option to enter a list of domains manually or upload a CSV file.
Your list of new vendors to be imported will appear. You can review this list for any corrections, then press Complete import when satisfied. You can also Start new import if needed. To add vendors in bulk with tiers, labels, portfolios, and custom attributes, use our guide on Importing Vendors, Tiers, Labels, Portfolios and Custom Attributes in UpGuard.
You can also bulk import vendors using the UpGuard API. Read our article on How to bulk import vendor information for support making this API call.
Adding a new vendor with no web presence
If you need to monitor a vendor without a web presence, you can add them manually in the Vendors module. Press the Monitor new vendor button to add a new vendor.
Before adding a vendor with no web presence, confirm the vendor actually has no web presence with our search function. You can input either the vendor's name or their URL to search for vendors. UpGuard will automatically scan a URL to find vendors and their associated assets. Use the Attempt to scan input_vendor_info option to run a new scan.
If our scans cannot find a vendor with that web presence, a modal will load with the option to Create a vendor with no web presence.
You can add the vendor's name and industry in the modal that loads, then press Create new vendor to add the vendor.
You'll then load the same page for adding a new vendor with the options to configure additional details, such as a business relationship, any relevant labels or tiers, and more. Include all the relevant relationship labels to ensure that your new vendor is categorized appropriately. Adding the relationship type will ensure that your organization can maintain clear communication with vendors that have access to privileged information.
Once you have finalized this information, click Monitor vendor to add this new vendor to your vendor portfolio. When the vendor has been added, your screen will load their vendor summary page. You can then send questionnaires, upload additional evidence, and create a risk assessment. Vendors need to return a questionnaire to receive a security rating, which will then activate the risk remediation workflow for your vendor relationship.
Viewing your vendor list summary
Once you have added vendors, your Vendors page will display a list of vendors being monitored, their security rating, and their risk assessment status. You can also add new vendors directly from this page.
You can organize this list using any of the headings, such as by tier or by date of assessment. You can also provide additional information in the Labels column, such as type of vendor relationship or other custom attributes.
You can customize your vendor table display using the Show fields option and retain this view for future sessions.
With the Assessment Summary option, you can access a summary of the risk assessment status across your vendors. The summary lists the number of vendor assessments that are in progress, overdue, due in the next 30 days, due in less than 30 days, not scheduled, and not assessed. You can use this summary to keep track of upcoming and overdue risk assessments.
With the Tier Summary option, you can generate an overview of how many vendors are categorized into which tiers. Vendor tiering categorizes vendors based on their threat criticality. You can use this option to focus your risk management efforts on vendors who pose higher security risks.
See also: