How to manage vendor remediation requests with UpGuard

Manage remediation requests for your third-party vendors using UpGuard Vendor Risk.

Written by Caitlin Postal

With UpGuard Vendor Risk, you can manage all of your vendor-related remediation activities. You can create, access, and respond to remediation requests sent to your vendor. Each remediation request outlines the risks that need to be remediated, the requester, and any correspondence between you and your vendor. You can access current vendor remediation risks in the Remediation section of Vendor Risk, or you can access requests by vendor.

This article includes sections that guide you through how to access your remediation requests, how to send a vendor remediation request, how to update an existing remediation request, how to export your internal requests, how to complete requests, and how to archive individual requests.

Navigate to the Remediation option under Vendor Risk in the side navigation menu. From the Remediation page, you can review a list of your active remediation requests. You can also create new remediation requests from this page.

You can also review requests by type with the tab options:

  • Active

  • In progress

  • Awaiting review

  • Completed

  • Archived

  • Drafts

Each row displays the vendor, the title of the request, the risk categories involved in the request, the number of open risks, the number of impacted assets, the last updated date, and the current status. You can select any request from the list to access additional details about the request or to update it as needed.

Requesting remediation from a vendor

As you manage potential risk findings, you may need to involve additional parties in the remediation process. You can open a remediation request with the following methods:

  • Review a specific vendor’s Risk Profile and request remediation for identified risks.

  • Navigate to a specific vendor’s Remediation page to select risks for a remediation request.

  • Open a remediation request based on evidence identified in a vendor’s risk assessment.

  • Use the Remediation module within Vendor Risk to select a vendor, then select risks to include in a remediation request.

The vendor-specific flows are the most common method used to open remediation requests with a vendor. This section will guide you through the first option: creating a remediation request from a vendor’s Risk Profile.

To begin, navigate to a specific vendor’s Risk Profile. You can initiate your remediation request with the Request remediation button, which is available for all identified risks and for individual risks.

You can then select the risk findings that will be associated with this request. Your list may differ from the risks included in the sample image. If you have not sent a questionnaire to the vendor, you will only be able to select risk findings that result from automated scanning. You may wish to send a security questionnaire to your vendor so that you can account for other types of remediation needs.

All findings appear with highest severity first, by default. Each finding will also list the impacted assets. You can expand the row to identify all domains and IP addresses associated with the finding. You can also use the search bar to find specific risks, or use the dropdown feature to view risks in a given category.

As you select specific findings to incorporate in this request, the remediation planner will evaluate how resolving these risks will impact your security rating. You can use dynamic estimation to evaluate how remediation will affect your organization.

When you are satisfied with the selection of risks, press Confirm and next to proceed to the Review and send page.

From the Review and send page, you can supply the vendor's contact information, set a scheduled due date, and draft a message to communicate the needs associated with the full request. When you are ready, press Submit request to send the request to your recipients.

After the request has been sent, you will be able to track progress in the Remediation requests table on the Remediation page.

You can select any request from this table to review the status or update the request as needed.

Editing an existing vendor remediation request

If you need to update an existing remediation request, select the corresponding request from the list in the Remediation requests section. The Remediation Request details page will open with a summary of the request, additional information about the risks that are under remediation, any correspondence about the requests, and the current progress state with a timeline of events.

You can add or remove risks from this request from the Risks section. You can also access additional information about specific risks and impacted assets from the list of risks.

You can update the request status in the Summary section. You can update the title of the request, change the deadline, and add additional collaborators.

You can also use the Messages option in the upper right to communicate with your collaborators about this remediation request. Click the Messages button to open the messaging pane.

Exporting vendor remediation requests

You may want to export remediation activity to incorporate the information into a stakeholder report. You can export a full set of remediation activities or an individual remediation request from the UpGuard platform. Our export feature supports PDF and Excel formats, which you can select according to your needs.

From an individual request's page or using the multi-select option on the Remediation page, identify which requests you plan to incorporate into the export report, then press the Export button.

You will have the opportunity to define the export details.

Select the following information to include in your export:

  • Format: You can export information as either a PDF or an Excel document.

  • Select remediation requests to export: You can select which category of requests to include in the report.

  • Select information to include in export: You can add risk details and impacted assets to the report.

  • Frequency: You can export a single report, or create a recurring export to generate on the cadence you supply.

  • Report delivery: You can export these requests within UpGuard's Reports section and you can also send the report directly via email.

If you are exporting a single remediation request, you will be able to apply this additional parameter:

  • Select which sections you would like to export: You can include different types of risks (unremediated, partially remediated, waived, and remediated) with additional descriptions and impacted assets. You can also opt to include a timeline of events for the remediation request.

When you are satisfied with the information configured for the report, click Export. The exported remediation request will be delivered in the method you selected. You can navigate to the Reports section to access the newly generated report containing the details for the requests you selected.

Archiving vendor remediation requests

If you have an extensive list of completed remediation requests or you no longer wish to proceed with an in-progress request, you can archive any request to remove it from the active requests panel. You can archive individual requests or a set of requests.

From your Remediation page, identify which request you wish to archive. Click the archive icon to archive a single request, or select multiple requests and use the Archive button that appears. You can also archive an individual request from that request's details page.

A modal will appear, where you can confirm that you intend to archive this request.

From the Archived tab, you can reactivate requests to move them back into your Active queue.

You can also delete archived requests, which will remove all data associated with the request. Deletion cannot be undone, so it is important to be sure that you do not wish to maintain a record of this remediation request.
