While we recommend that you use UpGuard's security questionnaires and automated scanning tools to assess your vendors, in some situations you may need to capture additional evidence about a vendor.
For example, you may send an UpGuard questionnaire to a large SaaS vendor only to be directed to a page on their website that proactively publishes complete security questionnaires, audit reports, and certificates. These documents can provide insights into the vendor's security posture and attack surface.
Our additional evidence feature allows you to capture and store this security or compliance-related documentation and any identified risks. Once identified, you can choose to include these risks in the vendor's risk profile, and cite them as part of your risk assessment for a vendor.
Note: There is a maximum file size of 10 MB on each upload.
Capturing additional evidence
Step 1: Monitor the vendor
Before you can capture evidence, you need to be monitoring the vendor. If you aren't currently monitoring the vendor, you can learn how to monitor them here.
Step 2: Select the vendor
If you're already monitoring them, you can find the vendor by clicking on the "Vendors" section under Vendor Risk in the sidebar.
In the example below, I've chosen example.com as the vendor and clicked on "Additional Evidence".
Step 3: Upload a new document
To get started, you can either:
Click "Upload new document"; or
Drag a file into the upload box.
Step 4: Name additional evidence
It's time to:
Name the additional evidence: By default, it is the name of the uploaded document with the date appended to the end.
Choose a document type: Choose between a questionnaire, SOC 2 report, ISO 27001 certificate, audit report, or other.
Record any comments: If necessary, leave your comments on the document by clicking on the comments section.
Name the document you uploaded: By default, it is the file-name of the uploaded document and its extension
Step 5: Capture identified risks
Now that you've named, labeled, and commented on your document, it's time to add identified risks by clicking "Add risk".
From here, follow the steps to add a specific risk to the document. You can either choose to use a previously created risk type or create a new one. In the screenshot below, I've chosen one that was previously created.
To create a new risk type, click on the observation text box and type your risk and click create:
From here, you'll need to enter the impact/consequence of the risk as well as its severity. When you're done, click "Add Risk".
Repeat this step as necessary until you've added all identified risks.
Step 6: Choose to include or exclude identified risks
Toggle to the right if you want to include the identified risks in the vendor's risk profile.
If included the finding, severity, and impact are displayed in the vendor’s risk profile.
And you will be able to cite the information inside our risk assessment feature under supporting evidence.