Our Vendor Risk Report feature generates a downloadable PDF that summarizes the security posture of any of your monitored vendors. The report is designed to be shared with internal and external stakeholders who are not UpGuard users, such as a colleague, board member or employees of the associated vendor.
The language is simple, easy to understand, and suitable for non-technical audiences.
When shared with colleagues, reports can be used to drive decision-making, speed up vendor due diligence, and highlight high-risk vendors that should no longer be used.
When shared with vendors, the report can aid in remediation efforts. Giving vendors access to their risk profile creates open, effective dialogue and empowers them to take action to remediate risks. This directly translates to a reduced risk for your organization.
To aid in remediation efforts, the report unpacks the vendor's security posture into eight underlying categories: questionnaire, risk assessment, website, email security, network security, reputation, phishing & malware, and brand protection.
Each category outlines individual risks and the domains impacted, and provides remediation advice. The most severe risks in each category appear first.
What makes these reports so effective is UpGuard’s ability to combine real-time threat signals with traditional risk management techniques. This combination provides a complete picture of the vendor’s cybersecurity risk.
Reports can be based on a risk assessment conducted on the UpGuard platform or a combination of automated scanning results, security questionnaires, and additional evidence. If a report is based on a risk assessment, automated scanning results (and any other information) will be based on the data available at the time of the assessment. Otherwise, results are based on the latest available information.
These configuration options provide flexibility, while ensuring that the report can provide a complete overview of your vendor’s risk profile.
If you would like to cobrand vendor risk reports, please reach out to us via firstname.lastname@example.org or by clicking the chat icon in the lower-left corner of your screen.
Generating a report
Step 1: Monitor the vendor
Before you can capture evidence, you need to be monitoring the vendor. If you aren't currently monitoring the vendor, you can learn how to monitor them here.
Step 2: Select the vendor
If you’re already monitoring the vendor, you can find the vendor by clicking on the “Vendors” section under Vendor Risk in the sidebar.
In the example below, I’ve chosen UpGuard as the vendor.
Step 3: Start the process
To get started, click “Generate Vendor Report” in the top right of your screen, next to “Export”.
Step 4: Risk assessment configuration
If you have completed a risk assessment for the vendor, you can choose to base the report on the risk assessment.
Selecting a risk assessment as the basis for the report means that the selection of data sources can be skipped: all data will be drawn from the data sources used for the assessment. This means identified risks and security ratings will be as of the date when the assessment was published. For example, if you published an assessment on 26/08/2020, all data would be from that date.
If you choose not to base the report on a risk assessment, the report will use the latest available data, which can be configured in the next step.
Step 5: Data source configuration (optional)
As noted in step 4, you will only see this screen if you choose not to base the report on a risk assessment. In this step, you can choose to include automated scanning, security questionnaires, and additional evidence as shown below.
Your configuration choices will determine the set of risks that appear in the report.
If you haven’t received a completed security questionnaire and/or added any additional evidence, your screen will look similar to the one below.
Step 6: Risk details configuration
Now you need to configure the inclusion of risk details. We recommend including risk details as it allows the vendor to see which sites are impacted by each identified risk. Risk details provide context to your vendor and aid in remediation efforts.
Step 7: Download report
Like all exports in the UpGuard platform, your report will be made available for download via our reports page.