UpGuard's third-party risk management services let you offload the work of assessing your vendors to our team of security analysts.
Add a Vendor
To add a vendor to your Managed Vendors, you must have the Vendor Management Admin permission. If you don't have this role, please contact your account administrator.
If you have the required permissions, you should see Managed Vendors under Vendor Risk in the sidebar.
Alternatively, you can use this link: Managed Vendors
If this is your first time adding a managed vendor, your screen will look similar to the screenshot below. Click Request a managed service.
If you or your team have added a vendor in the past, your screen will look similar to the screenshot below. As above, click Request a managed service to add another.
If a vendor has a currently active managed service, a new managed service cannot be requested until the current one is marked as complete by an analyst. Such entries will be disabled.
After a vendor is selected, you can proceed to the next step.
Request New Assessment
When you click Request New Assessment, you’ll be asked to select your vendor. You can search by name or URL. In this example, I’ll be adding Canva as a managed vendor by searching for Canva. When you are happy with your selection, click Confirm and next in the bottom right corner of your screen.
From here, you’ll be taken to Managed service details, which lets you specify:
- A service level (if your organization has purchased more than one type)
- Vendor contact information
- Vendor importance
- Whether the vendor has been notified to let them know that UpGuard will be assessing them on your behalf
- Your relationship with the vendor
- Any other information you wish to provide
Vendor information
In the next step, you will need to fill in some basic information about the vendor, such as contact, tiers, and labels. A contact and tier must be selected to proceed to the next step. Existing contacts for that vendor will be listed; alternatively, you can enter a new contact.
Assessment information
The final step is to fill in information about the assessment to be performed. This information is intended to be viewed by the analyst to guide the assessment. It includes the service level and various questions required by the analysts.
In general, more information is better as our analysts will use this information to establish the required scope of the service and to identify any areas that need to be focused on.
Once you are happy with the information you have provided, click Submit in the bottom right corner of your screen to add the vendor to your Managed Vendors.
Once you have submitted your request, we'll send a notification to our team of analysts who will be assigned to the task. If there are any special considerations for the scope of the assessment or its due date, you can reach your analyst by contacting support or through in-app chat.
Managed Service Status and Tiers
You can keep track of the status of any active requests here too. Depending on the service level of your request, there are many possible statuses.
To see the details of a request and edit it, select it from the list of requests. Customers can edit or delete a managed service after it has been requested in this view. Once an analyst has started work on the managed service, customers can no longer downgrade the service level or delete the request.
Changing the service level
The service level can be changed by clicking the edit icon next to the service level. This will bring up a modal allowing the customer to request a new service level. Once the assessment has been started by an analyst, the service level cannot be downgraded, i.e. if the service level is risk assessment, once started it can be changed to risk remediation but not evidence gathering. The edit icon will only appear if it is possible for the customer to change the service level.
Analysts can override the service level at any time, so if a customer needs to downgrade the service level after the assessment is started, they can contact the analyst to negotiate this change.
Deleting requests
If a customer requests a managed service by accident or changes their mind, they can delete a request using the delete request button in the top right. This option is only available if an analyst has not started work on the assessment.
Analysts can still delete requests after the managed service has been started. If a customer needs to delete a started managed service, they can contact the analyst to negotiate this.
Editing assessment information
The assessment information can be edited at any time by clicking the edit icon.
Other information
The details view also includes:
- The vendor this service is for
- The service status
- The vendor contact
- The analyst assigned (once the assessment has been started)
- The date requested
- The date updated
- The date completed (once completed)
- Notes added by the UpGuard analyst to communicate any further detail about the request or request status
The progress of the request is also shown, including assessment, questionnaire and remediation status based on the service level selected. Detailed status information is as follows:
Evidence chasing:
- Requested: Your request has been submitted to our team of analysts but work has not yet started.
- Gathering Evidence: Your analyst has sent a questionnaire to the vendor.
- Reviewing Evidence: The questionnaire has been submitted by the vendor and is being reviewed by the analyst along with any additional evidence provided.
- Complete - View Questionnaire: The questionnaire is complete and is available for you to review.
Risk assessment:
- Requested: Your request has been submitted to our team of analysts but work has not yet started.
- Gathering Evidence: Your analyst has sent a questionnaire to the vendor.
- Reviewing Evidence: The questionnaire has been submitted by the vendor and is being reviewed by the analyst along with any additional evidence provided.
- Performing Risk Assessment: Your analyst is assessing the vendor based on UpGuard's automated scanning results, the submitted security questionnaire, and additional evidence provided.
- Complete - View Risk Assessment: The risk assessment is complete and available for you to review.
Risk remediation:
- Requested: Your request has been submitted to our team of analysts but work has not yet started.
- Gathering Evidence: Your analyst has sent a questionnaire to the vendor.
- Reviewing Evidence: The questionnaire has been submitted by the vendor and is being reviewed by the analyst along with any additional evidence provided.
- Performing Risk Assessment: Your analyst is assessing the vendor based on UpGuard's automated scanning results, the submitted security questionnaire, and additional evidence provided.
- Planning Remediation: Your analyst will work with you to determine which risks should be remediated and create a remediation plan.
- Remediating Risks: The remediation plan has been submitted to the vendor. Your analyst will work with the vendor to remediate the identified risks.
- Reviewing Remediation: Your vendor has submitted the remediation plan for review. The analyst will review the results to determine if the vendor has remediated the identified issues.
- Complete - View Risk Remediation: The remediation workflow is complete and available for you to review.
You can export information related to your Managed Vendor requests by selecting export from the Managed Services screen.
As our third-party risk management services work on a yearly cadence, the status of your requests will move to Annual Review Coming Up after 10 months of being complete and then to Annual Review Overdue after 12 months. This ensures that your vendors are assessed on an annual basis.