UpGuard allows you to create and store risk assessments for any of your monitored vendors. The risk assessment feature allows you to:
Document your findings based on this evidence
Record who conducted the assessment
Set a reassessment date
Export the assessment as a PDF
Make the assessment visible within the app to all the users of your account
Creating a risk assessment
Step 1: Monitor the vendor
Before you can create a risk assessment, you need to be monitoring the vendor. If you aren't currently monitoring the vendor you want to assess, you can learn how to monitor them here.
Step 2: Select the vendor
If you're already monitoring them, you can find the vendor by clicking on the Vendors section under Vendor Risk in the sidebar, marked 1 in the screenshot below. Now that you've chosen your vendor, click on Risk Assessment in the side panel.
Step 3: Conduct an assessment
If you haven't assessed the vendor, you should see a screen similar to the screenshot shown above. Click either Conduct Assessment button to proceed.
Step 4: Gather and select evidence
The next step is to gather and select the evidence you wish to use as part of your risk assessment. There are a variety of ways to do this. You can:
Select Automated Scanning risks identified from domains and IP addresses
Send a security questionnaire (1)
Upload additional evidence (2)
Or request access to shared assets that the vendor has made available (3)
Step 5: Review the risks and request remediation
Based on the evidence selected, UpGuard will categorize and display the relevant risks for you to review and decide what action you will take for each.
This step also includes the ability to request remediation for any risks you believe the vendor can or should resolve. At the top of the Review Risk section, you can see a "Remediation Summary" which allows you to create or amend a remediation request linked to this risk assessment. Click the "Request remediation" button to select any risks you want to be remediated.
Once you've requested remediation, the status of the risks will be shown in the remediation summary. You can add or remove risks from the request, or click through to the request to view more details on its progress or correspond with the vendor.
You can still complete your assessment whilst remediation is in progress - the remediation summary will continue to update within the completed assessment until it is eventually closed.
Step 6: Write your commentary
Now that you've reviewed the risks, it's time to write up any notes you wish to include in the "Add commentary" section. This section may be used to document any risks you intend to remediate, or risk waivers you are going to create for risks that have sufficient controls in place.
Step 7: Complete the assessment and define a reassessment date
Now that you've finished conducting your risk assessment, click on the Complete Assessment -> button in the bottom right corner, and define a date to reassess the vendor in the future.