There are many actions you can undertake within the UpGuard platform to help understand the level of risk associated with your vendors. UpGuard offers a complete vendor risk assessment framework, packaged in a single workflow, which allows you to compile all your risk assessment activities and information, assess and comment on the level of risk a vendor poses to your organization, and save the result as a point-in-time assessment for future reference and comparison. In this article we suggest a recommended approach for performing risk assessments to help you get the most out of this feature within the UpGuard platform.
Why use the risk assessment framework?
To ensure you have a complete picture of a vendor's risk profile you may need to combine information from different sources, including automated scanning, questionnaires, and additional evidence documents. If all these tasks are performed individually it can be difficult to keep track of this disparate information and compile it into a state that gives you an overall picture of the level of risk a vendor poses to your organization, and of how that risk is changing over time. This is where risk assessments come in.
The risk assessment framework gives you a way to systematically work through all the steps required to perform a comprehensive vendor risk assessment. This includes the review of automated scanning results, questionnaire responses, and the remediation of any risks uncovered by these processes. This point-in-time view of a vendor's risk profile can be repeated at regular intervals to understand how risk changes over time.
The vendor summary page brings together all the evidence and activities under the risk assessment framework. It helps you quickly determine the assessment state of the vendor, allowing you to manage your workflow and follow up on activities or schedule re-assessments as needed.
UpGuard’s Vendor Risk Assessment workflow is flexible enough to support different levels of assessment, from a quick review of automated scanning results to a full assessment including questionnaires and gathering additional evidence from the vendor. The following approach covers the full scope of a risk assessment. You might use this full scope for a Tier One vendor, one that poses a meaningful risk to your organization because of the data they will be handling. For a lower criticality vendor, or when a previous risk assessment has already been performed, it may only be necessary to undertake a portion of the steps.
The risk assessment workflow comprises three main stages which are outlined below.
Stage 1: Gather and Select Evidence
This stage is about collecting all the information needed to assess the risk level of a vendor. The amount of evidence required is likely to vary depending on the risk the vendor poses to your organization, which is usually managed by tiering your vendors, so you should decide upfront what you need based on the vendor's Tier.
Send security questionnaires to help identify potential weaknesses among your vendors by gathering information that automated scanning cannot surface, such as details of their security policies and internal controls. Plan ahead to understand which questionnaires are appropriate or required for a particular vendor based on your relationship with that vendor, their Tier (criticality) and industry. Set a due date for each questionnaire that leaves sufficient time to review and follow up on the information provided before the risk assessment is completed.
Attach any additional evidence regarding the security posture of the vendor. This could include information which is publicly available, made available by the vendor through their UpGuard shared profile, or documentation you have gathered through discussions with the vendor. Useful examples are SOC 2 Type 2 audit reports, other regulatory audit reports, and previous security assessments.
Review the list of risks found by automated scanning in the vendor's risk profile. Review any waivers that are in place to confirm the justification still holds; a waiver granted on the strength of evidence that is now out of date should not be carried forward unexamined.
Stage 2: Review risks
If you have gathered all the evidence in Stage 1 ahead of time, it will be easier to move on to reviewing and assessing the risks. During this stage you should decide which automated scanning and questionnaire risks need to be remediated, based on the nature of each risk, the evidence provided, and the criticality of the vendor.
You can request remediation on a risk or group of risks as part of this stage of the risk assessment workflow. Set a due date for remediation that is in line with your assessment timelines but still allows sufficient time for the vendor to take appropriate action. Provide enough detail in your message to the recipient so they understand why the risk needs to be remediated.
You may also choose to waive a risk if the vendor has provided sufficient information about the controls they have in place; this can be done within the risk assessment by expanding one of the risks. Record the evidence you relied on when waiving so that the waiver can be re-evaluated at the next assessment.
Stage 3: Add commentary
Once you are satisfied that you have assessed all evidence and risks and compiled all the responses from your vendor, use the commentary section to summarize the results of your risk assessment. The summary should take into account the Tier and level of risk the vendor poses to your organization, and include any key pieces of evidence or key risks, any follow-up actions you recommend to improve the vendor's risk profile, and any overall recommendations for dealing with this vendor.
Plan for re-assessment
For vendors you have an ongoing relationship with, set a re-assessment date, taking into account the level of risk this vendor poses to your organization, as well as your operating cadence for performing risk assessments.
Performing regular risk assessments using this framework should ensure you have a comprehensive and common understanding of your vendors’ security posture, a central place to find any information pertaining to their risk profile, and a clear picture of how this has changed over time.
For detailed information on how to perform risk assessments within the platform, refer to How to complete a risk assessment.