How to assess your vendors using AI-powered Security Profile and Instant Risk Assessments

AI-powered Security Profile and Instant Risk Assessments let you quickly and accurately assess your vendors. This feature is currently available to a limited Beta group.

The AI-powered Security Profile and Instant Risk Assessments in Vendor Risk allow you to use AI to improve and speed up the process of assessing your vendors in UpGuard Vendor Risk.

This feature allows you to:

  • Select and load any evidence you have for a vendor, including questionnaires and additional evidence, and use AI to scan that evidence, identify risks and gaps, and determine compliance with controls
  • Review the vendor’s security profile to determine the level of compliance and identify any risks and gaps
  • Seek further evidence from the vendor to address gaps or risks
  • Use AI to instantly generate risk assessment report commentary based on your evidence and findings
  • Publish a point-in-time risk assessment report including control compliance, gaps and risks, and contextual commentary by risk domain

The following outlines these steps.

Monitor the vendor

Before you can view a vendor’s Security Profile, you need to be monitoring the vendor. If you aren't currently monitoring the vendor you want to assess, you can learn how to monitor them here.

Select the vendor

If you're already monitoring them, you can find the vendor in the Vendors list under Vendor Risk in the sidebar. Once you have chosen the vendor, click on it or select Security Profile in the side panel:


Viewing the security profile

The security profile gives you an overall snapshot of your vendor's security posture. It consists of 81 security controls in 7 key domains: Security policies and processes, Asset management, Infrastructure Management, Data Protection, Application security, Risk Management and Operational resilience. It is designed to encompass security controls covered by key security frameworks and standards, and is structured by domain, control family, controls and checks to help you clearly pinpoint areas of strength and weakness for your vendors.

The checks in the security profile cover both risks and passed checks discovered through automated scanning, as well as those identified through review of security questionnaire responses and security documentation.

Control view

You can click on a control to view the details and status for that control. The following describes each control status, based on review of the available evidence:

  • Control met - all checks for a given control are met
  • Control partially met - some checks for a given control are met, and some require further evidence
  • Risks detected - at least one risk was identified for a given control
  • Evidence required - there is no evidence to inform the status of a given control

The control view also includes the control objective, a list of checks associated with that control, and any risks identified. You can choose to mark a control as N/A if it is not relevant for a given vendor or engagement. Controls marked as N/A will not contribute to your score or % compliance.

Check view

You can click on an individual check to view its status, risk details (where risks have been detected), and the citations found in the evidence that determined the check status. When reviewing the citations, you can choose to ignore the citation or the document if you don’t agree with the finding.


Summary

You can see a summarised view of your security profile, showing the % of controls met and the number of controls in each category.


The summary also shows you the status of security evidence requests and the risk assessment.



Viewing and assessing evidence

You can see the list of available evidence sources in the Evidence section. This will be a combination of questionnaires you have sourced or sent for a given vendor, additional evidence documents you have uploaded, public documents UpGuard has sourced, and documents and questionnaires shared by a vendor on their Trust Page. You can upload and select evidence, which will initiate a scan of the document or questionnaire to determine the status of controls and checks. Where a match is found, the citation will be added to the check, and the status changed to passed check or risk detected.

To do so, select Add evidence from the action button, or select the Settings icon on the Evidence Section.

You can then select or upload your sources of evidence, and Run analysis to initiate the AI scan.

This may take up to 10 minutes depending on the size and number of documents you are scanning, and the scan continues to run if you navigate away from the page.


Once your scan is complete you can review your security profile, examining the results on the Controls and Checks. You can choose to exclude controls and control families not relevant to the vendor by selecting the Settings icon in the Controls section to manage controls.

Requesting evidence

Once you have uploaded and scanned all your available evidence, you may still have gaps in your security profile and need to seek input from the vendor to address them. You can do that from the security profile by selecting Request evidence from the Actions menu.

This will trigger a questionnaire to be sent to the nominated vendor recipient to address the gaps in the security profile. The questionnaire will be prefilled with matches already found by the document scan in the Security profile, and will exclude any controls you have marked as not relevant, making it quicker and easier for vendors to respond. To learn more about Security Questionnaires in Vendor Risk, see What is a security questionnaire.
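The control statuses described in the Control view section, the % of controls met from the Summary (which excludes controls marked N/A), and the "gaps" that an evidence request is built from can all be modelled as a small roll-up over checks. The following Python is an added illustration, not UpGuard's code: the check statuses, sample controls and citation strings are constructed, and the precedence between statuses (a detected risk outranks a partially met result) is an assumption, since the page does not state it.

```python
"""Illustrative model of how control status, % controls met and evidence-request
gaps roll up from individual checks. Added example; not UpGuard's implementation.
Precedence between statuses is an assumption, as is all sample data below."""

from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Check-level outcomes as the page describes them: a check is met (passed),
# flagged as a risk, or has no evidence to inform it yet.
MET = "met"
RISK = "risk"
NO_EVIDENCE = "no_evidence"


@dataclass
class Check:
    name: str
    status: str
    citations: List[str] = field(default_factory=list)  # where in the evidence it was found


@dataclass
class Control:
    name: str
    checks: List[Check]
    not_applicable: bool = False  # marked N/A for this vendor or engagement


def control_status(control: Control) -> str:
    """Derive the control status from its checks.

    Assumed precedence (not stated on the page): any risk wins, then a fully
    met control, then no evidence at all, otherwise partially met. A control
    with no checks at all is treated as needing evidence."""
    statuses = [c.status for c in control.checks]
    if any(s == RISK for s in statuses):
        return "Risks detected"
    if statuses and all(s == MET for s in statuses):
        return "Control met"
    if all(s == NO_EVIDENCE for s in statuses):
        return "Evidence required"
    return "Control partially met"


def status_counts(controls: List[Control]) -> Dict[str, int]:
    """Number of applicable controls in each status, as the Summary shows."""
    counts: Dict[str, int] = {}
    for c in controls:
        if c.not_applicable:
            continue  # N/A controls are left out of the summary entirely
        status = control_status(c)
        counts[status] = counts.get(status, 0) + 1
    return counts


def percent_controls_met(controls: List[Control]) -> float:
    """Share of applicable controls whose status is "Control met".
    Controls marked N/A are excluded from both numerator and denominator."""
    applicable = [c for c in controls if not c.not_applicable]
    if not applicable:
        return 0.0
    met = sum(1 for c in applicable if control_status(c) == "Control met")
    return round(100.0 * met / len(applicable), 1)


def evidence_request_items(controls: List[Control]) -> List[Tuple[str, str]]:
    """Checks that would go into an evidence request: those with no evidence,
    on controls not marked N/A. Checks already matched by the scan are kept
    out, mirroring a questionnaire prefilled with existing matches."""
    return [
        (c.name, chk.name)
        for c in controls
        if not c.not_applicable
        for chk in c.checks
        if chk.status == NO_EVIDENCE
    ]


# Constructed sample data: one control per status, plus one marked N/A.
SAMPLE_CONTROLS = [
    Control("MFA enforced for staff", [
        Check("MFA on email", MET, ["policy.pdf p3"]),
        Check("MFA on VPN", MET, ["questionnaire answer 12"]),
    ]),
    Control("Encryption at rest", [
        Check("Databases encrypted", MET, ["policy.pdf p9"]),
        Check("Backups encrypted", NO_EVIDENCE),
    ]),
    Control("Vulnerability scanning", [
        Check("Scan cadence", RISK, ["questionnaire answer 30"]),
    ]),
    Control("Incident response plan", [
        Check("Plan documented", NO_EVIDENCE),
        Check("Plan tested", NO_EVIDENCE),
    ]),
    Control("Physical access", [Check("Badge access", NO_EVIDENCE)], not_applicable=True),
]

if __name__ == "__main__":
    for c in SAMPLE_CONTROLS:
        print(f"{c.name}: {'N/A' if c.not_applicable else control_status(c)}")
    print("counts:", status_counts(SAMPLE_CONTROLS))
    print("% controls met:", percent_controls_met(SAMPLE_CONTROLS))
    print("evidence request:", evidence_request_items(SAMPLE_CONTROLS))
```

With the sample data, the N/A control drops out of the denominator, so one met control out of four applicable ones gives 25%, and the evidence request contains only the three checks that still lack evidence on applicable controls.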


You can track the status of your evidence request in the Summary area. Once a vendor has responded to your questionnaire, you will receive a notification and will see the status change to In progress. You can then review responses in the questionnaire itself or against the checks in the Security profile.

Generating an Instant Risk Assessment

Once you are satisfied that you have enough information to assess the vendor, you can select Generate a risk assessment from the Actions button.

When you do this for the first time, it will kick off the AI report generation, which produces the report commentary. This usually takes less than 1 minute and generates an executive summary, vendor background, and a summary of each of the 7 security domains based on the evidence you included and your vendor’s risk profile. You can review and edit the commentary, or re-generate it at any time if you add or remove evidence or change a control status.


You can also highlight key risks by selecting the tick next to each risk. Only key risks will be listed in the published (PDF) report.


Publishing a risk assessment report and scheduling a re-assessment

Once you are happy with your commentary and assessment, you can choose to publish your assessment and set a re-assessment date. This will save a point-in-time view of your risk assessment and allow you to generate a PDF report which can be shared with others in your organization.

To generate a report, select Security profile risk assessment report from the Generate report menu.

You can then access and share your report from the Generated reports section. Your generated report will summarise the findings of your Security profile risk management and assessment.