
Vendor Risk Guide 2: Vendor Set Up and Monitoring

Set up vendor attributes, monitor and evaluate vendors

This guide discusses functionality from across product tiers and may reference functionality not available on your account.

Step 1: Set up vendor attributes

If you already have a TPRM process — excellent! The fields below will help bring your process into UpGuard. If you don’t have a process yet — the below will help you get started. 

  • Add and edit tiers. Tiers classify the level of risk a vendor poses to you. You’ll evaluate and prioritize vendors based on tiers. If you’re new to TPRM, start by defining what your tiers will be.
  • Create labels. Add labels (tags) that help identify the access level a vendor has (e.g. what data will they be able to see). 
  • Create portfolios. Create a portfolio for each internal business unit that owns a vendor.
  • Create custom attributes. Custom attributes are fields for tracking any non-standard data. Skip these for now, or use them to bring in data from other systems via an integration.  
  • Edit the vendor relationship questionnaire (VRQ). You send the VRQ internally, and you’ll use it to understand: 1) the level of data a vendor has (or will have) access to, 2) whether the vendor will have to abide by specific frameworks (e.g. HIPAA), and 3) whatever you need to know to be able to tier the vendor. Tailor the form so that you get the answers you need.

Step 2: Monitor vendors

  • List vendors you work with. You can monitor vendors individually, but if you list vendors in a .csv file, you can add a tier, portfolio, label, etc., and then bulk import the list.
  • Monitor vendors in UpGuard. Monitor vendors individually or in bulk. For each vendor, add a:
    • tier
    • label
    • portfolio
    • point of contact (this is the person at the vendor’s company who can help you get the information you need) 

Step 3: Gather evidence 

Starting with your most critical tier and working your way down, add evidence for each vendor. In tandem, you can begin remediating and waiving risks.

The goal here is to add the evidence you need to be able to determine if a vendor meets your security requirements and understand what risks there are (and if they need to be addressed).

  • Add evidence from Shared With Me. The Shared With Me tab lists all of your vendors with existing trust pages (e.g. shareable security evidence). Request evidence from all vendors where it’s available.
  • Check if UpGuard has preloaded evidence for the vendor. We’ve uploaded evidence for 200+ of our customers’ most popular vendors. Go to Vendor > Additional evidence to see if we’ve already added evidence.
  • Add additional security documentation and evidence. Now, go back through and fill in the gaps. Example evidence to add: SOC 2 reports, pen tests.

Up next: Getting Started with Vendor Risk: Part 3