Getting Started with Vendor Risk: Part 2

Set up vendor attributes, monitor and evaluate vendors

This guide discusses functionality from across product tiers and may reference functionality not available on your account.

Step 1: Set up vendor attributes

If you already have a third-party risk management (TPRM) process, excellent: the fields below will help you bring that process into UpGuard. If you don’t have a process yet, the same fields will help you get one started.

  • Add and edit tiers. Tiers classify the level of risk a vendor poses to you, and you’ll evaluate and prioritize vendors based on them. If you’re new to this, start by defining a few levels of risk (for example critical, high and low); those will be your tiers.
  • Create labels. Add labels (tags) that identify the access level a vendor has (e.g. what data they will be able to see). 
  • Create portfolios. Create a portfolio for each internal business unit that owns a vendor.
  • Create custom attributes. Custom attributes are fields for tracking any non-standard data. Skip these for now, or use them to bring in data from other systems via an integration.  
  • Edit the vendor relationship questionnaire (VRQ). You send the VRQ internally and you’ll use it to understand: 1) the level of data a vendor has (or will have) access to and 2) whatever you need to know to be able to tier the vendor. Tailor the form so that you get the answers you need.

Step 2: Monitor vendors

  • List vendors you work with. You can monitor vendors individually, but if you list vendors in a .csv file you can add a tier, portfolio, label, etc. to each row and then bulk import the whole list.
  • Monitor vendors in UpGuard. Monitor vendors individually or in bulk. For each vendor, add a:
    • tier
    • label
    • portfolio
    • point of contact (this is the person at the vendor’s company who can help you get the information you need) 
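
Before bulk importing, it is worth checking the vendor list against the tiers, portfolios and labels you defined in Step 1, so that typos don’t create stray tiers or leave a vendor unclassified. The script below is an added example, not UpGuard’s own code or import template: the column names, the tier, portfolio and label values, and the sample vendors are all assumed, and you should match the columns to the import template UpGuard provides. It rejects rows with malformed domains, unknown tier/portfolio/label values, duplicate domains and contacts whose email domain does not match the vendor’s domain, and writes the accepted rows back out with the most critical tier first.

```python
"""
Added example (not UpGuard's code): validate a vendor list before bulk import.

Assumptions (not from the UpGuard docs):
  - column names: name, domain, tier, portfolio, labels, contact
  - labels are separated by ";" within the labels column
  - tiers, portfolios and labels must match the values you defined in Step 1
Check UpGuard's import template for the real column names before using this.
"""
import csv
import io
import re

# Values you would have defined in Step 1 (assumed names).
TIERS = {"Tier 1", "Tier 2", "Tier 3"}
PORTFOLIOS = {"Finance", "Engineering", "HR"}
LABELS = {"Customer PII", "Source Code", "No Data Access"}

REQUIRED = ["name", "domain", "tier", "portfolio", "labels", "contact"]
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")
EMAIL_RE = re.compile(r"^[^@\s]+@([^@\s]+)$")


def field(row, key):
    """Return a stripped cell value, treating a missing cell as empty."""
    return (row.get(key) or "").strip()


def validate_row(row, seen_domains):
    """Return a list of error strings for one CSV row (empty list = accepted)."""
    errors = []
    domain = field(row, "domain").lower()
    if not DOMAIN_RE.match(domain):
        errors.append(f"bad domain {field(row, 'domain')!r}")
    elif domain in seen_domains:
        errors.append(f"duplicate domain {domain}")
    tier = field(row, "tier")
    if tier not in TIERS:
        errors.append(f"unknown tier {tier!r}")
    portfolio = field(row, "portfolio")
    if portfolio not in PORTFOLIOS:
        errors.append(f"unknown portfolio {portfolio!r}")
    labels = {x.strip() for x in field(row, "labels").split(";") if x.strip()}
    unknown = labels - LABELS
    if unknown:
        errors.append(f"unknown labels {sorted(unknown)}")
    contact = field(row, "contact")
    m = EMAIL_RE.match(contact)
    if not m:
        errors.append(f"bad contact email {contact!r}")
    elif m.group(1).lower() != domain:
        # A vendor contact should normally be at the vendor's own domain;
        # flag mismatches so they get checked rather than silently imported.
        errors.append(f"contact domain {m.group(1)} != vendor domain {domain}")
    return errors


def validate_csv(text):
    """Parse CSV text; return (accepted_rows, errors) with errors as (line_no, msg)."""
    reader = csv.DictReader(io.StringIO(text))
    missing = [c for c in REQUIRED if c not in (reader.fieldnames or [])]
    if missing:
        return [], [(1, f"missing columns {missing}")]
    accepted, errors, seen = [], [], set()
    for line_no, row in enumerate(reader, start=2):  # line 1 is the header
        row_errors = validate_row(row, seen)
        if row_errors:
            errors.extend((line_no, e) for e in row_errors)
            continue
        row["domain"] = field(row, "domain").lower()  # normalise for dedup
        seen.add(row["domain"])
        accepted.append(row)
    return accepted, errors


def to_import_csv(rows):
    """Serialise accepted rows back to CSV, most critical tier first."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=REQUIRED, lineterminator="\n")
    writer.writeheader()
    for row in sorted(rows, key=lambda r: r["tier"]):
        writer.writerow({k: row[k] for k in REQUIRED})
    return out.getvalue()


# Constructed sample input (not real vendors).
SAMPLE = """name,domain,tier,portfolio,labels,contact
Payroll Co,payroll.example,Tier 1,HR,Customer PII,sec@payroll.example
Build Tools Inc,BUILDTOOLS.example,Tier 2,Engineering,Source Code,ops@buildtools.example
Swag Shop,swag-shop,Tier 3,Marketing,No Data Access,hi@swag-shop
Payroll Co (dup),payroll.example,Tier 1,HR,Customer PII,sec@payroll.example
Analytics LLC,analytics.example,Critical,Finance,Customer PII;Telemetry,bob@gmail.example
"""

if __name__ == "__main__":
    ok, bad = validate_csv(SAMPLE)
    for line_no, msg in bad:
        print(f"line {line_no}: {msg}")
    print(to_import_csv(ok))
```

Run against the constructed sample, the first two rows are accepted (with the domain lower-cased) and the remaining three are reported with the line number of the offending row, so the list can be fixed in the spreadsheet before it is uploaded.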

Step 3: Gather evidence 

Starting with your most critical tier and working your way down, add evidence for each vendor. In tandem, you can begin remediating and waiving the risks that surface.

The goal here is to add the evidence you need to be able to determine if a vendor meets your security requirements and understand what risks there are (and if they need to be addressed).

Up next: Getting Started with Vendor Risk: Part 3