Evaluate vendors, address risks, and run assessments
- Step 1: Refine security profile controls
- Step 2: Send a gap questionnaire
- Step 3: Address Risks
- Step 4: Evaluate & run assessments
This guide discusses functionality from across product tiers and may reference functionality not available on your account.
Step 1: Refine security profile controls
UpGuard’s Security Profile has a predefined list of controls mapped to ISO and NIST standards. Read through the list and remove any controls that your business does not need to assess against.
Have a mature TPRM process, or use a framework other than NIST/ISO? Skip to Step 4 for a suggested workflow.
Level-up: when you're ready to scale, create a matrix mapping controls to vendor tiers. Refer to your matrix whenever you refine controls so that the process stays consistent across vendors.
Step 2: Send a gap questionnaire
Even after adding evidence, you might still be missing information you need. Send a gap questionnaire to collect that data. The goal is a complete picture: everything you need in order to evaluate the vendor.
Step 3: Address Risks
As you add evidence, UpGuard begins showing risks so that you can take action. Start with vendors in your most critical tier and work through each risk. For each risk, take one of two actions:
- Request remediation when there is a risk you need the vendor to address. Added benefit: requesting remediation creates an audit trail showing that you were aware of the risk, flagged it to the vendor, and asked for it to be fixed.
- Waive a risk when you don't need the vendor to address it, or when it isn't actually a risk to you.
Tip: If a vendor has multiple open risks that need to be addressed, you can request remediation in bulk.
Step 4: Evaluate & run assessments
You've been evaluating vendors as you go, but once you've finished adding evidence and sending questionnaires you can do a more formal evaluation and assessment. As always, start with vendors in your most critical tier and work your way down.
- New to TPRM: use the Security Profile to get an (almost) instant understanding of potential risks, then run an assessment.
- Using NIST or ISO frameworks: use the Security Profile to compare vendors against NIST and ISO controls, then run an assessment.
- Have a mature TPRM process, or use a framework other than NIST/ISO: compare the Security Profile controls with your own standards, remove any controls that aren't applicable, and then send a questionnaire that gathers the additional data you need. Use the Security Profile to run the initial assessment, then edit it to add any details not captured by the default controls. Alternatively, run a classic assessment by uploading evidence and writing the full assessment from scratch.