Vendors


What is it?

Vendors are various companies from whom you have purchased software or services that you use to run your business.

For example, Microsoft, Salesforce, and Okta are vendors. One vendor can provide you with many Systems. For example, Microsoft is a vendor, and it provides you with many systems like Azure AD, Confluence, Office 365, etc.

Your Vendors page helps you conduct vendor risk assessments, manage your existing vendor relationships, and consolidate any potential documents that you were keeping elsewhere.

Third-Party Risk Management (TPRA) or Vendor Risk Assessments

Note: This is currently available as an open beta. Contact us to get started.

Third-party risk assessments (TPRA) provide insights into the potential risks posed by your vendors. Comprehensive evaluations shed light on how your vendors handle your data and the associated threats. Undertaking these assessments is not only mandated by numerous standards but is also crucial in minimizing business disruptions by proactively addressing third-party risks.
In general, third-party assessments can be broken down into 4 steps:

  1. Identification of Risks: Assess the potential threats and vulnerabilities introduced by engaging with an external vendor, considering factors such as data security, compliance, and operational risks.
  2. Due Diligence: Conduct thorough background checks on vendors, reviewing their security protocols, financial stability, and past performance to ensure they meet organizational standards. This is typically accomplished via a vendor risk assessment, a security questionnaire that is sent out to the vendor, or analysis of a vendor’s published TrustShare profile.
  3. Continuous Monitoring: Implement ongoing oversight of vendor activities and performance, ensuring they remain compliant with contractual obligations and industry standards. Frequent risk assessments and due diligence contribute to effective monitoring.
  4. Mitigation Strategies: Develop and implement strategies to address identified risks, including contingency plans, contractual clauses, and regular audits, to ensure vendor alignment with organizational objectives.

You can easily send, assess, and manage your vendors and assessments using TrustCloud’s Third-party risk management feature. Keep reading to learn more about how to send assessments, tailor your programs, and manage your workflow.

Getting Started 

To begin leveraging TrustCloud’s vendor risk management solution, a few housekeeping items should be taken care of before sending that first risk assessment. Use the following 4-step process to get started:

  1. Create an Assessment Template or Upload your Existing Security Questionnaire via the Evaluation Templates Page: Navigate to the evaluation templates section to begin setting up the forms that your vendors will fill out. Leverage our assessment builder and use your common control framework to simplify the questions you are asking your vendors. Alternatively, upload any existing documents your company uses when conducting vendor assessments.
  2. Set up Vendor Evaluation Tiers via the Settings Page: Evaluation tiers streamline your process by enabling workflow customization according to each vendor’s risk level. With tiers, you can define the business information required, the specific type of assessment to send, and the necessary data to collect.
  3. Assign a Tier to a Vendor via the My Vendors Page: Assign a tier to an existing vendor, or create a new vendor with a tier, in order to kick off the risk assessment process.
  4. Add a Vendor Contact via the My Vendors Page: Add a vendor point of contact responsible for providing security and compliance details on behalf of the vendor.
  5. Start a New Assessment via the My Vendors Page: Kick off the formal assessment by sending the forms out to the vendor.
  6. Complete the Assessment: Finalize your assessment based on the responses you have received from each vendor.

Dashboard

Your Vendors Dashboard helps you keep an actionable business-wide view of your vendors, assessments, and risks. Using the dashboard, you can:

  1. Understand your “Vendor Risk Distribution”: the level of risk across your vendors business-wide.
  2. See your “Assessment Requests”: the status, start date, and owner of all active assessments.
  3. “Vendors By Department”: get a pulse of the number of vendors across your business.
  4. “Vendor Risk by Data Classification”: understand where you’re at risk based on your data classifications.
  5. “Top 5 Vendors at Risk”: keep tabs on the risk level of your most important vendors.
  6. Top Vendors for Programmatic Risk Assessments via TrustNetwork: view a live trust portal for your vendors for detailed information on their security and privacy posture.

TC Vendors Dashboard

This dashboard is interactive, so click on the risk distribution to deep dive into specific vendors.

To view the list of vendors

  1. Go to the left-hand side “Vendors” menu.
  2. Click on “My Vendors.” A list of all the active as well as disabled vendors is displayed.
    The following screenshot shows the list of all your vendors.
    TC Vendors List

Adding Vendors

Your vendor list is populated automatically after you add all of your systems to your systems register. TrustCloud uses your system classifications to set the default data classifications shown on your Vendors page.

A step-by-step guide to adding a vendor

  1. To add more vendors to your register, click on the “+ New Vendor” button on the top right-hand side of the page.
  2. Select a vendor from the “Frequently Added Vendors” list, or search for the vendor name in the search bar.
  3. Click on the “+ Add” button next to the vendor name.
    The following screenshot shows the list of vendors to add.
  4. Enter Vendor Name, Vendor Website, Data Classification, Group, Vendor Owner, Vendor Tier, Assessment Owner, and select whether the vendor is a subprocessor.
    The following screenshot shows the vendor details page for adding a new vendor.
    TC Vendor Details After Adding Vendor

My Vendors

The Vendors page in TrustCloud allows you to view your vendors using different filters, search options, and views. You can quickly identify who the vendor is, which group or department they belong to, which tier they are part of, the most recently added vendors, the risk rating, the status of the most recent risk assessment, whether the vendor is active or disabled, and who the account owner is.

TC My Vendors List

Vendor Details

Clicking on a row in the vendor table showcases key details for each vendor. You will be able to view relevant metadata about the vendor, such as what recent assessments were performed, documents connected, and systems connected, as well as enter relevant vendor contact information.

TC Vendor Details Zendesk

Assessments

Regular risk assessments should be performed on each vendor based on business criticality, vendor tier, compliance requirements, etc. To begin a new assessment, click on the ‘New Assessment’ button and enter the details of the vendor contact responsible for filling out the responses. Make sure you have completed all the steps in the ‘Getting Started’ section before conducting your first assessment.

TC Start New Assessment

What Does the Vendor Need to Fill Out?

Each vendor, based on how you have configured the vendor tier, receives an email containing a security questionnaire, a list of documents they need to provide (SOC 2 report, pen test report, etc.), and details on where to submit the responses. Once a vendor has completed and returned the forms, navigate back to the open assessment and upload the returned forms so records can be maintained in one place. Contact us if you are interested in exploring ways to automate this via an API.

Completing an Assessment

Once you have received responses from a vendor, navigate to the open assessment under each vendor’s page and begin filling out the evaluation form. The following details will be captured during this process:

  1. Vendor Overview and contact information for the person assessing the vendor’s responses
  2. Business Information about the vendor, including name, HQ location, terms of service, etc.
  3. Risk Surface Details, including whether this vendor is processing PII or PHI, etc.
  4. Compliance reports and certifications the vendor may adhere to
  5. Documents and policies that the vendor provided
  6. A final summary and assessment where you document the final risk rating and note any gaps or comments. This action closes the assessment and shows the resulting risk rating on the dashboard and vendor details pages.

TC New Risk Assessment

Edit Vendor

To edit vendor details,

  1. Click on the three-dot icon in the right corner.
  2. From the drop-down menu, click on “Edit Details.”

On this details page, you can add or edit:

  1. Vendor Name
  2. Vendor Tier
  3. A vendor’s website
  4. Group
  5. Data Classification
  6. Whether the vendor is a subprocessor
  7. A location
  8. Certifications
  9. A description of the purpose
  10. Link to the vendor’s terms of service
  11. Link to the vendor’s privacy policy
  12. Link to the vendor’s security page

Additionally, you can add tags to each vendor, add documents or links, and add vendor contact information.

The systems that the specific vendor is mapped to are listed under the ‘Systems’ section. If you believe something is missing, double-check that all of the relevant systems have been added.

Disabling Vendors

Disabling a vendor denotes that you don’t use this vendor anymore. A disabled vendor still exists in your archive and is not deleted permanently.

A step-by-step guide to disabling a vendor

  1. Click on the three-dot icon in the right corner.
  2. From the drop-down menu, click on the “Disable Vendor” button.
  3. Enter a reason for disabling the vendor and mark the checklist of compliance requirements for disabling a vendor.
  4. Click on the “Disable” button.
  5. The dialogue box opens; fill in the “Reason for disabling” and “I acknowledge that” fields.
  6. Click on the “Disable” button.
    The following screenshot shows the disabling vendor functionality.
    TC Disable Vendor 01 1
  7. To view disabled vendors, open the filters on the main vendor page and check the ‘Disabled’ box.

Assessment Templates

TrustCloud supports the creation of programmatic vendor assessment templates that connect to your existing common control framework, making evaluation and submission easier. The option to bring your own questionnaire also exists, should you want to use your existing documentation.

From the left-hand side menu, go to “Vendors” and click on “Assessment Templates.”

The following screenshot shows the list of all assessment templates.

TC Assessment Templates 01 1

  1. Click on the “+ New Template” button. The following dialogue box is displayed:
    TC New Assessment Template Dialogue 1

Building a Programmatic Assessment Template in TrustCloud 

Add a new assessment template by clicking “+ New Template” in the top right corner. From here, you can follow the prompts to easily create questionnaires that map directly to the controls you want to test your vendor against. By mapping your assessment to your controls, you enable programmatic risk calculations, gap analysis, and auto-fill vendor responses.

Uploading Custom Assessment Templates

Upload your organization’s existing assessment templates or vendor questionnaires directly to the Assessment templates portal to streamline your vendor assessment process. 

  1. Enter the “Template Name”.
  2. Upload the template file.
  3. Click on the “Add Template” button.

The following screenshot shows the “Upload Your Own Template” dialogue box.

TC Uploading New Assessment Template

Editing, Downloading or Deleting an Existing Template

You can edit, download, or delete an existing template by navigating to the three dots in the top right corner of an existing template. Please note that any changes made to a template will impact new assessments only.

Once your assessment template is uploaded, you can see it in the Assessment Templates module and link it to a vendor tier. 

Settings and Vendor Tiers

Evaluation tiers streamline your process by enabling workflow customization according to each vendor’s risk level. With tiers, you can define the business information required, the specific type of assessment to send, and the necessary data to collect. After establishing your vendor tiers in TrustCloud, the platform automates your workflow based on each vendor’s designated tier—ensuring a consistent, hassle-free assessment process every time. We recommend customizing your tiers before you send assessments. 

Creating a New Tier

  1. From the left-hand side menu, select “Settings”.
  2. Click on the “+ New Tier” button in the top right and follow the prompts to create your evaluation tier. 
    1. Name your tier and click on “Create Tier”
    2. Set the parameters that define which vendors fall into this tier
      1. What is the impact if vendors in this tier fail?
      2. What is the maximum level of risk tolerance for vendors in this tier?
      3. How critical are vendors in this tier to business operations?
      4. What kind of data do vendors in this tier typically store and/or process?
      5. How frequently should vendors in this tier be assessed?
        TC Add New Tier 01 1
  3. Go to the “Business Information” tab to determine which business information you would like to mark as required or optional.
    TC Add Tier Business Information 02 1
  4. Go to the “Risk Surface” tab to set your risk surface, as shown in the following screenshot.
    TC New Tier Risk Surface 1
  5. Go to the “Compliance” tab to determine whether you will require reports and, if so, select which ones.
    TC Add Tier Compliance 1
  6. Go to the “Documents” tab to identify which documents you will require.
    TC Add Tier Documents 1
  7. Go to the “Security & Privacy” tab to select the additional questions you need vendors in this tier to answer.
    TC Add Tier Security And Privacy 1

Once you have customized and saved your Evaluation Tier, you can begin assigning tiers to your new and existing vendors. 

Editing or Deleting an Existing Tier

You can always edit a tier by selecting the pencil icon located on the right of each Assessment Tier module, and delete a tier using the trash icon. If you edit or delete a tier, the change is automatically applied to the associated vendors; however, changes to required documents only affect new assessments.
