This document outlines a solution for vendor risk assessments. The overall solution consists of the following:
Software: the ControlCase Vendor Manager tool (a feature within ControlCase GRC)
Implementation of the software
Vendor risk assessment content including SIG Lite from Shared Assessments program
IT assessors (holding CISA, CISM or CISSP certifications) who evaluate the responses from vendors/third parties from a risk assessment perspective
The following customer needs are addressed through the solution:
Ability to point the vendor to our SaaS portal and have them complete an online questionnaire.
Capability to collect evidence (policies, diagrams, etc.).
Capability to compel a vendor to answer every question, or every required question, before submission.
Reminder feature with various escalation triggers.
Ability to start with up to 50 vendors in the short run and scale up in future as needed.
Ability to support manual or automated upload of current vendors into the tool.
Ability to start with SIG Lite and customize it based on type of vendor.
Ability to perform automated and assessor-driven risk ratings.
Step 1 : Register/Inventory vendors
The first step involves registering the vendors based on data provided to ControlCase.
Step 2 : Categorize vendors
ControlCase will assist with the categorization of vendors based on the following factors:
What type of data they store, process or transmit (e.g. SSNs, card numbers, customer names)
What business are they in (Call Center, Recoveries, Managed Service, Software Development, Printing, Hosting)
What risk factors exist based on geography (North America, Asia/Pacific, South America etc.)
Step 3 : Create master checklist for exercise based on SIG Lite
ControlCase will work with the customer to define the master checklist based on the SIG Lite sections below:
Physical and Environmental
Communications and Operations Management
Information Systems Acquisition, Development and Maintenance
Incident, Event and Communications Management
Business Continuity Management/ Disaster Recovery
Step 4 : Map controls to vendor categories
ControlCase will map controls from the master list to the appropriate categories based on:
What is relevant to the type of data being stored, processed or transmitted (e.g. if a vendor handles card data, PCI DSS controls are relevant to check for; otherwise they are not).
What is relevant from a business perspective (e.g. call-center third parties have VoIP-related controls, whereas software development vendors may not).
What is relevant from a geographical perspective (e.g. background checks in the USA and in India differ and may require testing different controls).
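The following is an added example, not ControlCase Vendor Manager code, of how Steps 2 through 4 can be encoded so that the questionnaire a vendor receives is derived from its category rather than assembled by hand. A vendor is tagged from the three Step 2 factors (data types, business, geography); each master-checklist item carries the set of tags a vendor must have for the item to apply; and the required-item check at the end is the kind of gate behind the "answer every required question" capability listed above. The control IDs, tag names, the "Human Resource Security" section (not among the SIG Lite sections listed on this page) and the applicability rules are assumptions made for illustration; the two vendors are constructed sample data.

```python
"""Vendor categorization and control mapping (added example; not ControlCase code).

Control IDs, tag names, sections and rules below are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class Vendor:
    """Step 2 inputs: what the vendor handles, what it does, where it operates."""
    name: str
    data_types: FrozenSet[str]   # e.g. "card_number", "ssn", "customer_name"
    business: str                # e.g. "call_center", "software_development", "printing"
    geography: str               # "north_america", "asia_pacific", "south_america"


@dataclass(frozen=True)
class Control:
    """One master-checklist item; `requires` = category tags a vendor must carry
    for the item to apply (empty set = applies to every vendor)."""
    control_id: str
    section: str
    question: str
    required: bool
    requires: FrozenSet[str] = frozenset()


# Step 2: data type -> category tag (assumed mapping).
DATA_TAGS: Dict[str, str] = {
    "card_number": "pci_scope",
    "ssn": "pii",
    "customer_name": "pii",
}


def categorize(v: Vendor) -> FrozenSet[str]:
    """Derive a vendor's category tags from the three Step 2 factors."""
    tags = {f"business:{v.business}", f"geo:{v.geography}"}
    tags |= {DATA_TAGS[d] for d in v.data_types if d in DATA_TAGS}
    return frozenset(tags)


def item(cid: str, section: str, question: str, required: bool = True, *requires: str) -> Control:
    return Control(cid, section, question, required, frozenset(requires))


# Step 3: the master checklist (assumed items, grouped by SIG Lite-style section).
MASTER_CHECKLIST: List[Control] = [
    item("PE-1", "Physical and Environmental",
         "Is physical access to areas handling customer data restricted and logged?"),
    item("CO-1", "Communications and Operations Management",
         "Is cardholder data encrypted in transit and at rest as required by PCI DSS?", True, "pci_scope"),
    item("CO-2", "Communications and Operations Management",
         "Is VoIP traffic segmented from the corporate network?", True, "business:call_center"),
    item("CO-3", "Communications and Operations Management",
         "Are call recordings that may capture card numbers redacted or encrypted?",
         True, "business:call_center", "pci_scope"),
    item("SD-1", "Information Systems Acquisition, Development and Maintenance",
         "Is a secure SDLC with mandatory code review enforced?", True, "business:software_development"),
    item("IM-1", "Incident, Event and Communications Management",
         "Are incidents involving customer data reported to the customer within a defined SLA?"),
    item("BC-1", "Business Continuity Management/ Disaster Recovery",
         "Is a tested disaster recovery plan in place?", False),
    item("HR-1", "Human Resource Security",
         "Are criminal-history and credit checks performed for staff with access to customer data?",
         True, "geo:north_america", "pii"),
    item("HR-2", "Human Resource Security",
         "Are police verification and address/education checks performed for staff with access to customer data?",
         True, "geo:asia_pacific", "pii"),
]


def build_questionnaire(v: Vendor, checklist: List[Control] = MASTER_CHECKLIST) -> List[Control]:
    """Step 4: keep the items whose tag requirements are a subset of the vendor's tags."""
    tags = categorize(v)
    return [c for c in checklist if c.requires <= tags]


def required_ids(v: Vendor) -> FrozenSet[str]:
    return frozenset(c.control_id for c in build_questionnaire(v) if c.required)


def unanswered_required(v: Vendor, answers: Dict[str, str]) -> FrozenSet[str]:
    """Required items with no non-blank answer: what a submission gate or reminder would chase."""
    return frozenset(cid for cid in required_ids(v) if not answers.get(cid, "").strip())


# Constructed sample vendors (not real companies).
CALL_CENTER = Vendor("Sample Contact Centre", frozenset({"card_number", "customer_name"}),
                     "call_center", "asia_pacific")
PRINTER = Vendor("Sample Print Shop", frozenset({"customer_name"}), "printing", "north_america")

if __name__ == "__main__":
    for v in (CALL_CENTER, PRINTER):
        print(v.name, sorted(categorize(v)))
        for c in build_questionnaire(v):
            print(f"  [{c.control_id}] {'required' if c.required else 'optional'}: {c.question}")
    print("missing:", sorted(unanswered_required(PRINTER, {"PE-1": "Badge access, logged", "HR-1": " "})))
```

The mapping is deliberately all-of (a control applies only when every tag it lists is present), so the card-data call-center item CO-3 is asked of a call center that handles card numbers but not of a call center that does not, while a control with no tags (PE-1, IM-1) goes to every vendor. Adding a vendor category or a new jurisdiction-specific check means adding a tag or a checklist row, not editing the selection logic.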
Step 5 : Enable vendor risk assessment questionnaire within platform
After completion of Steps 1 through 4, ControlCase will enable the vendor questionnaires within the platform.
Step 6 : Distribute risk assessment questionnaire to vendors
ControlCase will then deploy the questionnaire to vendors.
Step 7 : Analyze responses and attachments
ControlCase personnel will then analyze the responses and attachments for appropriateness and validity. Where needed, ControlCase will contact the vendor to resubmit a subsection of responses.
Step 8 : Develop Risk Profile
Once the vendor has correctly uploaded or completed the assessment, ControlCase will analyze the results and prepare a risk profile for each respective vendor.
ControlCase will use the criteria outlined below to determine the overall risk of each vendor. The rating is developed from the nature of each vendor, the type of data it handles and the quality of its responses.
About ControlCase Vendor Manager
The ControlCase Vendor Manager (CVM) solution enables organizations to run an effective Vendor Management (VM) process, including questionnaires, audit results, risk-based vendor selection, centralized document management and remediation management. ControlCase Vendor Manager is built atop the ControlCase GRC (CC-GRC) platform and also provides access to the core elements of CC-GRC, such as workflow, document management, controls inventory and fine-grained access control, through a secure web-based interface.
What is Vendor Management?
Vendor Management is the process corporations worldwide use to understand the risks they assume through their business relationships with third-party vendors, especially where data is shared or operations are outsourced. Vendor Management is a standard practice today and has matured to the extent that leading financial industry groups such as BITS have standardized the process significantly through their Standard Information Gathering (SIG) and Agreed Upon Procedures (AUP) standards. Using these standards or their derivatives helps organizations understand the risk associated with their vendors and then apply appropriate mitigation measures.
The ControlCase Vendor Manager (CVM) can help organizations achieve the following:
CENTRALIZE VENDOR INVENTORY AND INFORMATION
Through an online registration system, vendors can register themselves, and you can keep track of all your vendors and their related demographic information in one place.
CENTRALIZE VENDOR COMPLIANCE DATA
Helps you keep track of vendors and keep all their risk-related (and other) data in one repository.
ASSESS VENDOR RISK
Using your own risk model together with the tools and framework CVM provides, you can build your own risk analysis capability and generate a risk rating for each vendor from the data collected about it. Dashboard charts and graphs summarize this information for easy assimilation.
MONITOR VENDOR COMPLIANCE WITH YOUR POLICIES AND CONTROLS THROUGH ONLINE QUESTIONNAIRES
Automate most aspects of the policy management and compliance process and, through automated reminders and "action items", ensure that your vendors follow your policies and procedures and adhere to your controls.
TRACK VENDOR COMPLIANCE ISSUES
Any issues or "action items" that are either automatically detected or manually found in the vendor risk management process can be tracked and remediated through the remediation module. Items can be assigned to individuals or groups, approved by their managers, fixed and closed, all through the interface. This functionality is similar to help desk software and just as easy to use. You can add attachments to tickets, track their status, assign them to users, and take full advantage of the workflow features to configure the solution to your needs. For example, if SSN data is found on vendor systems through an automated scan, once the exception is verified it can be assigned to the vendor to correct. Once corrected, the vendor can upload evidence demonstrating the correction, and all of this information is kept in one place to demonstrate the state of compliance over time.