Vendor Management


This outlines a solution for vendor risk assessments. The overall solution consists of the following:

  • Software, delivered through the ControlCase Vendor Manager tool (a feature within ControlCase GRC)
  • Implementation of the software
  • Vendor risk assessment content, including SIG Lite from the Shared Assessments program
  • IT Assessors (holding CISA/CISM/CISSP certifications) who assist in evaluating responses from vendors/third parties from a risk assessment perspective

The following customer needs are addressed through the solution:

  • Ability to point the vendor to our SaaS portal and have them complete an online questionnaire.
  • Capability to collect evidence (policies, diagrams, etc.).
  • Capability to compel a vendor to answer every question, or every required question.
  • Reminder feature with various escalation triggers.
  • Ability to start with up to 50 vendors in the short run and scale up in future as needed.
  • Ability to support manual or automated uploading of current vendors into the tool.
  • Ability to start with SIG Lite and customize it based on the type of vendor.
  • Ability to perform automated and assessor-driven risk ratings.




Step 1 : Register/Inventory vendors

The first step involves registering the vendors based on data provided to ControlCase.


Step 2 : Categorize vendors into categories

ControlCase will assist with the categorization of vendors based on the following factors:

  • What type of data they store, process or transmit (SSN, card numbers, customer name, etc.)
  • What business they are in (Call Center, Recoveries, Managed Service, Software Development, Printing, Hosting)
  • What risk factors exist based on geography (North America, Asia/Pacific, South America, etc.)

Step 3 : Create master checklist for exercise based on SIG Lite

ControlCase will work with the customer to define the master checklist based on the SIG Lite sections below:

  • Risk Management
  • Security Policy
  • Organizational Security
  • Asset Management
  • HR Security
  • Physical and Environmental
  • Communications and Operations Management
  • Access Control
  • Information Systems Acquisition, Development and Maintenance
  • Incident, Event and Communications Management
  • Business Continuity Management/ Disaster Recovery
  • Compliance
  • Mobile
  • Privacy
  • Cloud
  • Additional Questions

Step 4 : Map controls to vendor categories

ControlCase will map controls from the master list to the appropriate categories based on:

  • What is relevant to the type of data being stored, processed or transmitted (e.g. if card data is involved, PCI DSS controls may be relevant to check; otherwise they may not be).
  • What is relevant from a business perspective (e.g. call-center third parties have VoIP-related controls, whereas software development vendors may not).
  • What is relevant from a geographical perspective (e.g. background check practices in the USA and India may differ and may require testing different controls).

Step 5 : Enable vendor risk assessment questionnaire within platform

After completion of steps 1 through 4, ControlCase will enable the vendor questionnaires within the platform.


Step 6 : Distribute risk assessment questionnaire to vendors

ControlCase will then deploy the questionnaire to vendors.

Step 7 : Analyze responses and attachments

ControlCase personnel will then analyze responses and attachments as needed for appropriateness and validity. Where necessary, ControlCase will contact the vendor to resubmit a subsection of responses.


Step 8 : Develop Risk Profile

Once the vendor has correctly uploaded or completed the assessment, ControlCase will analyze the results and prepare a risk profile for each vendor.

ControlCase will use various criteria, as outlined below, to determine the overall risk of each vendor. The profile will be developed based on the nature of each vendor, the type of data involved, and the quality of each vendor’s responses.


About ControlCase Vendor Manager

The ControlCase Vendor Manager (CVM) solution enables organizations to manage an effective Vendor Management (VM) process, including questionnaires, audit results, risk-based vendor selection, centralized document management and remediation management. ControlCase Vendor Manager is built atop the ControlCase GRC (CC-GRC) platform and also provides access to core elements of the CC-GRC platform such as Workflow, Document Management, Controls Inventory and fine-grained access control, through a secure web-based interface.

Key Features
  • Automate monitoring of controls such as management of sensitive data and technical controls.
  • Enable vendor managers to manage risk.
  • Assess vendor risk using various assessment types and a library of questions based on best-practice standards.
  • Derive risk and compliance ratings by type of vendor from assessment results.
  • Measure vendor compliance with policies and procedures.
  • Track and address areas of non-compliance identified in the vendor assessment process.
  • Incorporates the licensed BITS Standardized Information Gathering (SIG) questionnaire and the Agreed Upon Procedures (AUP).

What is Vendor Management?


Vendor Management is the process corporations worldwide use to understand the risks they assume through their business relationships with third-party vendors, especially data-sharing or outsourcing relationships. Vendor Management is a standard practice today and has matured to the extent that leading financial industry groups such as BITS have standardized the process significantly through their Standardized Information Gathering (SIG) and Agreed Upon Procedures (AUP) standards. Using these standards or their derivatives helps organizations understand the risk associated with their vendors and then adopt appropriate risk mitigation techniques and measures.




The ControlCase Vendor Manager (CVM) can help organizations achieve the following:

  • Through an online registration system, allow vendors to register automatically and keep track of all your vendors and related demographic information in one place.
  • Keep track of vendors and keep all their risk-related (and other) data in one repository.
  • Using your own risk model together with CVM-provided tools and framework, develop your own risk analysis capabilities and use the data related to each vendor to generate that vendor’s risks. Dashboard charts and graphs summarize this information for easy assimilation.
  • Monitor vendor compliance controls: automate most aspects of the policy management and compliance process and, through automated reminders and “action items”, ensure that your vendors are following your policies and procedures and adhering to your controls.
  • Any issues or “action items” that are either automatically detected or manually found in the vendor risk management process can be tracked and remediated through our comprehensive, feature-rich remediation module. Items can be assigned to individuals or groups, approved by their managers, fixed and closed, all through our interface. This functionality is similar to “help desk” software and just as easy to use. You can add attachments to tickets, track their status, assign them to users, and take full advantage of the workflow features to configure the solution to your needs. For example, if SSN data is found on vendor systems through the automated scan, once the exception is verified it can be assigned to the vendor to correct. Once corrected, the vendor can upload evidence demonstrating the correction, keeping all this information in one place to demonstrate the state of compliance over time.