Vendor
Keep track of Vendor security and perform internal reviews of Vendor Solutions.
Vendor Solutions — A Vendor's product, service, or other offering that warrants periodic security reviews.
- Create a Vendor Solution for a Vendor — The User can create a new Vendor Solution in the Platform and attach it to a Vendor. Each Vendor Solution in turn can have Vendor Reviews.
- Create a Vendor Solution without a Vendor — The User can also create a new Vendor Solution that is not attached to any Vendor; attaching a Vendor is optional.
Perform a Vendor Review — Evaluate the overall security of a Vendor Solution by assessing a set of Vendor Controls based on available documents and public records.
- Set a Vendor Review Rating — A User may set an overall risk Rating for a Vendor Review. Possible Ratings are: High, Medium-High, Medium, Low-Medium, Low. The Rating should be based on the number of Controls that are In Place / Audited: more Controls In Place / Audited means a lower risk Rating; fewer Controls In Place / Audited means a higher risk Rating.
- Evaluate Controls for a Vendor Review — A Vendor Review primarily consists of Control Categories with Sub-Controls, each of which can be marked as 'Not in Place / In Place' and 'Not Audited / Audited'. Not In Place / In Place: a Control Category or Sub-Control may be marked 'In Place' if there is some evidence that the control is being implemented. Not Audited / Audited: a Control Category or Sub-Control may be marked 'Audited' only if there is concrete evidence that the control is being implemented, usually found in an audit document. 'Audited' is therefore the stronger claim and requires the stronger evidence.
- Generate a Summary for a Vendor Review — Once the Controls have been evaluated and a Rating set for a Vendor Review, the User may generate and update the Summary text. The Summary text may be auto-generated, which fills in the Date and Rating values, or entered manually.
- Upload documents for a Vendor Review
- Apply a Pre-Qualified Certification to a Vendor Review — Once Pre-Qualified Certifications are set up, they may be applied to a Vendor Review. This action automatically sets the 'Audited' status on the corresponding Vendor Controls, so the Reviewer should first confirm that the certification document is current and that its scope actually covers the Vendor Solution under review.
- Finalize a Vendor Review
Vendor Controls
- Create a Vendor Control Category Template — The User can create a new Vendor Control Category Template in the Platform. A Vendor Control Category Template consists of multiple Sub-Controls. When a Vendor Review is started, all Control Category Templates are copied into the fresh Vendor Review. Updating a Control Category Template afterwards will NOT automatically update the Control Categories in existing Vendor Reviews.
- Create a Vendor Sub-Control — The User can create a new Sub-Control attached to a Vendor Control Category Template. When a Vendor Review is started, all Control Category Templates and their Sub-Controls are copied into the fresh Vendor Review. Updating a Sub-Control on a Control Category Template afterwards will NOT automatically update the Control Categories in existing Vendor Reviews.
Pre-Qualified Certifications
- Create a Pre-Qualified Certification — Pre-Qualified Certifications may be used to streamline Vendor Reviews. If a Vendor Solution already has a relevant document, such as a current PCI Certification or SSAE18 Certification, the Reviewer may assume that certain security controls have already been audited. After setting up Pre-Qualified Certifications, they may be applied to a Vendor Review via the 'Relevant Documents' tab, and the corresponding Controls will be automatically updated for that Vendor Review. Because the certification sets 'Audited' on every Sub-Control it lists, keep the list limited to controls the certification genuinely attests to.
- Add/Remove Sub-Controls from a Pre-Qualified Certification — A User can add or remove any of the Sub-Controls covered by a Pre-Qualified Certification.
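The review workflow above (copy templates at review start, mark Sub-Controls In Place / Audited, apply a Pre-Qualified Certification, derive a Rating, generate the Summary, finalize) can be modelled in a few dozen lines. The following is an added example written for this page, not the Platform's own code. The Control Category Templates, the Sub-Control names, the PCI DSS mapping, and the Rating thresholds in suggest_rating are all hypothetical: the page only says that more Controls In Place / Audited should yield a lower Rating, so the cut-offs are this example's choice.

```python
import copy
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set

RATINGS = ["High", "Medium-High", "Medium", "Low-Medium", "Low"]


@dataclass
class SubControl:
    name: str
    in_place: bool = False   # some evidence the control is implemented
    audited: bool = False    # concrete evidence, usually from an audit document


@dataclass
class ControlCategory:
    name: str
    sub_controls: List[SubControl]


# Hypothetical Control Category Templates (a real platform would load these from storage).
TEMPLATES: List[ControlCategory] = [
    ControlCategory("Access Control", [SubControl("MFA for administrators"),
                                       SubControl("Quarterly access reviews")]),
    ControlCategory("Data Protection", [SubControl("Encryption at rest"),
                                        SubControl("Encryption in transit")]),
    ControlCategory("Operations", [SubControl("Logging and monitoring"),
                                   SubControl("Incident response plan")]),
]

# Hypothetical Pre-Qualified Certification: the Sub-Controls a current PCI certificate is
# taken to have audited. Which controls it covers is a reviewer decision, not a PCI fact.
PRE_QUALIFIED: Dict[str, Set[str]] = {
    "PCI DSS": {"Encryption at rest", "Encryption in transit", "Logging and monitoring"},
}


@dataclass
class VendorReview:
    solution: str
    categories: List[ControlCategory]
    rating: Optional[str] = None
    summary: str = ""
    finalized: bool = False

    @classmethod
    def start(cls, solution: str, templates: List[ControlCategory] = TEMPLATES) -> "VendorReview":
        # Deep copy: later edits to the templates must not leak into this review.
        return cls(solution, copy.deepcopy(templates))

    def sub_controls(self) -> List[SubControl]:
        return [s for c in self.categories for s in c.sub_controls]

    def _writable(self) -> None:
        if self.finalized:
            raise ValueError("review is finalized; controls and rating are read-only")

    def mark(self, name: str, in_place: Optional[bool] = None, audited: Optional[bool] = None) -> None:
        self._writable()
        sub = next(s for s in self.sub_controls() if s.name == name)
        if in_place is not None:
            sub.in_place = in_place
        if audited is not None:
            sub.audited = audited
            if audited:          # assumption: audit evidence implies the control is in place
                sub.in_place = True

    def apply_certification(self, cert: str, catalog: Dict[str, Set[str]] = PRE_QUALIFIED) -> List[str]:
        """Set Audited on every Sub-Control the certification covers; return their names."""
        self._writable()
        changed = []
        for sub in self.sub_controls():
            if sub.name in catalog[cert]:
                sub.audited = sub.in_place = True
                changed.append(sub.name)
        return changed

    def coverage(self) -> float:
        """Fraction of Sub-Controls that are In Place or Audited."""
        subs = self.sub_controls()
        return sum(1 for s in subs if s.in_place or s.audited) / len(subs)

    def suggest_rating(self) -> str:
        # Assumed thresholds: 0.0-0.2 -> High, ..., 0.8-1.0 -> Low.
        return RATINGS[min(int(self.coverage() * 5), 4)]

    def set_rating(self, rating: str) -> None:
        self._writable()
        if rating not in RATINGS:
            raise ValueError(f"unknown rating {rating!r}")
        self.rating = rating

    def generate_summary(self, on: date) -> str:
        if self.rating is None:
            raise ValueError("set a Rating before generating the Summary")
        self.summary = (f"Vendor Review of {self.solution} dated {on.isoformat()}: "
                        f"overall risk Rating {self.rating}.")
        return self.summary

    def finalize(self) -> None:
        if self.rating is None or not self.summary:
            raise ValueError("Rating and Summary are required before finalizing")
        self.finalized = True


def run_example() -> VendorReview:
    """Walk one hypothetical Vendor Solution through the full workflow."""
    review = VendorReview.start("Example Payment Gateway")
    review.apply_certification("PCI DSS")                 # 3 of 6 Sub-Controls now Audited
    review.mark("MFA for administrators", in_place=True)  # 4 of 6 In Place / Audited
    review.set_rating(review.suggest_rating())
    review.generate_summary(date(2024, 1, 15))
    review.finalize()
    return review


if __name__ == "__main__":
    print(run_example().summary)
```

Two design points carry over to the real Platform: the review works on a deep copy of the templates, which is exactly why template edits do not propagate to existing reviews, and finalize() makes the review read-only, so a certification applied afterwards cannot silently flip controls to Audited.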