WATCH IT WORK
Vendor Risk Management
Ensure third-party partnerships meet regulatory requirements with vendor risk assessments and remediation.
WHAT TO WATCH FOR
- Easily manage vendors that have access to business-critical data from one centralized database
- Increase vendor risk assessment efficiency up to 70% by automating time-consuming assessment or follow-up tasks
- Streamline risk remediation and management with auditable tracking of remediation plans and validation documentation
- Stay updated on third-party risk with real-time metrics on vendor risk management program
- Customize assessments to fit unique firm, industry or regulatory needs
Video Transcription
Speaker 1 (00:11):
Welcome to Privva. What you see here is your main dashboard. The dashboard helps you navigate around the platform to really figure out where you should spend your time when you log into the system. Really think about this as a main homepage and track everything through the lifecycle. What you see here is 50 assessments for review; that means 50 vendor assessments have been submitted and are ready for your review. Again, you can look at everything through the lifecycle.
(00:37):
Issues is the ticketing system to help you track all risks and vulnerabilities throughout the system. When a ticket is sent back and forth between you and your supplier, the responses will be tracked here, and now it shows four remediation tickets or issues are ready for your review. Again, you can track that throughout that process. Assessment status, again, allows you to send out questionnaires via the platform, and you can see when they've been sent out, you can see when the vendor started and logged in. And if you click In Process, it actually shows you in real time what percent the vendor has completed so that you can prepare from a resource perspective to review that assessment. Again, you can look at it by submitted, expired and reviewed.
(01:18):
What we have here on the right side is your issue ranking matrix. When you upload your vendors to the platform, you now have the ability to categorize them by risk tier. Tier one's going to be your mission critical vendors, then tier two, high, medium, and low. We also allow you to upload vendors if you haven't figured out which tier or what category of risk they should fall in. Again, as we complete that security assessment questionnaire, we'll go through and, as we identify risks and vulnerabilities, we can flag them by a level of severity. Informational only means we have not determined whether it's a risk yet; then low, medium, high, and critical. And using this matrix, we can now say, I want to look at my tier one mission critical vendors by the critical findings. And if I click on the 29, it directly takes me to the page for all those remediation items or vulnerabilities that have been identified for your tier one vendors that are critical in nature. So, in theory, you can quickly and easily get to a page that shows you the top risk across your third party vendor ecosystem.
(02:17):
So, that's the dashboard. Now let's start talking about the homepage and go through the workflow. Under managed organization we do allow you to upload multiple stakeholders within your organization. We have various different rights and access management controls. And from here, we now can give access. Just from a housekeeping perspective, we do have two factor authentication, as well as single sign on for your users. Second, what we want to do is we want to talk about labels. When you upload your vendors to the platform, we do have the ability to meta tag all your data on the system. So when you upload your vendors, you can classify them by different categories. And again, you can create this. Couple examples I highlight here are client data versus employee data. Is this a vendor that's supporting the finance department versus HR? Is it a vendor that has privacy or is sub-processor from a privacy perspective?
(03:09):
So again, allowing you to track and then ultimately run reports based off of these data fields. So once we go through that, now let's start the process of executing. We do allow you to create any custom questionnaire. So if you do have your own questionnaire, you can use that. But one of the benefits of using Privva is that we have a pre-built library of standard questionnaires, which will help make the process significantly easier for you and your vendors. This template has multiple different questionnaires from a risk perspective, such as anti-bribery, anti-corruption, CIS top 20 critical controls, DEI, ISO based frameworks, NIST based frameworks. And what we like to use most is the Shared Assessment SIG. This is updated every single year as the Shared Assessments team announces it. And a new version will be coming out in about November of 2022 for the 2023 year.
(04:05):
So the goal here is that we do not want our clients to start with a blank slate. We have lots of content, security related, privacy related, anti-bribery related as well as privacy related. So once you build out your questionnaire, we can then go to the next step, which is uploading your vendors to the system. Go to the vendor page and in order to get started, all we need is the name of a vendor, the point of contact, their name, as well as their email address. If you do have multiple different stakeholders, we can also upload them to the system as well. From here, we can also classify them by that category of risk. Very easy to set up a vendor and get started on Privva.
(04:44):
The next thing I want to dive into is looking at the profile of a vendor. I'm going to click on Amazon here. If you have Amazon as a vendor, but you're using a product underneath, you can also upload a profile for that particular product. So we do have that parent-child relationship built into the system. You also have the ability to look at that risk here. You'll also be able to look at setting up reassessment dates. So as you're doing security assessments on an annual basis, the system will automatically remind you when one is up for renewal. We also have that category, those labels that I talked about. So here you have the ability to upload and track and manage those data fields. We also allow you to upload and customize this page here: which data fields or elements do you want to track across your entire vendor ecosystem?
(05:31):
So, a couple of examples here are: does this firm have access to PII? Do they have MFA, multifactor authentication, enabled? What type of vendor is it? Type one, type two? And these are all fields, like I said, that we can also build and tailor to your specific organization. So it's just a great way that you can use Privva as a central repository to manage and really save various demographic data points across your profile. From here we also, and we'll come back to this, you have the ability to look at the risk profile of a vendor. You also have the ability to upload documentation. Things like contracts, NDAs, certification documents, like a SOC 2 or an ISO framework. You can also set reminders on Privva so if a contract's expiring and you want to be notified 15 days before that expiration date, we'll send you an automated reminder as well.
(06:24):
So Privva is not only used for sending out assessments, but can also be a document management system or repository for your contracts as well as NDAs. From here, once we've set up our questionnaire and we've set up our vendors, we're ready to start the process of sending out questionnaires to our third party vendors. So we'll click on projects. And what we'll do here is we'll click on new project and we'll just send this out as demo assessment. So the projects are really a way to help you classify and categorize. Think about it as a folder for all the vendors that may be of similar relevance. From here, I'll select the questionnaire that I want to send out. And here, we also have the ability to add the vendors. A couple of things here that I want to highlight. We can select one vendor and send it to a single vendor at any given time. We also have the capability of sending a bulk assessment based off of that data label.
(07:17):
Again, we talked about categorizing and tagging your data. So let's say I want to send this out to all the vendors that have client data. I simply select that label that we selected and it'll pull out all the vendors that we've tagged accordingly. We set a launch date, and we generally like to give the vendors about a month to fill it out. So from here, we'll save that. And now we are ready to go. So at 09:30 Eastern time, this morning, everything will get sent out automatically. But if we want to send it out now, all we simply do is hit launch project early, and it is now kicked off. At this point you now see all the vendors have been invited to the platform. Again, Privva is a web-based platform to manage your security assessment questionnaires and the value proposition there is, it gives you a lot of reporting. It gives you a lot of transparency, visibility into where things stand and then ultimately acts as a risk register.
(08:08):
So what we're going to do now is we're going to flip over to the vendor side, just so you can see how it's easy for them as well. Once the vendor receives an email to access the platform, they will be able to log in and complete that questionnaire. We talked about being able to create your own custom questionnaires on Privva earlier. That's really great, but the key value of using a standard template on the system is that many of your vendors may have answered questionnaires on Privva before. And if they have, if there's an overlap from a previous response that they've done on Privva, all they simply do is hit auto populate the responses. And from here, it'll take the questionnaire that you sent and it'll populate it with any attachments or supporting evidence that they provided as well as any commentary that you've associated with that questionnaire. So again, the relationship between you and your suppliers needs to be strong, using a standard questionnaire like the SIG really helps streamline that process back and forth if they've been on Privva.
(09:12):
So at this point, when they submit the questionnaire, it will lock on their side. So now, from a version control perspective, we want to make sure they can't make any more changes. So let's go back to your field here. So now we talked about, we sent this questionnaire out, it went to an invited state. The beauty of Privva is the automation that happens now. Immediately, when we set up your questionnaire, we have the ability to preset weights and how the scoring methodology is going to occur. We also have the ability to identify if a risk is created, can we automatically create our remediation ticket? So instantaneously, if I just hit refresh here, that vendor went from invited to submitted, and you see that there's an 84 score here. That means it's a preliminary score because we haven't actually done the review.
(09:59):
So we jump into the product here and we look at the score sheet. Everything is scored on a question by question basis for all your binary or multiple choice questions. So we do have that automation built in. It's going to save you a lot of time. From here, if I hit this needs review button, what that's going to do is it's just going to filter out the questions where there was an attachment, so supporting evidence, or a comment. So what we did is the automation scored based off of that yes/no response, but what Privva did is it flagged these and said, there's a little bit more information that we need to review prior to finalizing that score. Again, the SIG LITE, as an example, can be 100, 200, 300 questions. So we want to help you get to the place where you should spend your time.
(10:43):
I can also score and filter by categories of score. So if I select very high risk, again, it's going to filter just those responses. We want to make sure you're efficient when you're doing your review. And again, we want to make sure you're spending your time in the best way possible. But what I want to highlight here is Privva automatically created remediation tickets as well. So what the system did was it recognized that the supplier said they don't have a pen test, they haven't met training requirements, they don't do background checks and they don't have a documented business continuity procedure. So what we did is when we set up your questionnaire, and these are things that are already built into the Shared Assessment SIG, it says that if the vendor says I don't do background checks, meaning a negative answer, or non-compliant answer to your policies, what we did is we automatically created a ticket that we could send back to the supplier that says background checks weren't met. And in order to work with our firm, you need to do background checks that include references, employment, eligibility, education, and criminal background.
(11:42):
So what we did here is now these were automatically created and with a push of a button, we just simply hit create and sent. And if we look at our issue section here on this page, you now see that they've been sent out to the supplier and it is easy to track. So really easy, really fast, again, trying to make you very efficient. So now what we have is an 84 preliminary rating. We have four remediation tickets, but now let's go back to that needs review section. So let's see that in question 1.1, the supplier said, yes, they do have an information security policy. They uploaded a document, but let's say that the policy didn't necessarily meet our needs. What we can do is we can put an internal note. So, policy did not meet requirements. We have an internal note. This is not seen by the supplier.
(12:33):
And what we'll do is for our purposes, let's just change this score from a very low risk to a very high risk. And now we have an audit trail who made that change. And from here that remediation ticket automatically got created. Again, we want to eliminate redundancy. If five of your 10 vendors don't have an actual info sec policy to meet your needs, we don't want you to have to write this document over and over again. So what we did is we automated that process and we can send it out from here.
(13:02):
Last thing I want to highlight is an auto report section. We also have a quick summary, at a control level, of whether the suppliers met or did not meet each one of these needs. So security used to be limited to IT and security, but now stakeholders across your organization need to have access, need to have visibility. That's compliance, legal, procurement, the business stakeholders. So instead of answering questions, we can now give them a quick summary. You can download this document for distribution across your team as well. But like I said, we do have the ability to give multiple stakeholders access so you can actually look at that. And you can give them access if you want. But we also want to give you export capabilities from here. The last thing I want to talk about, so at the end of the day, this is really your main risk report card for your vendors. And then from here, a couple lenses we can do. We also have the ability to mark whether this supplier passed or failed. Once we do that, we can finalize the results.
(14:00):
We also have the ability to write up a final summary report. So, final summary of vendor assessment. And so now what we can do is, again, we really want to keep records for ourselves here. So now you have your notes, you have your assessment. We determined that this vendor passed with an 82 rating; that depends on your scoring methodology. And now what we can do is we can look at some reports here. So we do have the ability to look at a summary report. So this is going to be your write up. You're also going to look at scoring on a section by section basis. You're going to be able to look at all those remediation tickets that you're creating. Where do they stand? As the vendors get those remediation tickets, again, they're going to get a notification. The vendors are going to answer that questionnaire. They're going to answer that response. We're going to have all that documented on the platform, which you have the ability to share with regulators, auditors, and internal stakeholders as well.
(14:53):
So we ultimately have a good report. We can print this out. We can export the data in multiple different formats. So you have the ability to get access to this in many different ways. From here, we also have, as I mentioned, a risk register. So again, looking at the issues page on the top summary here, we can look at all the remediation tickets by vendor, the summary, the priority. What's their current status, created date, due date, et cetera? So a lot of ways we can filter through this data as well, by status, resolution, category. Again, we want to look at just the ones that have client data. We can filter that as well. So a lot of ways we can get to that.
(15:31):
Similarly, when we click on the vendor profile, we actually have the same capabilities, a lot of filters. So we want, again, let's just look at the ones I'm picking on client data. I want to look at just the vendors that have that. We can [inaudible 00:15:43] client data. It'll show just that list. What's their risk here? What's the score of their last assessment? What's their assessment date? If we set a next assessment date, again on these dates, you're going to get an email reminder that says this vendor's up for an assessment. And again, we have the ability to export all this information. So Privva really again, is used to make your job more efficient, have transparency, visibility into the entire program. And then we have a reporting center here on the dashboard that allows you to run multiple different reports. So a full summary report we can get to very easily.
(16:17):
If we want to compare vendors across the system, you can look at that as well. So let's look at this results comparison. I look at the results of this questionnaire for these four particular vendors. And now I can see, in a heat map, the results on a side by side basis. If I go back to the report section, I want to get a little bit more granular. I can look at a vendor comparison report. Again, let's select the demo security assessment and we'll pick those same four vendors. And I can get a little bit more information from there. This is going to have your list of vendors on the top with their ratings, whether they passed/failed, the scoring on a section by section basis, as well as the score on a question by question basis. And you see here, we actually can see our notes. This is the one we just created. We said that the policy didn't meet our requirement.
(17:07):
So giving you that transparency and that visibility even in the report section is really what we try to do here on the platform. So again, we can look at all those remediation tickets, as well as being able to export all the information on the system. So from a reporting perspective, we really have a great deal of content available for you to slice and dice the information depending on your lens, as well as any other stakeholders aiding your organization. So, that's an overall summary of the product. It's very easy to use, flexible. The goal is to really help you manage your risk management process related to your third parties and use the platform and run reports across your organization. So appreciate your time. Look forward to hearing from you.
Are you ready to automate your third-party risk assessment?
Find out how to strengthen your firm’s cybersecurity and cyber compliance strategy with streamlined vendor security assessments, remediation and reporting.