
Zone.sd Vendor Risk Management

 

 

As your vendors become privy to more of your sensitive systems and data, their risk and compliance posture becomes even more important to your security. Best practice is to assess your vendors on a regular basis, but until now, it has been a time-consuming and error-prone exercise made up of spreadsheets, email, and rudimentary legacy risk management tools.

Zone.sd Vendor Risk Management transforms the way you manage vendor risk through vital reporting of vendor risk and issues, a consistent assessment and remediation process, and automation of assessment procedures. It provides a means to facilitate stakeholder interactions, drive transparency and accountability, and effectively monitor vendor-related risks. By aligning vendor risk management with overall enterprise risk management priorities, you can create a stronger enterprise risk posture.

Dashboards and reporting

Dashboards and reporting provide visibility into your assessment plans, open issues, and risk across your vendor ecosystem. Dashboards are customizable, while reports can be scheduled or run on demand. Both are a standard part of the platform.

Vendor portfolio

The vendor portfolio is your database of vendors and vendor information. This includes the vendor contacts you interact with, the business services and products that the vendors fulfill, vendor assessment records and documentation, along with other general vendor information. The existing company table within zone.sd is the default for compiling vendor data. If you already have vendor information in zone.sd from another system, such as an asset discovery service or Vendor Performance, it is immediately available to Vendor Risk Management. Vendor information can be updated manually or be integrated with an existing supplier management system, using the zone.sd platform integration capabilities. Also, a self-service portal is available so vendors can maintain and update their own information.

Benefits

Gain Efficiencies through Automation: Deliver a system of engagement to manage stakeholder relationships, automate routine processes and risk scoring, and manage risk throughout the vendor assessment life cycle.

Reduce Your Risk Exposure: Monitor risks and issues in your vendor environment, and assess the impact on the organization’s risk posture.

Respond to High-Risk Vendors: Accelerate decision-making across stakeholders and facilitate cross-functional remediation and risk mitigation processes.

Leverage a Unified Platform: Speed assessment, scoring, and risk prioritization of vendors by using GRC indicators and vendor risk scores.

(Figure: Vendor risk overview dashboard)

Zone.sd Assessment management

Assessment management allows you to create assessment templates, each of which is a combination of questionnaires and document requests. Assessments can be designed to support your vendor risk tier and classification schema. The assessment designer allows you to standardize your key document requests and convert your Excel-based questionnaires. Assessments can be sent to vendors on a defined schedule or on an ad hoc basis to accommodate such things as security concerns around the installation of a new critical patch or news media concerns. Both can leverage either internally developed assessments or the built-in Shared Assessments Standardized Information Gathering (SIG) questionnaire to streamline the process for collecting, parsing, and scoring a risk assessment. Automated scoring of assessment responses can use the robust hierarchical weighted scoring framework that is fully configurable.

Vendor portal

All vendor interaction and communication is centralized in a user-friendly vendor portal to eliminate inefficient email communications and status tracking via spreadsheets. The vendor can manage their response team, inviting members from their various functional groups to collaborate, and assigning tasks within the vendor portal. The vendor portal gives you and your vendor stakeholders visibility and transparency on the status of assessments, issues, and tasks.

 Issues and remediation

The zone.sd platform enables cross-functional cooperation for issue management based on assessments. When an issue is identified, it is easy to collaborate with the vendor and subject matter experts to design remediation plans; this also makes it easier for the vendor to define and respond to issue remediation. You can associate issues with risks, controls, and risk ratings at a questionnaire and assessment level. A status column identifies the critical issues that could have the greatest impact on the vendor’s risk posture and warrant immediate attention with the vendor.

Notifications

Notifications keep you informed of events that concern you; options include email, SMS text message, or push notification.

A unified GRC program

The Vendor Risk Management application is the latest addition to the Governance, Risk, and Compliance (GRC) suite of applications. It can be used in conjunction with the core GRC applications. For example, when a vendor is linked to a GRC “profile type,” then any controls applied are assigned to that vendor’s profile. This control requirement would then be visible in the Vendor Risk Management application.

Vendor Risk Management issues can be associated with an internal risk in GRC when a vendor is assigned as a profile, providing linkage and monitoring capabilities.

Using the Policy and Compliance Management application, individual questions can be mapped to a vendor’s control and the response can impact that control, marking it as “compliant” or “non-compliant” during the review. This can be used to provide top-down traceability from an authority document or compliance requirement to the question in a questionnaire for a specific vendor. Through the Risk Management application, non-compliant controls can automatically adjust the score of risks associated with that vendor.

The Vendor Risk Management application on the zone.sd platform eliminates the need for multiple applications used to communicate with and assess vendors, and ensures consistent process execution, workload management, and various avenues of reporting. The Configuration Management Database (CMDB) integration can be used to accelerate dependency mapping and fine-grained impact analysis. The service management platform can facilitate testing and evidence data collection of the vendors’ process and IT controls, at scale. Using the GRC and security applications on the zone.sd platform, you can provide your organization with a more comprehensive definition and proactive approach to managing risk, compliance, and security.