Vendors

In this article, you will learn how to manage and access vendor risks.

What is a vendor and a vendor risk?

A vendor is a third-party entity that your organization relies on for products, services, or support. For example, Google Workspace.

Vendor risk in compliance refers to the potential impact that third-party entities may have on your organization's ability to comply with regulatory requirements or uphold internal policies. This risk becomes critical when vendors handle sensitive data such as personal identifiable information, customer data, business data, and more.

Managing vendor risk in compliance involves assessing these risks and the types of data each vendor can access, process, or store; establishing clear compliance standards for vendors; and continuously monitoring their adherence to those standards.

Explanation of the columns on the 'Vendors' screen

  • Vendor Name - the name of the third-party entity providing products, services, or support to your organization.
  • Lifecycle - the current status of the vendor relationship, categorized as planned, POC (Proof of Concept), active, or terminated.
  • Owner - the name of the employee responsible for managing and overseeing the relationship with the vendor.
  • Business Impact - the importance of the vendor to your company's operations, labeled as Critical/Not critical.
  • Risk Level - the potential risk the vendor poses to your company, categorized as High, Medium, or Low.
  • Last Review Date - the most recent date on which the vendor's risk was assessed.

How to add a vendor?

1. Go to 'Vendors' and select 'Add Vendor'.

2. Fill in the vendor name, lifecycle, last review date, description, and assign the vendor to an employee.

Then choose the Business Impact and Data Classification.

Choose whether the vendor has a 'Critical' or 'Not critical' impact on your company's ongoing operations (see 'Business Impact' below).

Choose a vendor from Scytale's provided list or add a custom vendor. Scytale's list includes common vendors such as Zoom and Monday. When you select a vendor from this list, the description of the services it provides is added automatically. Selecting a vendor from this list is recommended for an accurate risk assessment.

3. Assess the CIA Risk. Choose a score of 1 (low), 2 (medium), or 3 (high) for each of Confidentiality, Integrity, and Availability. Scytale then calculates the CIA Risk from these three scores; the result becomes the vendor's Risk Level (see 'Risk Level' below).

4. Check the boxes for the data types the vendor can access, process, or store (see 'Data Types' below).

5. Lastly, if GDPR applies to the vendor, select its role under GDPR and check the box if it is DPA Reviewed. If GDPR does not apply to the vendor, leave this section blank.

6. Select 'Save' to add the new Vendor.

Note: after the vendor is created, click on it to add details such as the terms of use link, reviewed reports, notes, and documents and files (see 'Assessment Details' below).

Data Types: These are the types of data that a vendor can possess, access, or store. The categories include:

  • Personal Identifiable Information (PII): Information that can identify an individual, such as name and social security number.
  • Protected Health Information (PHI): Health-related information protected under privacy laws, such as medical records.
  • Customer Data: Information related to customers, including contact details and purchase history.
  • Business Data: Internal data related to company operations, strategies, and communications.
  • Financial Data: Information related to financial transactions, statements, and accounting records.
  • Employee Personal Data: Personal information about employees, including payroll and contact details.
  • Marketing Data: Information used for marketing purposes, such as campaign performance and market research.
  • Other: Any additional data types not covered by the above categories.

Business Impact: This evaluates the vendor's impact on your company's ongoing operations, categorized as either Critical or Not Critical.

  • Critical: The vendor's services are essential to the company's core operations, and any disruption could significantly impact business continuity.
  • Not Critical: The vendor's services are not essential to the core operations, and any disruption would have a minimal impact on business continuity.

Risk Level: This indicates the potential risk level that the vendor poses to your company, categorized into three levels:

  • High Risk: The vendor may significantly disrupt core company services or compromise sensitive customer data.
  • Medium Risk: The vendor may moderately affect company services or compromise sensitive data.
  • Low Risk: The vendor may have minimal effect on core company services and does not have access to sensitive data.

Assessment Details

This section provides details about the assessment you conducted on the vendor.

Terms of use link: a link to the vendor's terms of use, which set out the conditions, responsibilities, and limitations associated with handling the risk.

Reviewed Reports: This lists the vendor reports and certifications you reviewed as part of the assessment, for example SOC 2, ISO 27001, and PCI DSS. Ensure that you also upload the actual documents to the 'Files and Documents' section at the bottom of the panel.

Notes (Optional): These notes are for internal use, to document points or communicate with employees. The auditor will not be able to see these notes.

Files and Documents: In this section, you will find all evidence that you have uploaded to support the assessment, as required by your company's internal policies and procedures. Examples include the vendor's SOC 2 report, privacy policy, etc. Your auditor may request to view these files for a selected sample of vendors.