In this article, you will learn how to add, assess and manage vendors and the risks they pose to your organization.
What is a vendor and a vendor risk?
A vendor is a third-party entity that your organization relies on for products, services, or support. For example, Google Workspace.
Vendor risk in compliance refers to the potential impact third-party entities may have on your organization's ability to comply with regulatory requirements or uphold internal policies. This risk becomes critical when vendors handle sensitive data such as personally identifiable information (PII), customer data or business data.
Managing vendor risk involves assessing each vendor and the types of data it can access, process or store, establishing clear compliance standards for vendors, and continuously monitoring their adherence to those standards.
Explanation of the columns on the 'Vendors' screen
- Vendor Name - the name of the third-party entity providing products, services, or support to your organization.
- Owner - the name of the employee responsible for managing and overseeing the relationship with the vendor.
- Lifecycle - the current status of the vendor relationship, categorized as planned, POC (Proof of Concept), active, or terminated.
- Sensitive Data - a yes/no answer to indicate whether the vendor has access to sensitive data.
- Business Impact - the importance of the vendor to your company's operations, labeled as Critical/Not critical.
- Risk Level - the potential risk the vendor poses to your company, categorized as High, Medium, or Low.
- Last Review Date - the most recent date on which the vendor's risk was assessed.
How to add a vendor?
1. Go to 'Vendors' and select 'Add Vendor'.
2. Fill in the vendor name, lifecycle, and description, and assign the vendor to an employee.
Choose a vendor from Scytale's provided list or add a custom vendor. Scytale's list includes common vendors like Zoom and Monday. When you select a vendor from this list, the description of provided services will be added automatically. Selecting a vendor from this list is recommended for accurate risk assessment.
3. Check the boxes of the data types that the vendor can access, process or store.
4. Choose whether the vendor has a 'Critical' or 'Not critical' impact on your company's ongoing operations.
5. Once you have selected the data types and business impact, Scytale will automatically recommend a risk level.
You can accept the recommendation or set the risk level yourself, based on your own assessment of the vendor.
6. Select 'Add Vendor'.
Note: you can add details such as the last review date, reviewed compliance reports, notes, documents and files by clicking on the vendor after it is created.
What are the different sections of the vendor panel?
When you click on a vendor, a panel opens on the right-hand side of the screen. The panel is divided into four sections:
- Vendor Details
- Potential Risk
- Assessment Details
- Files and Documents
1. Vendor Details
This section outlines basic details about the vendor including vendor name, assignee, lifecycle and the description of the services provided by the vendor.
2. Potential Risk
This section assesses the risk posed by the vendor to your company.
Data Types: These are the types of data that the vendor can access, process or store. The categories include:
- Personally Identifiable Information (PII): Information that can identify an individual, such as a name or social security number.
- Protected Health Information (PHI): Health-related information protected under privacy laws, such as medical records.
- Customer Data: Information related to customers, including contact details and purchase history.
- Business Data: Internal data related to company operations, strategies, and communications.
- Financial Data: Information related to financial transactions, statements, and accounting records.
- Employee Personal Data: Personal information about employees, including payroll and contact details.
- Marketing Data: Information used for marketing purposes, such as campaign performance and market research.
- Other: Any additional data types not covered by the above categories.
Business Impact: This evaluates the vendor’s impact on your company’s ongoing operations, categorized as either Critical or Not Critical.
- Critical: The vendor's services are essential to the company's core operations, and any disruption could significantly impact business continuity.
- Not Critical: The vendor's services are not essential to the core operations, and any disruption would have a minimal impact on business continuity.
Risk Level: This indicates the potential risk level that the vendor poses to your company, categorized into three levels:
- High Risk: The vendor may significantly disrupt core company services or compromise sensitive customer data.
- Medium Risk: The vendor may moderately affect company services or compromise sensitive data.
- Low Risk: The vendor may have minimal effect on core company services and does not have access to sensitive data.
3. Assessment Details
This section provides details about the assessment you conducted on the vendor.
Last Review Date: This is the most recent date on which you conducted an assessment of the vendor.
Reviewed Compliance Reports: This lists the vendor reports and certifications you reviewed as part of the assessment, for example a SOC 2 report, an ISO 27001 certificate or a PCI DSS attestation of compliance. Ensure that you also upload the actual documents to the 'Files and Documents' section at the bottom of the panel, and check that each report is current and that its scope covers the services you actually use from the vendor.
Internal Notes: These notes are for internal use to document points or communicate with employees. The auditor will not be able to see these notes.
4. Files and Documents
In this section, you will find all evidence that you have uploaded to support the assessment, as required by your company's internal policies and procedures. Examples include the vendor's SOC 2 report, privacy policy, etc. Your auditor may request to view these files for a selected sample of vendors.