Vendor Risk Assessment

Why is a Vendor Risk Assessment Important?

Just as you are working to become security compliant, it is important for your vendors to be security compliant too, especially vendors who have access to confidential customer data, so that you can confidently do business with your end-customers. Before you perform a vendor risk assessment, you first need to add all the vendors you work with and complete a risk evaluation for each. The quick steps are below.

At a high level, a vendor risk assessment consists of three steps:

  1. Add all the vendors to the library.

  2. Classify the level of data each vendor has access to. Based on that data access level, assign each vendor a risk level of High, Medium, Low or None.

  3. For all “High” risk vendors, complete vendor due diligence.

The detailed steps are below:

Step 1. Go to the “Vendors” section on the dashboard.

Step 2. Select “Add vendors from Library” and add all the vendors you work with. It may also help to look at your credit card bill and identify every vendor who has invoiced you.

Step 3. Assess each vendor carefully and mark what kind of data they store. There is also a Risk Level section that helps you identify whether a vendor is High, Medium or Low risk. Sprinto automatically recommends a Risk Level based on the data access level you select or the type of data the vendor stores. For every vendor you classify as “high risk”, perform due diligence to confirm that the vendor also follows secure practices internally, from both a security and an availability standpoint. The most common way to do this is to procure and review their compliance reports, such as SOC 2, ISO 27001 or SOC 3. If no such report is available at this time, security white papers or any other document that demonstrates their commitment to security and availability can be procured for review. As a last resort, you can ask them to fill out a vendor security questionnaire; Sprinto can provide templates for this if needed. Finally, the report or questionnaire you reviewed must be uploaded to Sprinto by clicking the “Attach” item for each “high” risk vendor.

Step 4. Once you have listed all your vendors and evaluated their risk levels, go to the “Risk Assessment” section on the page and select “Start Vendor Risk assessment”.

Step 5. As the infosec officer, review all the vendors and their risk levels one final time before selecting the option at the bottom, “I have performed the risk assessment as per management policy for the above vendors. All risks are reviewed and transferred to these vendors”, and then finish the review.