Master List of Terms
Written by Caitlin Fox
Updated over a week ago

Risk Manager - The program manager responsible for making all key decisions in a vendor's evaluation.  Characterized by the ability to add vendors, add team members, change program settings, approve questionnaire results, order validations, and use the remediation portal.  The privileges assigned to this role are the most expansive, allowing the Risk Manager to push a vendor's evaluation through to completion.

Relationship Owner - Each vendor has a team member that is the designated relationship owner.  This ensures that one person in the organization is responsible for maintaining accurate contact information.  The relationship owner must have knowledge of the vendor's services or project.

Vendor Contact - A contact at the vendor who can answer assessments regarding their organization's information security posture.

Evaluation - An umbrella term used to describe the entire process of assessing a vendor from the time of activation to the final outcome decision that closes the evaluation.  By default, evaluations are scheduled one year out from the time that a final outcome decision is made.  Evaluations can be pulled up or pushed back dependent on business need.

Classification Questionnaire - First step in the evaluation process, which determines the inherent risk that a vendor brings to the customer organization.  Inherent risk is the amount of risk that exists in the absence of controls.  The classification questionnaire results are scored, resulting in an impact level designation.

Impact Level - Results from the classification questionnaire that fall into low, medium, or high buckets.

  • Low - Vendor has no access to sensitive information and/or services.  Vendor has no public-facing component.  No critical business impact.

  • Medium - Criteria include vendors that make information available on a public portal, vendors with a public-facing application that does not use sensitive data, and vendors utilizing a cloud service.

  • High - Vendors that have access to sensitive information and/or services.  Vendors with a significant number of records/users.  Vendor reporting no security or vulnerability assessment.  Vendor utilizing a cloud service.

Self-Assessment - Medium- and high-impact vendors complete self-assessments to determine the residual risk that their organizations bring to the customer organization.  Residual risk is the amount of risk that remains after controls (policies, safety measures, etc.) are accounted for.  The self-assessment responses are scored to produce an S2Score.

  • High - Complete a full S2Score assessment

  • Medium - Complete a shorter, abbreviated version of the full S2Score assessment.  This still results in an S2Score.

S2Score - A score derived from the S2Score assessment, a comprehensive information security assessment based on ISO and NIST.  It comprises 663 statements covering all 4 control areas - administrative, physical, internal technical, and external technical - and results in an S2Score on a scale of 300 to 850, with 850 being perfect.

  • 780-850: Excellent

  • 660-780: Good

  • 600-660: Fair

  • 500-600: Poor

  • 300-500: Very Poor

Remediation - The customer organization has the option to work with the vendor in remedying any area of the vendor's information security posture that was assessed to be less than perfect (lower than 850).  In the remediation portal, Risk Managers can build a remediation plan complete with due dates, attachments, and notes.

Final Determination - The final decision that ends the vendor's evaluation. Represents the organization's acceptance of the vendor's risk.

The 2 final outcomes are:

  • Accepted - The vendor's evaluation will be approved without further discovery into risks.  The vendor will be automatically scheduled for a follow-up evaluation to take place in 365 days.

  • Rejected - The vendor's evaluation will be rejected without further discovery into risks.
