The evaluation cycle inside S2Vendor consists of the following steps:

Inventory Vendor

Classify Vendor

Assess Vendor

Remediate Vendor

Risk Managers

Inventory is the process of adding vendors into your program. This can be done one-off by searching our existing directory or by importing a list.

Anytime but especially at the launch of your VRM program. Vendors will organically go in and out of your inventory as new projects are taken on. It's highly advisable to evaluate vendors before signing any contract. This allows you to assess their risk before agreeing to work with them.

The Vendor List acts as your inventory. All vendors will be visible from this screen at any time. You will find metrics that tally how many vendors are in your program and track your vendors' progress through the current evaluation cycle.

Creating a central repository of your vendors is critical for accountability. You can't be monitoring your vendors if you aren't aware of them.

Relationship Owners

The relationship owner is asked 10 questions about their vendor's project or service. Once these details are captured, S2Vendor will categorize the vendor as low, medium, or high risk impact. This represents how exposed your organization is by the vendor's project or service.

Classification is done immediately after the vendor is inventoried. It is sometimes described as the second step in inventorying vendors, as it catalogues vendors into useful buckets.

Clicking on the vendor's name in the Vendor List will navigate you to the vendor's evaluation. Classification is Step 1 of the evaluation.

You can also go to Vendor List > Classification tab to find a pre-filtered list of vendors in Classification.

Classification is where the relationship with the vendor is scoped. Once we know how exposed we are by the vendor, we can assess them at the appropriate level.

Vendor Team

The vendor is presented with a list of safeguards appropriate to their impact level (medium or high). They are tasked with responding True/False/N/A to each safeguard and may attach any notes or files that proves their position. The assessment determines their overall risk posture based upon how many of the standard safeguards they do or do not have.

Assessment is done after the vendor is classified. This ensures that vendors are

only assessed if need be and that if they are assessed, they receive the assessment that is appropriate to the amount of risk they expose your organization to. For example, a vendor classified as medium impact will receive the paired down medium version of the assessment.

Clicking on the vendor's name in the Vendor List will navigate you to the vendor's evaluation.

Assessment is Step 2 of the evaluation. You can also go to Vendor List > Assessment tab to find a pre-filtered list of vendors in Assessment.

Assessment is where we compare the vendor's security practices against the standard. This information is invaluable, empowering your organization to determine if a business relationship should be maintained with this vendor.

Risk Managers

Remediation is the process of addressing the risk discovered in the assessment. Inside the remediation portal, you can assign remediation tasks for the vendor to fix. You can assign a due date, lay out your criteria, and collect evidence from the vendor.

Remediation can only be done after the vendor is assessed. This is because only missing safeguards are eligible to be remediated. It is important to note that remediation is OPTIONAL.

Clicking on the vendor's name in the Vendor List will navigate you to the vendor's evaluation. Remediation is Step 3 of the evaluation.

You can also go to Vendor List > Remediation tab to find a pre-filtered list of vendors in Remediation.

Remediation is where we set our terms of engagement with the vendor. Assigning the vendor remediation tasks, gives them an opportunity to address risks that your organization does not find acceptable. Even with risk present, many vendor relationships cannot be severed. Remediation helps move the vendor into a more acceptable position on the risk scale.