The evaluation cycle inside S2Vendor consists of the following steps:
Inventory Vendor
Who inventories vendors?
Risk Managers
What is inventory?
Inventory is the process of adding vendors into your program. This can be done one-off by searching our existing directory or by importing a list.
When is inventory?
Anytime but especially at the launch of your VRM program. Vendors will organically go in and out of your inventory as new projects are taken on. It's highly advisable to evaluate vendors before signing any contract. This allows you to assess their risk before agreeing to work with them.
Where is the inventory?
The Vendor List acts as your inventory. All vendors will be visible from this screen at any time. You will find metrics that tally how many vendors are in your program and track your vendors' progress through the current evaluation cycle.
Why do we inventory?
Creating a central repository of your vendors is critical for accountability. You can't be monitoring your vendors if you aren't aware of them.
Classify Vendor
Who classifies vendors?
Relationship Owners
What is classification?
The relationship owner is asked 10 questions about their vendor's project or service. Once these details are captured, S2Vendor will categorize the vendor as low, medium, or high risk impact. This represents how exposed your organization is by the vendor's project or service.
When is classification done?
Classification is done immediately after the vendor is inventoried. It is sometimes described as the second step in inventorying vendors, as it catalogues vendors into useful buckets.
Where is classification?
Clicking on the vendor's name in the Vendor List will navigate you to the vendor's evaluation. Classification is Step 1 of the evaluation.
You can also go to Vendor List > Classification tab to find a pre-filtered list of vendors in Classification.
Why do we classify?
Classification is where the relationship with the vendor is scoped. Once we know how exposed we are by the vendor, we can assess them at the appropriate level.
Assess Vendor
Who assesses vendors?
Vendor Team
What is assessment?
The vendor is presented with a list of safeguards appropriate to their impact level (medium or high). They are tasked with responding True/False/N/A to each safeguard and may attach any notes or files that proves their position. The assessment determines their overall risk posture based upon how many of the standard safeguards they do or do not have.
When is assessment done?
Assessment is done after the vendor is classified. This ensures that vendors are
only assessed if need be and that if they are assessed, they receive the assessment that is appropriate to the amount of risk they expose your organization to. For example, a vendor classified as medium impact will receive the paired down medium version of the assessment.
Where is assessment?
Clicking on the vendor's name in the Vendor List will navigate you to the vendor's evaluation.
Assessment is Step 2 of the evaluation. You can also go to Vendor List > Assessment tab to find a pre-filtered list of vendors in Assessment.
Why do we assess?
Assessment is where we compare the vendor's security practices against the standard. This information is invaluable, empowering your organization to determine if a business relationship should be maintained with this vendor.
Remediate Vendor
Who remediates vendors?
Risk Managers
What is remediation?
Remediation is the process of addressing the risk discovered in the assessment. Inside the remediation portal, you can assign remediation tasks for the vendor to fix. You can assign a due date, lay out your criteria, and collect evidence from the vendor.
When is remediation done?
Remediation can only be done after the vendor is assessed. This is because only missing safeguards are eligible to be remediated. It is important to note that remediation is OPTIONAL.
Where is remediation?
Clicking on the vendor's name in the Vendor List will navigate you to the vendor's evaluation. Remediation is Step 3 of the evaluation.
You can also go to Vendor List > Remediation tab to find a pre-filtered list of vendors in Remediation.
Why do we remediate?
Remediation is where we set our terms of engagement with the vendor. Assigning the vendor remediation tasks, gives them an opportunity to address risks that your organization does not find acceptable. Even with risk present, many vendor relationships cannot be severed. Remediation helps move the vendor into a more acceptable position on the risk scale.