Vendor Risk Management FAQs for MSPs


The following Help Center article is for Vanta's Managed Service Providers. For additional questions, please reach out to your Vanta Channel Representative. 


Can I use this to see how much money I'm spending on each vendor? 

  • No. However, the VRM dashboard shows you how many seats you remove as a result of each vendor review, as well as your redundant vendors (for example, two sales automation tools with the same functionality) and which of your employees are using each vendor. We don't have plans to help track vendor spend.

Can I use this product to keep track of vendor contracts?

  • That's not what this was designed to be used for, but you can upload contracts into the references tab within the vendor profile if you so choose. We have added the Contract Start Date field to the vendor profile overview tab and a Contract Review quick view.

Can I connect to my SSO and my IdP?

  • Yes, you can detect vendors across multiple IdPs with this product.

I have a few different questionnaires that I like to send to vendors, can I upload those here? 

  • Yes, you can use the private links feature to create a link to a unique page hosted on Vanta where your vendor can upload the documents you request as well as view the questionnaire you need them to answer. This streamlines the back and forth usually involved in receiving security information from the vendor. 

Where does the risk score come from? 

  • You configure the high-level vendor risk definitions on the Settings page. We then cross-reference what we know about the vendors with your rubric to generate the risk score.

How do you know what type of information the different vendors process?

  • Good question. We infer vendor attributes from the vendor category. If you have an unscored vendor, add its category first and you'll see our "guess" at what type of data it processes, and so on.

Can I manually adjust the risk of the vendor? 

  • Yes, you can manually configure the risk within the Risk tab in the vendor profile.

Can I move a vendor back from “All Vendors” to “Discovery”?

  • Not as of November, 2023. You can Archive a vendor that you've added, but you can't move it back to Discovery. Just like "Ignored" vendors in the Discovery tab, you can always see and unarchive all of your Archived vendors. The ability to view all vendors linked to discovery and send a vendor back to the discovery page is coming soon.

Which vendors should I add? 

  • Some VRM customers add every single vendor that they've procured. Others only add their critical or high-risk vendors (based on their own risk rubric definitions).

Should I also think of my high-risk vendors as my critical vendors that I need to perform annual diligence on, according to my vendor management policy? 

  • That's up to you, but yes, most of our customers perform annual diligence on all of their "high" inherent risk vendors. Most of our VRM customers reference their third-party management policies to know which vendors to do any diligence on.

Can I group all products from a single public company together? 

  • You can, but that's not how the product was designed to be used. We encourage you to think of a vendor as a business unit that you need to do unique infosec diligence on. For example, Jira and Confluence each have their own SOC 2 reports, so we encourage you to add those as unique "vendors."

Can I initiate UARs from within the vendor profile? 

  • Not yet, however once we’ve detected the vendor, you can switch to the Access Reviews product using the navigation and create a new review to examine access for that vendor. 

Who is the Security Owner?

  • The Security Owner is meant to be the person who is responsible for doing the security diligence on the vendor. Right now it's tied to a single user, but later you'll be able to assign a team as the Security Owner. It's worth noting that in the future, since we're connected to your HRIS, we'll be able to alert you when a vendor's Security Owner is no longer an employee, just in case you missed it!

Is there an easy way to see vendors who are currently in procurement? 

  • There isn't a quick view to see vendors who are in procurement today, but that's coming soon. When you're doing initial diligence on a vendor, we expect it to be discovered if you're doing a trial and get login credentials; otherwise, you can manually add the vendor to do the diligence. What does your vendor intake flow look like?

Does this integrate with contract management tools like Ironclad or Vendr? 

  • Vanta integrates with Vendr to pull in your vendors, but we don't integrate with any contract management tools to pull in vendors that are in procurement.

Does this integrate with MDMs? 

  • Not yet, but those are coming very very soon. Which MDM do you use? If we integrate with it on the compliance side of the house, we'll be able to integrate with it here too.

Can you pull in whether or not someone has a SOC 2 into the vendor profile? 

  • Not as of November, 2023, but it's something that we're discussing. We can tell you whether or not one of your vendors is also a Vanta customer, and let you go quickly see their Trust Report.

Can I see the last login date for these applications? 

  • Unfortunately no, but we do plan on giving you more and more information about these discovered vendors over time, to make it that much easier for you to triage them.

I added the same vendor twice, can I merge them? 

  • Yes, we have this feature.

Can you automatically pull in a company's SOC 2? 

  • We can't automatically pull in a compliance report, but if the vendor is also a Vanta customer we can tell you that and let you quickly click into their Trust Report. If the vendor has a Trust Center, the report available on the vendor details page will indicate that with a link to their trust center. 
