How do I think about this section of the product?
- The Vendors page is where you review the vendors you work with. It gives you one place to manage those vendors and confirm they meet your security standards.
- You can add, edit, and manage vendors in one place, which makes it easier to keep track of every vendor your organization uses.
- You can conduct security reviews of your vendors, so you can proactively mitigate the risks that come with relying on them.
- It is a centralized location for assessing and managing vendor risk: you can assign risk levels, upload security reviews, and archive vendors when they are no longer in use.
Do I need to fill out the Vendors page?
- Yes. Vendors appear on the Vendors page when you add an integration in Vanta or add a vendor manually, and you will need to complete the page for the vendors listed there.
What Vendors do I need to include?
- Any vendor that has access to or manages your sensitive customer data is typically considered in scope. This includes vendors that provide services such as cloud storage, payment processing, and customer support.
- Vanta recommends conducting security assessments primarily on high-risk vendors. If you deem it necessary, you can also assess medium- and low-risk vendors. The goal is to understand the risk of using a vendor's product or service and to confirm that sound security practices are maintained on an ongoing basis. If a vendor cannot provide security documentation such as a SOC 2 report, you can send them a security questionnaire from the Vendors page in Vanta.
- Below is a list of links to common vendors' security reports:
- AWS: SOC 2 request
- GitHub: SOC 2 request
- Anything Atlassian: Atlassian security
- Google: SOC 2 & SOC 3 request
- Slack: Slack security
- Vanta: Vanta security
- Azure/Office: Azure/Office security
- GitLab: GitLab security
- Bitbucket: SOC 2 request
- 1Password: SOC 2 request
- OpenAI: OpenAI security
- Notion: Notion security
How should I be scoring my Vendors?
- Use the following image to determine which risk level should be assigned to each vendor:
Do I need a security review for each vendor?
- No. Only vendors marked as Critical or High Risk need a security review.
What do I need to review? What will my auditors be looking for?
- You will need to review a security report or document for each of your Critical and High-Risk vendors. This could be a SOC 1, SOC 2, or SOC 3 report, an ISO 27001 certificate, or similar. Examine the vendor's security practices and procedures thoroughly and note any findings that could put your organization's or your customers' data at risk.
- The goal is to confirm that every vendor handling sensitive data has appropriate security measures in place. This is part of the risk management process and helps ensure that your organization's data stays protected even when it is in the hands of a third party.
What if one of my vendors can't provide a report listed above?
- You can send them a security questionnaire to complete from the Vendors page.
How do I complete this in Vanta?
- We have several resources available to walk you through these steps:
If you are looking for a more robust tool to manage all of your vendors, check out our Vendor Risk Management tool.