Vendor Risk Management Settings

Security questionnaires

A security questionnaire is a document or survey used by organizations to assess the security practices, policies, and overall security posture of a potential vendor, partner, or other third party. These questionnaires typically contain questions designed to evaluate the entity's approach to protecting data, managing risks, and adhering to industry standards and regulatory requirements. Leverage Vanta's prebuilt security questionnaire, or upload your own.

  • You can upload a new questionnaire from the Vendors settings page by selecting +Add questionnaire.
    • Upload files up to 50 MB of the following types: .xls, .xlsx

  • Include a questionnaire name and description
  • Select Upload 

  • You can also use Vanta's default questionnaire, crafted by Vanta's security team

  • Managing your questionnaires
    • Eye icon: Preview the questionnaire 
    • Download: Download the questionnaire to your desktop
    • Three-dot menu: Delete the questionnaire 

Vanta AI Templates

Import your predefined question templates for Vanta AI to answer automatically. If you would like help crafting questions, use our VRM AI guide.

  • From the Settings page, select Vanta AI templates
  • You can Add a new template or take advantage of Vanta's default template

  • If you would like to use Vanta's template and build upon it, select the three-dot menu and choose Duplicate template

  • If you would like to delete any custom templates, select the three-dot menu and choose Delete template 

Inherent Risk Rubric 

The Inherent risk rubric customization feature is part of our Vendor Risk Management product. With auto risk scoring, each vendor receives a score that reflects the level of risk they pose to your organization based on the criteria you have established. This can help you make more informed decisions about vendor selection, risk mitigation, and ongoing vendor management.

  • From the left-hand navigation panel, select Vendors 
  • Open the Settings page and select the Inherent risk rubric tab 
  • Select Edit this rubric

Risk Rubric Sections 

Editing a default section 

  • The default sections can be edited by selecting the pencil icon
  • Edit the name and choose if you would like the section to be enabled by toggling it on
  • Select Save

Adding a custom attribute to a default section

  • Select the + icon in the default section 

  • Add a name, status (enabled or not enabled), description, and score, and map it to any relevant vendor categories. 

  • Select Save

Creating a custom section 

  • Select + Add new section
  • Provide a section name, and add any custom attributes you would like listed under the section. 
  • Add a description and score to each new attribute
  • Select Save

Security Review Risk Scoring

  • Once a security review has begun, you can leverage the auto-risk scoring or manually assign a risk level to the vendor.
  • Open the Vendor review and select the pencil icon next to Inherent risk 
  • From here, you can manually assign risk by choosing the edit drop-down

Or

  • You can leverage the auto-score by toggling on Auto-score based on risk attributes and inherent risk auto-score configuration

  • If you are using auto-scoring, complete the Risk attributes section to provide enough context for calculating the score.

Security Review Rules 

Frequency & Preferred Evidence 

  • From the VRM settings, you can set default evidence requirements when requesting vendor documentation based on the vendor's risk level.
  • Select Edit 

  • Select the review frequency from the dropdown and any preferred pieces of evidence. Vanta will default to these preferences, but items can be added or removed during the vendor review.
  • Select Save
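As an added example (not Vanta's code), a small Python model of the rubric described in the Inherent Risk Rubric and Security Review Risk Scoring sections above, carried through to the per-risk-level review defaults set here. The aggregation rule (sum of the vendor's selected, enabled attributes), the score thresholds, the vendor categories and the evidence lists are all assumptions for illustration; the page does not state how Vanta computes the score.

```python
# Constructed toy model of an inherent-risk rubric; not Vanta's code. Assumed rules the
# page does not state: the score is the sum of the vendor's selected, enabled attributes;
# disabled sections/attributes contribute nothing; an attribute mapped to vendor
# categories counts only for vendors in one of those categories.
from dataclasses import dataclass

@dataclass
class Attribute:
    name: str
    score: int
    enabled: bool = True
    categories: frozenset = frozenset()  # empty = applies to every vendor category

@dataclass
class Section:
    name: str
    attributes: list
    enabled: bool = True

# Constructed thresholds and per-level defaults (the page lets you configure review
# frequency and preferred evidence per risk level; these values are assumptions).
LEVELS = [(8, "high"), (4, "medium"), (0, "low")]  # descending thresholds
REVIEW_RULES = {
    "high": {"frequency_months": 6, "evidence": ["SOC 2 Type II", "Pen test summary"]},
    "medium": {"frequency_months": 12, "evidence": ["SOC 2 Type II"]},
    "low": {"frequency_months": 24, "evidence": ["Security questionnaire"]},
}
RUBRIC = [  # constructed sample rubric
    Section("Data access", [Attribute("Processes customer PII", 5),
                            Attribute("Stores production credentials", 4)]),
    Section("Integration", [Attribute("API access to production", 3, categories=frozenset({"SaaS"})),
                            Attribute("On-site contractor", 2, enabled=False)]),
    Section("Financial", [Attribute("Handles payments", 4)], enabled=False),
]

def inherent_risk_score(rubric, vendor_category, selected):
    """Sum scores of selected, enabled attributes in enabled sections that fit the category."""
    return sum(a.score for s in rubric if s.enabled for a in s.attributes
               if a.enabled and a.name in selected
               and (not a.categories or vendor_category in a.categories))

def risk_level(score):
    return next(level for t, level in LEVELS if score >= t)  # first threshold met

def review_defaults(rubric, vendor_category, selected):
    """Score the vendor, bucket it, and return the default review frequency and evidence."""
    score = inherent_risk_score(rubric, vendor_category, selected)
    level = risk_level(score)
    return {"score": score, "level": level, **REVIEW_RULES[level]}
```

A SaaS vendor with the PII and API attributes selected scores 8 (the disabled Financial section adds nothing) and lands in the high bucket; the same attributes on a non-SaaS vendor score 5 because the category-mapped attribute does not apply.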
