Thank you, Andy, for taking time to provide more details. I probably won't set up our work in Jira, since we have our new GRC, but I'm seriously thinking about putting together "how to do TPRM on a shoestring" (or something like that) which I can present at SecureWorld Seattle or some other local venue.
------------------------------
Kate Wakefield, CISSP / CIPT / CRISC
Infoblox Director of GRC
------------------------------
Original Message:
Sent: 07-13-2023 09:59 AM
From: Andy Hooper
Subject: Free or Inbuilt tool
Kate:
As mentioned, I created a new board and issue type for 'vendor' (although there are some places where we've split vendors into multiple buckets because different tools/services have different owners within our org). Then added a bunch of custom fields: Last Review Date, Annual Cost, Cybersecurity Risk [0-10], Contact Information, etc. and the appropriate statuses (for us: Discovery, Implementation, Active, Under Review, Inactive).
We've just finished the deployment by having daily jobs to calculate the [de minimis]/[average]/[critical] vendor category from the various expense and risk scores and set the priority field (based on written policy). Also there is a daily process that uses criticality and last review date to calculate the next review date, and create and assign a subtask to the vendor owner 30 days before the review is due, and move the 'vendor' issue from 'active' to 'under review' status.
It's minimal, but it's 40x better than what we had, and it will move a lot of this to the appropriate parties.
Also, as with SmartSheets, there are form and workflow builders that you add in to force review to go through the appropriate people/departments if you're so inclined.
Andy
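The nightly logic Andy describes (bucket each vendor from cost and risk, derive the next review date from that bucket, open a review subtask for the owner 30 days out, and move the issue to 'Under Review') can be modelled as a few pure functions before wiring it to Jira. The block below is an added illustration and is not Andy's code or his organisation's policy: the cost and risk cut-offs, the review intervals per bucket, the status names, and the in-memory VendorIssue stand-in for a Jira issue are all assumptions. It returns the field updates and transitions a scheduler would apply, which keeps the policy testable and makes the re-run case explicit (a second run on the same day must not open a duplicate subtask).

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# ASSUMED policy values for illustration only (not Andy's written policy).
REVIEW_INTERVAL_DAYS = {"critical": 365, "average": 730, "de minimis": 1095}
CRITICAL_RISK, AVERAGE_RISK = 7, 4              # Cybersecurity Risk [0-10] cut-offs
CRITICAL_COST, AVERAGE_COST = 250_000, 25_000   # Annual Cost cut-offs (USD)
REMINDER_LEAD_DAYS = 30                         # open the review subtask this far ahead


@dataclass
class VendorIssue:
    """Minimal stand-in for a Jira 'vendor' issue and its custom fields (assumed shape)."""
    key: str
    owner: str
    status: str                  # Discovery / Implementation / Active / Under Review / Inactive
    annual_cost: float
    cyber_risk: int              # 0-10
    last_review: Optional[date]  # None if the vendor has never been reviewed
    priority: Optional[str] = None
    next_review: Optional[date] = None
    subtasks: list = field(default_factory=list)


def categorize(annual_cost: float, cyber_risk: int) -> str:
    """Vendor bucket: the highest bucket triggered by either spend or risk wins."""
    if cyber_risk >= CRITICAL_RISK or annual_cost >= CRITICAL_COST:
        return "critical"
    if cyber_risk >= AVERAGE_RISK or annual_cost >= AVERAGE_COST:
        return "average"
    return "de minimis"


def next_review_date(category: str, last_review: Optional[date], today: date) -> date:
    """Next review is last review plus the bucket's interval; never reviewed means due today."""
    if last_review is None:
        return today
    return last_review + timedelta(days=REVIEW_INTERVAL_DAYS[category])


def daily_job(issue: VendorIssue, today: date) -> list:
    """One nightly pass over a single vendor issue.

    Mutates the issue in place and returns the (action, detail) pairs that were
    actually applied, so re-running on the same day returns an empty list.
    """
    actions = []
    category = categorize(issue.annual_cost, issue.cyber_risk)
    if issue.priority != category:
        issue.priority = category
        actions.append(("set_priority", category))

    # Only vendors in service are scheduled for periodic review.
    if issue.status not in ("Active", "Under Review"):
        return actions

    due = next_review_date(category, issue.last_review, today)
    if issue.next_review != due:
        issue.next_review = due
        actions.append(("set_next_review", due.isoformat()))

    if today < due - timedelta(days=REMINDER_LEAD_DAYS):
        return actions  # outside the reminder window; nothing more to do

    # Inside the window: exactly one review subtask per due date, assigned to the owner.
    if not any(s["due"] == due for s in issue.subtasks):
        issue.subtasks.append({"summary": f"Review {issue.key}", "assignee": issue.owner, "due": due})
        actions.append(("create_subtask", issue.owner))

    if issue.status == "Active":
        issue.status = "Under Review"
        actions.append(("transition", "Under Review"))
    return actions


def complete_review(issue: VendorIssue, reviewed_on: date) -> None:
    """The owner closes the review: stamp Last Review Date and return the issue to Active."""
    issue.last_review = reviewed_on
    issue.status = "Active"


if __name__ == "__main__":
    # Constructed sample vendor, not real data.
    v = VendorIssue(key="VEN-42", owner="alice", status="Active",
                    annual_cost=30_000, cyber_risk=8, last_review=date(2022, 7, 1))
    for day in (date(2023, 7, 13), date(2023, 7, 13)):   # second run is a no-op
        print(day, daily_job(v, day))
    complete_review(v, date(2023, 7, 20))
    print(date(2023, 7, 21), daily_job(v, date(2023, 7, 21)), v.status, v.next_review)
```

Whatever runs this in practice (a scheduled script against the Jira REST API, or the equivalent rules in Jira's own automation) should preserve the two properties the functions encode: the bucket is recomputed from current cost and risk every run, so a vendor whose risk score is raised moves to a shorter review cycle immediately, and subtask creation is keyed on the due date so repeated runs do not pile duplicate tasks onto the owner.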
Original Message:
Sent: 7/12/2023 10:42:00 AM
From: Kate Wakefield
Subject: RE: Free or Inbuilt tool
Andy -
I would be interested to understand how you use Jira. We now manage the assessments in our GRC, but Jira is our issue tracker of choice in the engineering side.
------------------------------
Kate Wakefield, CISSP / CIPT / CRISC
Infoblox Director of GRC
------------------------------
Original Message:
Sent: 07-12-2023 10:07 AM
From: Andy Hooper
Subject: Free or Inbuilt tool
Srinivasa:
Like Kate, we decided to re-use an existing project management tool for TPRM, in our case Jira rather than Smartsheets (we use both in IT).
We created a new "issue" type for each vendor with the risk categories we are interested in, contact information, etc. and automated the overall risk category assessment and the creation of assigned review sub-tasks under each to the vendor owner. Jira is great for collecting notes/updates as well as files within the "issue" base structure, which is why we chose it.
It's coming along – not complete yet, but I think a workable tool for our needs (about the same as yours, 100ish vendors).
Andy
Original Message:
Sent: 7/12/2023 9:22:00 AM
From: Kate Wakefield
Subject: RE: Free or Inbuilt tool
Srinivasa -
Before Infoblox purchased a GRC tool, we managed tracking of assessments using Smartsheets. This is not a solution for mailing out questionnaires, but does allow creation of an intake form for new vendor assessments, tracking of status and due dates, and automated email reminders. I am a bit slammed with our fiscal year end assessments, but I would be happy to meet via Zoom and share some tips and tricks of how to do TPRM on a shoestring.
Perhaps this would be a good topic for a discussion? I haven't seen much activity on the Bay Area TPRM Slack community lately. Not sure if you've been part of that group. KW
------------------------------
Kate Wakefield, CISSP / CIPT / CRISC
Infoblox Director of GRC