  • 1.  Security Scorecard

    This message was posted by a user wishing to remain anonymous
    Posted 14 days ago

    Hi all, 

    We are using Security Scorecard and would like to understand how other organizations are layering in the data points to third-party risk reporting/due diligence/risk assessments/etc. 

    Any insights into your process flow would be greatly appreciated, thank you.

  • 2.  RE: Security Scorecard

    Posted 10 days ago

    Formalizing which of your vendors requires continuous monitoring would be the first step in using and incorporating Security Scorecard into your policy. From there, utilizing the data in onboarding and ongoing lifecycles is recommended.

    The data can drive questions and conversations with the vendor during the due diligence process. Certain risk factors could lead to targeted questions to understand the level of risk associated with the vendor and help your legal team incorporate the appropriate language into the contract.

    By focusing on specific risk factors, such as Patching Cadence scores, targeted inquiries can be made to assess a vendor's risk profile and ensure contractual language reflects the necessary security commitments. Documentation of these interactions could be stored in questionnaires, oversight tasks, risk assessments, issue management, or a combination of these.

    • Questionnaires: External questionnaires can be sent to the vendor to ask for documentation and address any concerns.
    • Oversight Task: Did they provide documentation to validate scores or address concerns? Was it an acceptable outcome or does it need improvement?
    • Issue Management: Needed improvement? Let's remediate here.
    • Risk Assessment: Residual Risk is the place to show you've mitigated your risk. Attach supporting documentation or show proof of an acceptable Security Scorecard rating here.
    • Reporting is available from each of these workspaces to gather data quickly when needed.

    These are the most common ways I see Security Scorecard being used within TPRM. I would love to hear how other members are layering in the data points to third-party risk too.