Information Security

  • 1.  Vendors not completing IT Security Questionnaire via 3rd Party Platform

    Posted 04-26-2023 08:25 AM

    Has anyone ever experienced vendors not wanting to complete your IT Security Questionnaire using the Venminder Platform? If yes, how did you handle this? I have a vendor who is insisting on completing it via an Excel, Word, or PDF file. I am trying to push our method because I am trying to get this over into one platform and process. Any suggestions or comments on how to handle this vendor?



  • 2.  RE: Vendors not completing IT Security Questionnaire via 3rd Party Platform

    Posted 04-26-2023 08:58 AM

    I may be wrong, but I believe Venminder has an option to export to Excel and then you can email that and reenter the results on your side. It's an extra step, but if it's a vendor you truly want to utilize, it may be a workaround.

     






  • 3.  RE: Vendors not completing IT Security Questionnaire via 3rd Party Platform

    Posted 04-26-2023 08:59 AM

    David, I experience this with about 15-20% of all our vendors. Some companies just refuse to use a third-party platform/portal due to their internal policies, and sometimes it mitigates their risk of proprietary data being shared without the 3-way NDAs having to be executed. As a workaround, I copied the Venminder questionnaire template to an Excel version and I email it directly to the vendor. This adds extra steps, but occasionally this has to be done to accommodate the vendor.




  • 4.  RE: Vendors not completing IT Security Questionnaire via 3rd Party Platform

    Posted 04-26-2023 09:34 AM

    David, I can speak from the perspective of the person who is responsible for completing assessments where our clients view our financial organization as their vendor. In my experience, completing assessments is more manageable in an Excel format. This allows the spreadsheet (which is saved as a Master Draft) to be updated with notes, SME assignments, and various color-coding. Platforms tend to limit access, which hinders the process, as information must be obtained from SMEs across the enterprise. Third-party platforms are interactive and, depending on the response, will populate with additional questions that are not initially apparent. Having all the questions listed allows for assigning them to the SMEs at one time. Completing assessments is an ongoing process with many starts/stops as information is obtained and updated within the Master Draft. I typically am processing at least 15 open requests at one time. Being able to add notes to an Excel-formatted assessment assists in managing the process and workflow.

    If our client uses a third party platform, NDAs must be obtained from that vendor before sharing our confidential, sensitive, and proprietary information. 




  • 5.  RE: Vendors not completing IT Security Questionnaire via 3rd Party Platform

    This message was posted by a user wishing to remain anonymous
    Posted 04-27-2023 11:00 AM

    We are having similar issues: more and more vendors not only don't want to use a third-party platform, but they don't even want to complete the questionnaire at all; instead, they provide their due diligence packet 😊 I think, unfortunately, that's the future we are heading to.

    Thanks. 




  • 6.  RE: Vendors not completing IT Security Questionnaire via 3rd Party Platform

    Posted 04-26-2023 09:02 AM
    That happens to us periodically. We simply export the questionnaire to Excel and have the vendor complete it, then store the completed Excel file in Documents storage for the vendor.





  • 7.  RE: Vendors not completing IT Security Questionnaire via 3rd Party Platform

    This message was posted by a user wishing to remain anonymous
    Posted 04-26-2023 09:05 AM

    1. We always have an NDA with our vendors and vendors who refuse to use our vendor management system may request 1) an NDA with our vendor management system, or 2) a tri-party NDA with our vendor management system provider, us and the vendor.
    2. Our vendor management system allows us to export our questionnaire and when the vendor returns via secured email, we will import into the system.



  • 8.  RE: Vendors not completing IT Security Questionnaire via 3rd Party Platform

    Posted 04-26-2023 09:32 AM

    GM,

    there are 2 options from my experience:
    1. Nicholas is right on, especially if there are only a small % of vendors fighting your centralized process. A bit of work on your side, however you will always find outliers. So, just deal with it as an exception to the process - there are so many challenges re the TPRM thread, this situation seems like a win - OR
    2. Can you provide artifacts and have a chat with your vendor (maybe, Venminder can join your discussion) re the level of security in place re Venminder's portal - if this fails, then #1 - treat it as a "one off" exception to our centralized process

    cheers, John - happy to chat
    ------------------------------
    john peck
    ------------------------------