Risk Assessments

  • 1.  Risk Assessments as a Service

    This message was posted by a user wishing to remain anonymous
    Posted 08-23-2021 08:28 AM

    Hello!  We are beginning the process of reviewing vendors who perform risk assessments as a stand-alone service. We are not looking to move to a new vendor management system at this time, but are looking for vendors who can provide complete and compliant risk assessments, perhaps from a library of common vendors, or as a stand-alone.

    Does anyone have any recommendations or experience with such firms?  The security piece is important and we are considering firms like SecurityScorecard as well as more holistic reviews. I haven't done any demos yet; I'm looking for recommendations and experience from the group if you have any to share.


  • 2.  RE: Risk Assessments as a Service

    This message was posted by a user wishing to remain anonymous
    Posted 08-23-2021 08:59 AM

    The only service like that I am aware of is KY3P (Know Your 3rd Party) from IHS Markit, but it is still in its infancy.


  • 3.  RE: Risk Assessments as a Service

    Posted 08-23-2021 09:20 AM
    Look at TruSight.  Used them in a pilot program.


  • 4.  RE: Risk Assessments as a Service

    Posted 08-23-2021 09:59 AM

    You might look at CyberGRX.  They perform detailed risk assessments of companies and then store those assessments to share with additional requestors. Their assessment includes not just questionnaires, but review of actual evidence (screen snaps of systems, policies, etc.). Their Tier 1 assessment is a brutal 1100 questions across security, privacy, and compliance.


    If you're looking at scorecards, check out BitSight, Panorays, RiskRecon, and SecurityScorecard. These are the leaders in the Forrester New Wave report on "Cybersecurity Risk Ratings Platforms" Q1 2021; one of these vendors is distributing the report. We are reviewing them to add to our procurement process. Please be aware that all of these cyber platforms rely upon external scans of the IP address ranges of the target companies. Therefore they don't measure a company's actual internal risk management, privacy, or security compliance. I would use their scores as only a portion of the analysis of the vendor for this reason.  KW


    Kate Wakefield CISSP, CIPT, CRISC

    Sr. Manager Security Compliance

  • 5.  RE: Risk Assessments as a Service

    Posted 08-23-2021 11:01 AM

    Richey May has performed services like this for our organization.

  • 6.  RE: Risk Assessments as a Service

    This message was posted by a user wishing to remain anonymous
    Posted 08-23-2021 01:36 PM

    Hello,
    One of the firms that I'm familiar with is TeePee Vendor Risk Management As A Service. Please find the vendor's link to their home page inserted below.

    Teepee


  • 7.  RE: Risk Assessments as a Service

    Posted 08-23-2021 01:38 PM
    Actually, Venminder offers stand-alone assessments that don't require the use of our TPRM software. These range from financial health, contract reviews, and general vendor vetting, to reviewing SOC reports, and controls around resiliency, privacy, and security. A library of vendors and their ratings can be accessed through our free exchange or samples can be seen by requesting them here. We've tiered our assessments to fit different client TPRM process needs and to fit different risk levels of vendors. I lead the team performing the technology assessments so feel free to message me directly if I can assist.



  • 8.  RE: Risk Assessments as a Service

    Posted 08-23-2021 04:07 PM
    Venminder can do this, and you don't have to use their software. I believe they can do reviews focused on cyber, SOC reports, financial health, BC/DR, etc. They also have a partnership with Bitsight/SecurityScorecard, so they may be able to help you there as well.