In today's organizations it is not uncommon to have dozens — even hundreds — of mission-critical vendors supporting day-to-day operations. Taking time to reassess their risk and impact is important.
At Range we use Vanta to automate our compliance processes, including the tracking and monitoring of vendors. Here, Vanta's CEO Christina Cacioppo shares a template for an annual vendor review.
This template is designed to be used for a single, high-risk vendor. It is a working meeting where those responsible for vendor management work with the stakeholder responsible for the vendor to gather information and assess the risk.
1. Roll call
Make note of the vendor you are assessing and who is attending the meeting.
2. Review actions
Review and resolve any actions from the last audit.
4. Past issues or concerns
Were there any issues with the vendor, for example SLA violations, breaches, incidents, etc.?
Add topics to the agenda for deeper discussion.
Gather evidence of SOC 2, ISO 27001, PCI AOC, HIPAA, etc.
6. Data Inventory
What data is the vendor storing and/or processing?
7. Security questionnaire
Review responses to any security questionnaires we sent and determine whether any follow-up actions need to be taken.
Review the Vendor Risk Assessment, Privacy Impact Assessment (PIA), and Transfer Impact Assessment (TIA), if applicable.
Are we/they compliant with regulations? (GDPR, CCPA, HIPAA, etc.)
Do we have current contracts with appropriate language? (e.g. BAA/DPA/SCC)