Vendor Risk allows you to monitor the security posture of your vendors, and work with them to remediate cyber-related risks.
The Vendor Risk module of the CyberRisk platform is where you’ll find all the information and tools to track, assess and communicate with the vendors that comprise your supply chain. The module allows you to monitor the Internet-facing risk posture of existing or potential vendors, send and analyze security questionnaires, and request and follow up on risk remediation requests.
The Monitored Vendors section of the Vendor Risk module allows you to discover and track the external risk posture of potential or existing vendors. The monitored vendors page lists the vendors you are currently monitoring. Information includes the vendor’s name, the primary domain name associated with that vendor, the current CSR score for that vendor, a score trend over the last 30 days and any labels assigned to that vendor.
You are allowed to continuously monitor up to and including the licensed number of vendors in your subscription and you can interchange vendors at any time within this quota. If you mark the vendor with the special label in-use, this monitored vendor’s score will contribute partially towards your overall CSR score. For more information about how in-use vendor scores contribute to your CSR score, please view our guide on How is my CSR Score Calculated?.
Monitoring and Following Vendors
Please view our guide on How to Add a Vendor.
If you would like to view the external risk of a vendor without continuously monitoring them, you can generate an Instant Report for that vendor. Your instant report quota is the same as your monitored vendors quota. An instant report for a particular vendor is available for 30 days after the first request, after which the slot is returned to your available instant reports quota.
You can track how many instant reports you have requested this month from the status bar at the top of the Monitored Vendors page, and you can view currently available instant reports from the same status bar.
Labels and Relationships
Labels can be assigned to monitored vendors to allow you to further group and classify your relationship with these vendors. We provide some common built-in labels that we encourage you to use based on how the vendor interacts with your cyber assets. The in-use label can be applied to a monitored vendor to have their CSR score factor partially into your overall CSR score.
Labels assigned to a vendor are listed next to the vendor on the Monitored Vendors page and also in the top status bar when viewing the risk profile of an individual vendor.
To add, modify and assign labels, click on the checkbox to the left of a vendor’s name.
Then, when the bottom bar appears, click Labels & Relationships to display a list of all existing labels, those currently applied to this vendor, and a search bar where labels can be located more easily or new labels can be added and assigned to this vendor. Multiple vendors can also be selected using their corresponding checkboxes.
Clicking the pencil icon in the top right corner of this menu will take you to a page where you can add, modify and remove your custom labels with more control.
Once labels have been applied to monitored vendors, you can use these labels to view a subset of your vendors based on assigned labels. By default, no filters are applied to your monitored vendors list. To apply a filter, access the filters panel by clicking Filters at the top of the Monitored Vendors page.
Select one or more labels you would like to filter by, then click Apply to filter the monitored vendors list by these labels.
When filters are applied to the list of monitored vendors, the selected labels appear in the top bar.
To modify the selected labels applied to a filter, click on the Filters button at the top of the page to view the filters panel again. To reset all applied filters and show the entire list of monitored vendors, select Clear Selection on the filter panel.
You can also filter by vendors that have no label assigned. This is particularly useful when first classifying vendors into groups, or when adding new vendors into the system. On the filter panel, select Unlabelled under the Custom Labels section, then click Apply.
Note: The Unlabelled filter only applies to vendors that have no assigned label. This does not include the Relationships that can also be assigned to vendors.
The UpGuard CyberRisk platform allows you to request that your vendors remediate certain identified risks. These risks can come either from the external web risks of a vendor, or from answers to completed security questionnaires.
Please view our guide on How to Request Remediation.
Monitoring the Progress of a Request
Current remediation requests can be viewed from the Remediation page under the Vendor Risk module, or under the Remediation section of a particular monitored vendor. Clicking on a remediation request will display the details and progress of the request.
Here, we have requested that one of our vendors correct the mismatch between the hostname of a domain and the assigned SSL certificate. Five domains are currently incorrect, and as the vendor fixes this particular risk for these five domains, the progress will be automatically updated here via our regular scanning of these domains. You can also correspond directly with the request recipient via the correspondence section of this page.
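The kind of check behind the request described above, as an added example that is not UpGuard's scanner code: it compares each hostname with the DNS names in the certificate served there and reports how many of the five domains are fixed after each scan. The domain names, certificate names and function names are constructed for illustration, and the wildcard rule is the common browser-style one (a `*` only as the whole left-most label).

```python
# Added example with constructed data; not the platform's own scanning logic.

def _name_matches(pattern: str, host: str) -> bool:
    """Match one certificate DNS name against a hostname, label by label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False          # a wildcard never spans more or fewer labels
    if p[0] == "*":
        # Require at least two labels after the wildcard, so "*.example" is rejected.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def cert_covers(host: str, cert_names: list) -> bool:
    return any(_name_matches(name, host) for name in cert_names)

def remediation_progress(scan: dict):
    """scan maps hostname -> DNS names in the certificate served on that host."""
    still_open = sorted(h for h, names in scan.items() if not cert_covers(h, names))
    return len(scan) - len(still_open), len(scan), still_open

# Constructed initial scan: five hypothetical vendor domains, all mismatched.
SCAN_1 = {
    "shop.vendor.example": ["www.vendor.example"],
    "api.vendor.example": ["*.internal.vendor.example"],
    "a.b.vendor.example": ["*.vendor.example"],   # wildcard covers one label only
    "vendor.example": ["*.vendor.example"],       # wildcard does not cover the apex
    "mail.vendor.example": ["mx.hosting.example"],
}
# Constructed rescan after the vendor reissued three certificates.
SCAN_2 = {
    **SCAN_1,
    "shop.vendor.example": ["shop.vendor.example", "www.vendor.example"],
    "api.vendor.example": ["*.vendor.example"],
    "vendor.example": ["vendor.example", "*.vendor.example"],
}

if __name__ == "__main__":
    for label, scan in (("initial scan", SCAN_1), ("rescan", SCAN_2)):
        fixed, total, still_open = remediation_progress(scan)
        print(f"{label}: {fixed}/{total} fixed; still mismatched: {still_open}")
```

The two domains left open after the rescan show the usual causes of a lingering mismatch: a wildcard certificate placed on a name two levels below it, and a shared hosting certificate that never listed the vendor's hostname.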
The UpGuard CyberRisk platform allows you to request and manage the completion of security questionnaires assigned to your vendors. Current outstanding and completed questionnaires can be viewed under the Questionnaires section of the Vendor Risk module, or under the subsection for a particular vendor in the side navigation bar.
Clicking on the name of a questionnaire will display a more detailed status and progress of the questionnaire, a summary of any actions and reminders, and a place to undertake correspondence with the contact at the vendor.
Sending a Questionnaire
Please view our guide on How to Send a Questionnaire.