VRM Basics
Risky Business
Continuous Monitoring
Policies & Compliance
Funny & Wild Card
100

This is the first step in onboarding a vendor before granting access.

What is due diligence? 

100

This type of vendor risk involves system downtime or service interruptions.

What is operational risk?

100

This is the goal of continuous monitoring in VRM.

What is to get clean data in Onspring?

100

GDPR, HIPAA, and PCI-DSS are all examples of these.

What are regulations/standards?

100

If a vendor ghosted you after onboarding, you'd say they are worse than this kind of ghost. 

What is Casper?

200

True or False: All vendors pose the same level of risk.

What is False?

200

A vendor storing your customer data would fall under this type of risk. 

What is data privacy risk?

200

In continuous monitoring, vendors are usually checked this often.

What is daily, weekly, or monthly (depending on risk level)?

200

If a vendor suffers a data breach, contracts and breach-notification laws require them to do this promptly.

What is notify their customers/partners?

200

The number of cups of coffee needed before risk analysts start their day.

What is infinite (or at least 2)?

300

This document is often sent to vendors to assess their security posture. 

What is a questionnaire?

300

A risk that comes from breaking the law or regulatory rules.

What is compliance/legal risk?

300

Continuous monitoring tools can send this type of early warning. 

What is an alert?

300

This type of assessment is typically renewed every 12 months.

What is a vendor risk assessment?

300

VRM is a lot like dating: this is what you should always do before committing.

What is a background check/due diligence?

400

The process of offboarding a vendor helps prevent this type of lingering access risk.

What is unauthorized access?

400

This type of risk is the hardest to quantify but could ruin a company's image overnight.

What is a reputational risk?

400

An analyst like Nathan verifying vendor issues is an example of this type of control. 

What is a detective control?

400

Regulations expect vendors to have this kind of agreement before handling data. 

What is a data processing agreement (DPA)?

400

The one thing every vendor swears they are totally compliant with even if they aren't.

What is a SOC 2?

500

Acronym time! VRM stands for this. 

What is Vendor Risk Management?

500

This risk occurs when a vendor hires another vendor without telling you.

What is fourth-party risk?

500

This scorecard is often used to track vendor risk changes over time. 

What is a risk rating or risk score?

500

GLBA, FFIEC guidance, and (for publicly traded firms) SOX mostly apply to this type of industry.

What is financial services?

500

If VRM had a mascot, it would probably be this animal, because it's always watching.

What is an Owl?
