Vendor management in Vanta

How to log, classify and manage your third-parties in Vanta


OVERVIEW

Vendor management is an important part of every information security and compliance program. Where you use third-party software, cloud infrastructure, and other services, your own security and compliance posture may depend critically on those vendors. Vanta provides powerful automation to support vendor management.

💡Tip: Take the time to scope and risk score your vendors; this will best align your efforts and save a lot of time and hassle in your audits and compliance work!


STEP 1: SCOPE YOUR MATERIAL VENDORS

You can start with a guided tour or go directly into Vanta's vendor discovery section. Vanta's vendor risk management automatically identifies vendors in use; hover over any of them and select "Add vendor" to add it to your vendor register. Ensure you include all vendors that collect, store, or otherwise process any sensitive data, as well as any on which you have a material business dependency. Any vendors that are not automatically identified can be added on the managed vendors page through the "Add vendor" option at the top right.

💡Tip: Consider whether all third-party services need to be included. A shorter list allows for greater focus and prioritisation when monitoring and managing them.

Common vendor types

  1. Infrastructure provider(s) - e.g. AWS
  2. Code repository - e.g. GitHub
  3. Authentication and SSO software - e.g. Okta
  4. Identity / workspace software - e.g. Google Workspace
  5. Enterprise password manager - e.g. 1Password
  6. CRM - e.g. HubSpot
  7. Workplace communications - e.g. Slack
  8. Knowledge management provider - e.g. ClickUp
  9. Compliance management - e.g. Vanta


STEP 2: CONFIRM OR ADJUST THE RISK RATINGS

Vanta helpfully auto-scores an inherent risk rating based on the types of data processed, business criticality, and integration and communication access. You can adjust the defaults of these factors to auto-update the score rating, or turn off auto-scoring to set your own inherent risk rating.

💡Tip: Ensuring the risk rating fits your context and risk profile can reduce the scope of your security reviews, saving significant time and focusing effort on higher-risk third parties.


STEP 3: COMPLETE SECURITY REVIEWS

For any vendors where the risk rating is High or Critical, complete a security review. Reviewing those vendors' SOC 2 reports is best practice, but it can be easier to obtain SOC 3 reports, as they are published without requiring non-disclosure agreements or other formal requests for access. For vendors without compliance reports, you can use a security questionnaire, such as Vanta's template. Document your findings, summarising why you are satisfied with the use of this vendor, and complete the review with an Approved rating, or with Conditionally Approved or Not Approved if there are adverse findings that the vendor needs to address.