Gartner defines Vendor risk management as follows: IT GRC (Governance, Risk and Compliance) technology can help organize survey data and responses from partners, vendors and others to prioritize vendor risk against security and other IT-related requirements. However, vendor risk management is typically done using emails and spreadsheets, making it tedious, time-consuming and decentralized.
QualysGuard’s new customizable questionnaire service streamlines vendor risk programs by providing a centralized, secure and easy-to-deploy solution for vendor classification assessment, risk assessment and the approval of vendors based on their respective criticality. QualysGuard Questionnaire simplifies each of these steps by providing an efficient way to: Classify vendors by identifying the type of information shared with the vendors, such as Personal Identifiable Information (PII), Protected Health Information (PHI) and credit card information; assess the vendor risk by launching tailored assessments based on the vendor criticality; and track progress to finally reject or approve vendors.
This allows customers to better manage their vendor security programs by making it transparent, consistent, accountable and repeatable, while proving compliance across multiple regulations or standards such as ISO 27002 Section 10.2, FFIEC and GLBA IT Security Handbook, HIPAA or PCI DSS 2.0.
The new service provides:
Questionnaire responder interface that offers subject matter experts, an easy-to-use set of tools to quickly and efficiently assign and complete questionnaires, including evidence attachment by drag and drop, and quick delegation of questions, sections or even entire questionnaires.
Visual Questionnaire designer, which provides analysts an intuitive user interface to visually design a questionnaire and define requirements for evidence, comments or asset attachment.
Assessment workflow that includes the ability to automatically send assignments or reminder emails to questionnaire respondents, track progress and quickly identify non-active assessments.
Dashboards and reports providing insight into progress, compliance and risk posture for a single assessment or across a defined set of assessments.
Integrated library of 500+ regulations, standards, guidelines and best practices via the leverage of the Unified Compliance Framework (UCF), and the ability to automatically build a single questionnaire encompassing multiple regulations or standards such as the one provided by Shared Assessment program: SIG and AUP.
“Our new customizable questionnaire service extends QualysGuard’s capabilities for mapping and scanning, with an easy-to-use and cost-effective cloud-based approach to manage non-IT controls with support for authoring, distributing, completing, collecting and documenting surveys,” said Philippe Courtot, chairman and CEO of Qualys. “This helps organizations to streamline and expand their vendor risk assessment programs.”