Vendor Management frequently asked questions and answers
Best practices and a procedural template for using Trustero's Vendor Management feature are found in: Vendor Risk Management Overview and Guidance
- Q: What's the background on the Trustero Vendor Management feature?
  A: See the Vendor Management Announcement.

- Q: What are the risk tiers in the Vendor Management feature?
  A: Here's how Trustero helps you organize your vendors by risk tier:
  - Tier 1: Highest risk exposure; common for cloud providers and critical infrastructure.
  - Tier 2: Substantial risk exposure; use this for systems that help you do work but whose failure would not cause downtime.
  - Tier 3: Low risk exposure; common for systems with limited access to business-critical data, such as Applicant Tracking Systems.
  - Tier 4: Least risk exposure, with almost no access to sensitive data or important infrastructure; for example, an online training platform.

- Q: Is it OK to upload attestations to Trustero? We have to sign an NDA for many of these and aren't sure if we can share them externally.
  A: Most NDAs for attestations specifically allow sharing them with third parties that help with providing feedback, analysis, organization, etc. Check your NDAs to make sure they allow this before uploading.

- Q: Can we attach a link to an attestation that leads to an internal location?
  A: Trustero doesn't currently support externally hosted attestations.

- Q: What is the risk of using a vendor that doesn't have an attestation?
  A: If it's a critical vendor, then not having an attestation means you should probably find another way of assessing the risk of relying on them. Having an attestation typically raises the level of assurance you have about a vendor; without one, you might want to explore other ways of making sure you are properly managing the risk of relying on the vendor. If it's a lower tier, then an attestation may not be necessary.

- Q: Do all vendors require an attestation, or only certain risk tiers?
  A: Trustero recommends getting attestations or performing another form of risk assessment on tier 1 and tier 2 vendors.

- Q: Where can I find attestations for my vendors?
  A: Links to the location of attestations for common vendors are listed in this resource.

- Q: What control does this tie back to, and will the evidence automatically populate?
  A: The vendor management feature relates to control SR01 in the Trustero control set. Today there are no automatically created links between the control and the vendor management feature; we plan to integrate this more fully in the future.