Overview

Conducting a Vendor Security Review is not only crucial from the perspective of the vendors but also holds significant importance from your customer's perspective. Especially for critical business applications, where customer data may be shared on the vendor platform, maintaining stringent security measures becomes paramount.

To uphold alignment with your organization's security policy and ensure high-security standards, adopting a periodic review process for existing vendors and implementing a mandatory review for all new vendors is considered best practice. This approach helps safeguard sensitive data, build trust with customers, and fortify the overall security posture of your organization. Prioritizing vendor security assessments is a strategic and proactive measure to protect valuable assets and foster a secure business environment.

We will learn how to run vendor security review with Spendflo in this article

Initiate the Security review

To initiate a security review process for existing vendors, access the Security Hub and navigate to Vendor Risk Assessment. Simply click on the "Start Vendor Review" button to commence the review for the selected vendor.

If you have enabled the Vendor Trust then the security review process is automated for new procurement requests, and a review will be automatically generated. You will receive a notification via email for the newly created review. You can also find the existing reviews conveniently on the same page within the Security Hub for easy access and management. Learn more on how to start a Security process from the guide here

Assign a Procurement Owner

The procurement owner is someone who is responsible for procuring the software. They ensure that the software procured is compliant with all the security and privacy policies of the customer’s organization. 

There are 3 places where you can add a procurement owner depending on how you have initiated a security review. 

1. During order intake

At the time of order intake in the vendor review section, a requester can assign the owner

2. Request details page

If the requester is not sure of the procurement owner, at the time of order intake, then they can update the procurement owner after submitting the request from Buying Hub>Requests>Request details page of the. App

3. Vendor Risk Assessment page

The procurement owner can also be assigned from the Vendor Risk Assessment page

Procurement owner sign-in to Spendflo

Once a procurement is assigned to a procurement owner, they will be notified via email about the procurement. The email will nudge them to take begin the vendor due diligence process. When the procurement owner signs in to Spendflo using the link in the email notification, they will land on the vendor review page. 

On the vendor review page, the procurement owner can complete the security review by kicking off three key tasks. They can also view the linked procurement request from the vendor review page

Invite Reviewers

1. The procurement owner can invite other individuals to collaborate on the vendor evaluation. The reviewers can be across functions - finance, legal, infosec or IT. 

2. When a reviewer is assigned to a procurement, they will be notified via email about the procurement and asked to sign-up/sign-in to review the procurement

3. When the reviewer signs in to Spendflo via link in the email notification, they will land in the vendor review page.

4. Vendor review page allows the reviewer to evaluate vendor responses, share red flags with the vendor, lock the questionnaire or conclude the review. 

Add Account Executive

1. Vendor account executives are individuals who are the point of contact at the vendor organization for all security review activities. 

2. They are expected to share all the required documentation regarding the vendor organization and the software. This will enable the procurement team at the customer org to evaluate the procurement. 

3. Fill in the email details of this particular procurement’s account executive. The security questionnaire and requests for documents will then be sent to the vendor’s account executive via email.

Request documents

The procurement owner can request the vendor for the documents required to complete the security reviews. This feature can also be used to share any forms, documents and information that the customer wants with the vendor. 

Send Questionnaire 

The procurement owner can send a questionnaire to the vendor for evaluation. When the user clicks on the button Send Questionnaire, a pop-up appears which will ask them to choose the questionnaire they would like to send.

The user can either select the Spendflo standard questionnaire or import their own custom questionnaire.

1. Standard Questionnaire

If the user selects, the Spendflo Standard Questionnaire option, they can preview the spendflo created all-exhaustive questionnaire before sending it to the vendor account executive.

2. Custom Questionnaire

If the user chooses the Import Custom Questionnaire option, then they will be presented with a modal to import the questionnaire. The questionnaire file type should be in csv only and should adhere to the format of the sample questionnaire which can be downloaded for reference by clicking on the link Download Sample CSV.

Once the user imports the questionnaire, they can preview it before sending it to the customer.

Review Custom Questionnaire

1. After importing the custom questionnaire, the user can delete any questions in the review screen by clicking on the delete icon on the right corner of the question. '

Once a question has been deleted, it can not be undone.

2. If the user wishes to add or edit a question on the questionnaire, they can do so on the CSV file outside Spendflo and upload a different file with the edits. We currently don't support editing or adding questions within the platform.

3. If the user wishes to replace the current CSV file, they need first to delete the existing file and upload a new one.

Vendor receives the request

Once you send the questionnaire and document request, the vendor will receive an email with instructions to access the Vendor security review in Spendflo App, they can signup/or login to the app to start sending the responses. For help article for Vendor's side of Spendflo Security process, refer to the guide here.

Review vendor submission (Procurement owner + reviewers) 

1. Once the vendor account executive uploads the documents and responds to the questionnaire, the procurement owner and the reviewers can evaluate it on the vendor review page. You will see the documents attached and "review vendor responses" as a sign that vendor has reverted back with a response

2. The procurement owner and reviewers can download the attachments and view the questionnaire's response. 

3. During the questionnaire evaluation, the evaluation team can either accept the vendor response or flag the response for further clarification. 

4. Once the procurement team has completed the evaluation, the procurement owner can share the flags with the vendor and seek additional information for those flags.

5. When the vendor account executive responds to those flags, the procurement team will be notified and they can resume their evaluation again. 

Concluding review

Once the procurement team has evaluated the submission of the vendor, the procurement owner can conclude the review by clicking conclude review button on the vendor review page. 

Only the procurement owner can conclude the review.

If there are no flags during the evaluation, the review owner can approve or reject the procurement directly. However, if the procurement team raises flags, then the procurement owner can either reject or escalate the procurement for residual risk sign-off

Risk acceptance and residual risk owner

When the procurement team believes that there are a few residual risks remaining, they have the option to send the procurement for risk acceptance sign-off. The person who provides the risk acceptance is called the residual risk owner. The residual risk owner may be either the CEO/ CFO/ CSO or sometimes the head of the department which requested the software

The procurement owner can send the procurement to the residual risk owner along with their comments. 

The residual risk owner can go through the submission and arrive at a decision to either approve or reject the procurement. 

Please note that the same individual cannot be a residual risk owner and a procurement owner.

Audit Log/Trail

All the actions performed on a particular security review are preserved in Spendflo under the “Audit Log” under the security review page of the vendor.