Introducing Comply AI for VRM: Faster, Efficient Vendor Risk Management

  • May 01, 2024

Author: Donna Lee, Senior Product Marketing Manager at Secureframe

Edit: Secureframe Vendor Risk Management is now renamed to Third-Party Risk Management to better reflect its comprehensive approach to managing all third-party vendor risks.

With increasing dependencies on third-party vendors across organizations’ tech stacks, managing vendor risk is crucial to safeguarding sensitive data and maintaining a strong security and compliance posture. 

To address this challenge, we are thrilled to announce upcoming enhancements to Secureframe Vendor Risk Management (VRM), including an expansion of our AI functionalities with Comply AI for VRM, designed to streamline the management of third-party vendor risks. Secureframe VRM provides tooling for complete third-party risk management (TPRM), simplifying the process of identifying, mitigating, and continuously monitoring risks associated with vendors.

Centralized Vendor Risk Management

A robust vendor risk management program requires organizations to put formalized processes in place for managing risk throughout the entire vendor lifecycle. This can include reviewing vendor compliance reports and attestations of compliance, requesting vendors to complete a vendor security questionnaire, and managing results. 

Secureframe VRM simplifies the entire vendor risk management lifecycle. Through our centralized platform, you can conduct thorough vendor risk assessments by reviewing compliance reports, attestations, and security documents. Users can manage these processes seamlessly from start to finish—from initial assessments and ongoing monitoring to vendor offboarding—thereby minimizing risks and maintaining compliance throughout all vendor interactions.

Vendors in Secureframe can be found under the “Vendors” tab, where you can view all active and archived vendors along with their associated risk levels. Each vendor's profile includes information about vendor services, account manager, and security compliance details like types of authentication, audit report findings, and more to help categorize and manage vendors efficiently.

Secureframe helps uncover shadow IT by automatically detecting apps that employees access via Single Sign-On (SSO): when employees use their work email addresses to sign in to services that are not yet on the vendor list, those services are surfaced so that your active vendor list stays up-to-date. For organizations not using SSO, or for any additional vendors, vendors can be added individually or in bulk via CSV.

Admins can evaluate a vendor's risk level based on the data and environments the vendor accesses. All documentation, including compliance reports, contracts, and policies, can be attached directly to the vendor's profile for easy reference, and admins have access to vendor history logs. 

Continuous Monitoring and Reviews

Ongoing monitoring is key to maintaining a secure vendor ecosystem. Secureframe VRM enables full visibility with recurrent reviews. Users can set up custom security review question templates to ensure consistency in evaluations. Admins can organize and schedule vendor reviews based on criteria like risk levels and categories, ensuring regular assessment of each vendor's security posture and more frequent reviews for higher risk vendors.

Admins can also automate tasks, notifications, and reminders for upcoming vendor reviews through integrations with tools like Slack and Jira, and can add comments and flag findings on any document attached to a specific vendor review.

When changes are made to the vendor, Secureframe keeps detailed logs of all vendor interactions and modifications over time for audit and tracking purposes. All of these features ensure that the right stakeholders are vigilant about regular security reviews and documentation.

Seamless Vendor Security Review with Comply AI for VRM

To further automate the process of vendor risk management, we’re excited to introduce Comply AI for VRM, which leverages AI to automate the collection of relevant data from vendor documents like SOC 2 reports. 

Comply AI for VRM streamlines the security assessment process by automatically extracting answers from documents, saving users time, reducing manual effort, and enhancing the efficiency of security reviews. Comply AI for VRM will work as follows:

  • Upload vendor documentation like SOC 2 reports, policies, etc. to a vendor profile in Secureframe
  • Create or use a Secureframe-provided template for security review questions
  • Conduct a one-time or recurring vendor review
  • Use Comply AI to extract relevant content from the documentation to answer security review questions, such as those about data privacy, data retention, and security processes
  • Comply AI will run and populate answers
  • Review the answers for accuracy
  • Complete the security review

Customize Your Vendor Risk Program

Flexibility and customization are key for organizations with complex vendor management requirements. Customers now have the ability to tailor their vendor risk management program with custom scores, tags, departments, and risk assessments to better align with their organizational needs and existing risk frameworks.

Get Started Today

Secureframe’s VRM module provides tools to create a safer and more compliant vendor ecosystem. By centralizing and automating the vendor review and risk management process, Secureframe VRM not only saves time but also bolsters your organization's capabilities to prevent third-party data breaches and maintain compliance. 

To learn more about Secureframe VRM and Comply AI, or to see these solutions in action, schedule a demo with our compliance experts today. Don't miss the chance to get your questions answered in person at RSA — schedule a meeting with a team member or visit Booth #6573 in Moscone North Expo.