    Manage vendor risk assessments

    The vendor primary contact uses the Vendor Portal to view all assessments. Before the vendor risk manager closes the assessment, issues and tasks are created on-demand, usually during the Generating Observations state. The vendor risk analyst assigns vendors as needed and communicates using comment streams to achieve closure on non-compliance.

    Vendor Risk Assessment workflow

    1. The vendor risk manager creates internal and external assessment templates, questionnaire templates, document request templates, and creates the notifications associated with the workflow.
    2. The vendor risk manager prepares and sends the vendor risk tiering assessment to internal stakeholders.
    3. Internal stakeholders complete and submit the assessment.
    4. After receiving the completed vendor tiering assessments, the vendor risk assessor updates and closes the vendor risk tiering assessment.
    5. Next, the vendor risk manager sends out vendor risk assessments to the primary contact assigned to that vendor. Vendor risk assessments can be sent automatically based on changes to a risk score or vendor tier.
    6. The vendor signs into the Vendor Portal to complete the risk assessment.
      • The Vendor Portal provides a list of assessments and the status of each. From the Vendor Portal, the primary contact can invite other collaborators to complete portions of the assessments. After other collaborators are identified, the primary contact submits the assessment.
    7. The vendor risk analyst reviews the results of the vendor risk assessments and closes each vendor assessment, creating issues for remediation as necessary.

    Remediating an issue means the underlying issue causing the control failure or risk exposure will be fixed. Accepting an issue means you create an exception for a known control failure or risk. Controls that are Accepted remain in a non-compliant state until the control is reassessed. In this way, the issue can be used to document observations during audits.

    Vendor Assessment Portal

    The vendor assessment portal is a web interface providing a primary point of interaction for vendors and risk assessors, with a centralized workflow for those involved in the assessment. All remediations that result from those assessments are also coordinated through the vendor assessment portal.
    Vendor Assessment Portal - Assessments
    Starting with GRC: Vendor Risk Management v10.0.2, a new version of the Vendor Assessment Portal (GRC: Vendor Portal v10.0.2) is automatically loaded as a dependency application. The new version becomes the default version of the portal and operates exactly the same as the previous version, except that it offers new features, such as electronic signatures on assessments. A system property (sn_vdr_risk_asmt.vendor_portal_endpoint) allows you to continue to use the legacy version if you want; however, you will not be able to use the new features.
    Note: For upgrade information, see GRC: Vendor Risk Management v10.0.02 upgrade details.

    To customize the vendor assessment portal, navigate to Service Portal > Portals, and click Vendor Portal. See Now Platform Service Portal for more information.

    Change the sn_vdr_risk_asmt.company.name property to display your company name in the portal.

    Role Purpose
    Vendors Use the Vendor Assessment Portal to:
    • View and respond to current assessments.
    • Delegate responses to other contacts.
    • View or update contact information.
    • Update notification preferences.
    • Change a password or request a new password.
    Vendor risk assessors Use the Vendor Risk Management application to:
    • Create a login for a new contact.
    • Enable or disable a contact login.
    • Reset a password for a contact.
    • Assign a user role to a contact.
    • Assign a contact to an assessment.
    • View and update customer contact information.
    • Access completed assessments.

    Create a vendor risk assessment and initiate the life cycle

    The vendor risk assessor creates an assessment, initiating the vendor risk assessment life cycle. Vendor risk assessments can be created on-demand or from a repeating assessment. When creating an on-demand vendor risk assessment, select the questionnaire template or document request template, and the vendor. Also, vendor risk managers can select multiple vendors at a time and automatically trigger vendor risk assessments.

    Before you begin

    Role required: vendor risk manager or vendor risk assessor

    Procedure

    1. Navigate to Vendor Risk > Assessments > All Assessments.
    2. Click New.
      Vendor Risk Assessment
    3. On the form, fill in the fields.
      Table 1. Vendor Risk Assessment form
      Field Description
      Name The name of the vendor risk assessment.
      Description A more detailed explanation of the issue.
      Number Read-only field automatically populated with a unique identification number.
      Applies to Select Vendor or Engagement.
      Engagement Select the engagement being assessed. This field is visible only if you selected Engagement from the Applies to field.
      Repeating assessment The assessment used to create the current assessment.
      Assessment template If you want to use one assessment template to create questionnaires or document requests for this assessment, select the one you want to use.

      If you want to use multiple templates to create multiple questionnaires or document requests for this assessment, leave this field blank.

      Owner The owner of this assessment.
      State
      • Draft
      • Submitted to vendor
      • Closed
      • Canceled
      Risk rating The overall risk rating for this vendor.
      • Critical
      • High
      • Moderate
      • Low
      • Minor
      Note: The Risk rating is determined by finding a risk rating scale range in which the risk score falls. It defines how a minimum and maximum range of assessment scores maps to a qualitative risk score.
      Risk rating valid to The date the risk rating expires. This date must be later than the Risk rating valid to date on any associated questionnaires or document requests.
      Trigger by vendor tier Initiate this assessment when the vendor tier changes.
      Watch list Add users to be notified when this record is modified.
      Risk Scoring
      Computed risk rating Shows an average of the vendor risk area risk ratings.
      Override risk rating Allows you to override the computed risk rating for the vendor. When checked, any future changes made to the assessment risk rating will affect only the computed risk rating, not the risk rating. If the check box is selected and then you deselect it, the computed risk rating is copied back to the assessment.
      Overridden risk rating If you selected Override risk rating, enter the new risk rating.
      Justification If you selected Override risk rating, you must enter a reason for the override.
      Assessment Schedule
      Planned duration (days) Estimated duration of the assessment.
      Planned start date Planned start date and time for work on the vendor risk assessment.
      Planned end date Planned completion date and time for work on the vendor risk assessment.
      Created by Shows the user who created this record.
      Created Shows the date/time the record was created.
      Actual duration The amount of time it took to complete the vendor risk assessment. This field is calculated using the Actual start date and Actual end date.
      Actual start date Date and time that work on the vendor risk assessment began.
      Actual end date Completion date and time for the vendor risk assessment.
      Updated Shows the date/time when the record was last updated.
      Questionnaire Schedule
      Planned duration (days) The amount of time given to the vendor for completing the vendor risk assessment. This field is calculated using the Planned start date and Planned end date.
      Review duration (days) The review duration given to customer to review all the questionnaires.
      Due date Deadline for vendor to answer all the questionnaires.
      Completion date The actual date when vendor completed all the questionnaires.
      Submitted to vendor The delivery date for vendor questionnaires.
      Resubmitted to vendor The date questionnaires are resent to the vendor.
      Responses expected by The date the vendor is expecting the responses.
      Notes and Comments
      Work notes Information about the vendor risk assessment. Work notes are visible to users assigned to the issue.
      Additional comments (Customer visible) Public information about the vendor risk assessment.
    4. Save the record. Additional related lists appear.
      Assessment related lists
    5. If you left the Assessment template field blank and want to use assessment templates to associate multiple questionnaires and/or document requests with this assessment, scroll down to the Questionnaires or Document Requests tabs.
    6. To associate existing questionnaires and/or document requests with the assessment, perform the following steps.
      1. Click the Questionnaires or Document Requests tab, depending on the type of questions you want to associate with the assessment.
      2. Click Edit.
      3. Select the questionnaires or document requests you want to use, then click Save.
      4. Repeat for the other type of questions, if needed. That is, if you associated questionnaire templates to the assessment and also want to associate document request templates, click that tab and repeat these steps.
    7. To create new questionnaire and/or document request templates and associate them with this assessment, see Manually define a questionnaire template or document request template.
    8. Click Submit to Vendor.
      The state of the assessment changes to Submitted to Vendor, the templates you selected automatically generate questionnaires and/or document requests, and the primary vendor contact receives an email notification, along with a link to the assessment in the Vendor Portal.
    9. When the vendor contact is ready to respond to the assessment, he or she clicks the email link to open the assessment in the Vendor Portal.
      Working with an assessment in the vendor portal
      Note: In the example shown, one of the questionnaires requires a signature. The vendor or reviewer must save and e-sign the questionnaire or document request before it can be returned to the vendor risk assessor. For more information, see Approve questionnaire assessments or document requests with e-signatures.
    10. The vendor assessor moves the state of the assessment to Generating Observations. During this time, the vendor assessor can click the View Response link in the document requests/questionnaires related list to view the response and provide comments or change responses, as necessary.
      For any problems that arise, the vendor assessor creates an issue to track the remediation process (Finalizing with vendor).
    11. The vendor assessor moves the assessment to Closed state.
      The vendor risk assessor works with the vendor through the vendor portal to close the assessment.
      Vendor risk assessment life cycle

    Approve questionnaire assessments or document requests with e-signatures

    When questionnaires or document requests are configured to require electronic signatures, vendors and/or reviewers must provide e-signatures during the approval process.

    Before you begin

    Role required: vendor risk manager or vendor risk assessor

    Procedure

    1. After a questionnaire or document request has been submitted to the vendor, the vendor risk manager or vendor risk assessor receives an email notification that includes a link to the record. Click the link to open the questionnaire or document request.
      Save and Sign
      Note: Notice that a signature is required for the Sample questionnaire. Open the questionnaire that requires a signature.
    2. Scroll down and complete the questionnaire or document request.
    3. When you have answered the questions, click Save and Sign. The Sign to Complete dialog box opens.
      Sign to complete
    4. Either type your name in the Type tab (as shown), or click the Draw tab and provide a free-form signature with your mouse.
    5. After you have provided your signature using either method, click Sign to Complete.
      Electronic signature
    6. If you want to make any modifications to the answers in the questionnaire or document request, click Make Changes. The signature is removed and you must sign again.
    7. When you have completed and signed the assessment, click Exit, and complete any additional questionnaires or document requests in the assessment.
      Note: If any of the questionnaires or document requests in the assessment require e-signatures and have not been signed, you cannot submit the assessment.
    8. When you have completed all questionnaires or document requests in the assessment, click Submit Assessment. The state of the assessment changes to Response Received, and all the risk scores are calculated automatically.
    Related tasks
    • Manually define a questionnaire template or document request template

    Review assessment responses and resubmit questions to the vendor

    Vendors use the vendor portal to complete assessments and collaborate with the vendor risk manager through the comments section.

    Before you begin

    Role required: sn_vdr_risk_asmt.vendor_assessor

    About this task

    When assessments reveal gaps, issues can be generated automatically or manually. If the vendor risk manager or assessor decides that an assessment response is unsatisfactory, they can return the assessment to the vendor by resubmitting a particular questionnaire or document request. Incorrect answers to questions can automatically generate issues or issues can be generated manually from the question. Vendor contacts can identify resubmitted questionnaires and document requests within an assessment by reviewing the external comments on the vendor portal.

    Procedure

    1. Navigate to Vendor Risk > Assessments > My Open Assessments.
    2. Open an assessment in the Responses Received state.
    3. In the Questionnaires or Document Requests tabs, click View Responses.
      view response link highlighted
    4. Add comments to the questions and make the following selections, as necessary:
      • Select Show Follow-ups.
      • Select Show incorrect and un-scored responses.
      • Select Hide comments.
      • Select Include this question when creating an issue.
      • Enter information in the Internal comment .
      • Select Comment for vendor and add information.
    5. After adding comments, perform one of the following:
      Option Description
      To generate issues associated with each question: Click Create Issue.
      Note: A message with the issue number displays: The issue VRI0003001 has been created successfully.
      To resubmit the assessment to the vendor: Click Return to Vendor.
      Note: If the assessment schedule might be impacted, you can extend the days by adjusting the number in the following message window:
      return questionnaire message asking for an extension of days to complete

    Open an assessment in the vendor assessment portal

    Starting in Version 10.1, the Vendor Assessment Portal restricts the assessment information that is available according to the type of contact accessing the portal. New capabilities are available to primary and secondary contacts.

    Before you begin

    Role required: vendor contact

    Procedure

    1. Log in to the vendor assessment portal through https://myCompany.service-now.com/svdp. The Assessment Summary dashboard opens.
      Vendor Assessment Summary
    2. Vendor and engagement contacts (both primary and secondary) can view assessment information in the following ways.
      • Since engagements are services or products associated with (or offered by) the vendor, engagement contacts cannot view the assessments in the Vendor section. They can view only assessments in the Engagements section.
      • Primary vendor contacts and primary engagement contacts can assign new primary contacts from the dashboard. For example, the primary engagement contact can assign another user as a primary engagement contact. If needed, both primary engagement contacts can then be assigned to complete the engagement assessment.
        Assigning a new primary contact
      • Primary vendor and engagement contacts can manage their teams, adding and removing contacts, and assigning primary and secondary contact designations.
        Manage the team
        Team management
      • The following diagram summarizes the capabilities of each of the contact roles.
        Capabilities of primary and secondary vendor and engagement contacts
      Note: If a Secondary Vendor Contact is also assigned the Secondary Engagement Contact role, that individual can take engagement assessments, but cannot take vendor assessments. In that situation, the Secondary Engagement Contact role takes precedence.

    Review assessment responses in the vendor assessment portal

    After submitting an assessment, the vendor contact can view all responses in read-only mode on the vendor assessment portal.

    Before you begin

    Role required: vendor contact

    Procedure

    1. Log into the vendor assessment portal through https://myCompany.service-now.com/svdp.
    2. Click through each questionnaire and view the responses.
      Note: All responses are read-only since the assessment has already been sent back to the customer.

    Create repeating vendor risk assessments

    Vendor risk assessors can create repeating vendor assessments to monitor the vendor risk continuously.

    Before you begin

    Role required: vendor risk assessor

    Procedure

    1. Navigate to Vendor Risk > Assessments > Repeating Assessments.
    2. Click New.
    3. On the form, fill in the fields.
      Table 2. Repeating Assessment form
      Field Description
      Number Read-only field automatically populated with a unique identification number.
      Description A more detailed description of the repeating assessment.
      Name The name of the repeating assessment.
      Assessment template The template used to create the current assessment.
      Applies to Select Vendor or Engagement.
      Vendor The vendor that is being assessed.
      Engagement Select the engagement being assessed. This field is visible only if you selected Engagement in the Applies to field.
      Active Indicates if the current repeating assessment is active.
      Next assessment creation (months) The next assessment is created the specified number of months after the previous assessment is closed.
      Next assessment end date (months) The end date for the new assessment, in months after the previous assessment is closed.
      Assessment results valid duration (days) The number of days that the assessment results are valid.
    4. Click Submit.
    5. The Assessment Occurrences related list displays the status of each assessment and its associated risk rating.
      Repeating Assessment form

    Manage third-party security scores

    Third-party security scores help you normalize the security risk posed by doing business with particular vendors. The companies that provide the vendor metrics are referred to as providers. Each provider can use its own score range and be given a different weighting. You can also use your company's own internally generated security metrics.

    Vendor Third-Party Security Score workflow

    Security scores reflect a company's security posture. Third-party security score providers use different scales (from 0 to 1000), with a higher score indicating better cybersecurity performance. A lower score correlates to a higher risk of a data breach. The score is calculated using various factors, such as application security, network security, patching cadence, vulnerabilities, hacker chatter, and exposed passwords.

    1. The security score provider table contains the security provider's information.
    2. The vendor risk manager monitors the scores generated by the provider for the vendors they are interested in.
    3. The vendor risk manager uses these scores when determining a vendor's tier.
    4. The vendor risk manager can initiate the vendor risk assessment or it is automatically sent using a configured business rule.

    Set up third-party vendor security scores

    You can add multiple providers and change the scoring scales for those providers. When a provider score changes, the change is also reflected in the calculated security score.

    Before you begin

    Role required: sn_vdr_risk_asmt.vendor_assessor

    Procedure

    1. Navigate to Security Score Setup > Providers.
    2. Select a provider record or click New.
    3. On the form, fill in the fields.
      Table 3. Security Score Providers form
      Field Description
      Provider Name of the third-party score provider.
      Order The weighting assigned to this provider when calculating the security score. The lower the number, the higher the weighting that is applied.
      Note: When there are multiple scores from different providers, the order determines how each is weighted.
      Range from The lowest end of the scoring range of the provider.
      Range to The highest end of the scoring range of the provider.
    4. Click Submit.
      Figure 1. Security Score Providers
      Security Score Providers example
    5. Navigate to Security Score Setup > Scores
    6. Select a security record or click New.
    7. On the form, fill in the fields.
      Table 4. Security Scores form
      Field Description
      Provider Name of the third-party score provider.
      Vendor The vendor being scored.
      Provider score The score provided by the third-party provider.
      Security score The normalized security score for this vendor based on the order and weightings of the third-party providers.
      URL Link to additional information about the origin of this score, from the security score provider.
      Score generated on The date and time that the score was updated.
    8. Click Submit.
      Figure 2. Security Scores
      Vendor Risk view of Security Scores

    Update a vendor's security score

    When changes are made to a vendor's security score (from a score update by an established third-party provider, or from including another third-party provider's score in the calculation), email notifications are sent to interested stakeholders.

    Before you begin

    Role required: sn_vdr_risk_asmt.vendor_assessor

    Procedure

    1. Navigate to Security Score Setup > Providers.
    2. Select a provider record or click New.
    3. On the form, fill in the fields.
      Table 5. Security Score Providers form
      Field Description
      Provider Name of the third-party score provider.
      Order The weighting assigned to this provider when calculating the security score. The lower the number, the higher the weighting that is applied.
      Note: When there are multiple scores from different providers, the order determines how each is weighted.
      Range from The lowest end of the scoring range of the provider.
      Range to The highest end of the scoring range of the provider.
    4. Click Submit.

    Create an automatic score-based risk assessment

    You can create rules to automate the vendor risk assessment functionality based on a change to the vendor's security score.

    Before you begin

    Role required: sn_vdr_risk_asmt.vendor_assessor

    Procedure

    1. Navigate to Assessment Submission Rules > Score Based Submission.
    2. Select a rule record or click New.
    3. On the form, fill in the fields.
      Table 6. Score Based Assessment Submission Rules form
      Field Description
      Name Name of the score based assessment submission rules.
      Basis
      The basis for the change. Choices are:
      • Percentage
      • Score
      Extent of change
      The extent of the change. Choices are:
      • Increases by
      • Decreases by
      Security score Automatically submit the risk assessment to the vendor after it has been generated.
      Score provider and vendor settings
      Score Provider The score provider for this rule.
      Apply to vendor The vendor to apply the rule to.
      Apply to vendor tier
      Select the tier scale which will automatically generate the risk assessment. Choices are:
      • None
      • Critical
      • High
      • Moderate
      • Low
      • Minor
      Assessment template and auto submit
      Assessment template The template that will be sent when the security score changes as specified in the rule.
      Auto submit to vendor Automatically submit the risk assessment to the vendor after it has been generated.
    4. Click Submit.
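    The following JavaScript is an added illustration, not ServiceNow code, of how the two mechanisms described above fit together: provider scores on different scales (Range from / Range to) are normalized to one 0 to 1000 scale and combined according to provider Order, the combined score is mapped to a qualitative rating through scale ranges, and a score-based submission rule (Basis, Extent of change, Apply to vendor tier) decides whether an assessment should be triggered. The weighting formula (weight = 1 / Order), the rule's threshold field name, treating the tier choice None as "no tier filter", and all sample providers, scores and scale ranges are assumptions constructed for the example.

```javascript
// Added example (not ServiceNow code). Assumed: weight = 1 / order, rule.threshold
// holds the amount of change, tier 'None' means the rule applies to every tier.
const COMMON_MAX = 1000;

// Scale a provider's raw score onto 0..COMMON_MAX using its Range from / Range to.
// Out-of-range inputs are clamped so a misconfigured feed cannot produce a score
// outside the common scale.
function normalizeScore(provider, providerScore) {
  const span = provider.rangeTo - provider.rangeFrom;
  if (span <= 0) throw new Error(`invalid range for provider ${provider.name}`);
  const clamped = Math.min(Math.max(providerScore, provider.rangeFrom), provider.rangeTo);
  return Math.round(((clamped - provider.rangeFrom) / span) * COMMON_MAX);
}

// Combine normalized scores from several providers into one security score.
// Lower Order means higher weight (assumed 1 / order). Returns null if no
// score belongs to a known provider.
function combinedSecurityScore(providers, scores) {
  let weighted = 0;
  let totalWeight = 0;
  for (const s of scores) {
    const p = providers.find((x) => x.name === s.provider);
    if (!p) continue; // score from an unconfigured provider is ignored
    const w = 1 / p.order;
    weighted += w * normalizeScore(p, s.providerScore);
    totalWeight += w;
  }
  return totalWeight === 0 ? null : Math.round(weighted / totalWeight);
}

// Constructed risk rating scale: each band maps a score range to a rating.
const RISK_SCALE = [
  { rating: 'Critical', min: 0, max: 199 },
  { rating: 'High', min: 200, max: 399 },
  { rating: 'Moderate', min: 400, max: 599 },
  { rating: 'Low', min: 600, max: 799 },
  { rating: 'Minor', min: 800, max: 1000 },
];

// Find the scale band in which the score falls.
function riskRating(score) {
  const band = RISK_SCALE.find((b) => score >= b.min && score <= b.max);
  return band ? band.rating : null;
}

// Evaluate a score-based submission rule against a score change.
// rule = { basis: 'Percentage'|'Score', extent: 'Increases by'|'Decreases by',
//          threshold: number, applyToVendorTier: 'None'|'Critical'|... }
function ruleTriggers(rule, previousScore, newScore, vendorTier) {
  if (rule.applyToVendorTier !== 'None' && rule.applyToVendorTier !== vendorTier) {
    return false; // rule is scoped to a different tier
  }
  const delta = newScore - previousScore;
  // Percentage basis is relative to the previous score; fall back to an
  // absolute comparison when there is no previous score to divide by.
  const magnitude =
    rule.basis === 'Percentage' && previousScore !== 0
      ? (Math.abs(delta) / previousScore) * 100
      : Math.abs(delta);
  if (rule.extent === 'Increases by') return delta > 0 && magnitude >= rule.threshold;
  if (rule.extent === 'Decreases by') return delta < 0 && magnitude >= rule.threshold;
  return false;
}

// Constructed sample data: two providers on different scales.
const SAMPLE_PROVIDERS = [
  { name: 'ProviderA', order: 1, rangeFrom: 250, rangeTo: 900 },
  { name: 'ProviderB', order: 2, rangeFrom: 0, rangeTo: 100 },
];
const SAMPLE_SCORES = [
  { provider: 'ProviderA', providerScore: 575 },
  { provider: 'ProviderB', providerScore: 80 },
];

// Walk one vendor through scoring and a rule check.
function demo() {
  const score = combinedSecurityScore(SAMPLE_PROVIDERS, SAMPLE_SCORES);
  const rule = { basis: 'Percentage', extent: 'Decreases by', threshold: 10, applyToVendorTier: 'None' };
  return { score, rating: riskRating(score), triggers: ruleTriggers(rule, score, 520, 'Low') };
}

module.exports = { normalizeScore, combinedSecurityScore, riskRating, ruleTriggers, demo };
```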

    Tags:

    Feedback
    On this page

    Previous topic

    Next topic

    • Contact Us
    • Careers
    • Terms of Use
    • Privacy Statement
    • Sitemap
    • © ServiceNow. All rights reserved.

    Release version
    Choose your release version

      Manage vendor risk assessments

      • Save as PDF Selected topic Topic & subtopics All topics in contents
      • Unsubscribe Log in to subscribe to topics and get notified when content changes.
      • Share this page

      Manage vendor risk assessments

      The vendor primary contact uses the Vendor Portal to view all assessments. Before the vendor risk manager closes the assessment, issues and tasks are created on-demand, usually during the Generating Observations state. The vendor risk analyst assigns vendors as needed and communicates using comment streams to achieve closure on non-compliance.

      Vendor Risk Assessment workflow

      1. The vendor risk manager creates internal and external assessment templates, questionnaire templates, document request templates, and creates the notifications associated with the workflow.
      2. The vendor risk manager prepares and sends the vendor risk tiering assessment to internal stakeholders.
      3. Internal stakeholders complete and submit the assessment.
      4. After receiving the completed vendor tiering assessments, the vendor risk assessor updates and closes the vendor risk tiering assessment.
      5. Next, the vendor risk manager sends out vendor risk assessments to the primary contact assigned to that vendor. Vendor risk assessments can be sent automatically based on changes to a risk score or vendor tier.
      6. The vendor signs into the Vendor Portal to complete the risk assessment.
        • The Vendor Portal provides a list of assessments and the status of each. From the Vendor Portal, the primary contact can invite other collaborators to complete portions of the assessments. After other collaborators are identified, the primary contact submits the assessment.
      7. The Vendor Risk analyst reviews the results of the vendor risk assessments and closes each vendor assessment, creating issues for remediation, as necessary.

      Remediating an issue means the underlying issue causing the control failure or risk exposure will be fixed. Accepting an issue means you create an exception for a known control failure or risk. Controls that are Accepted remain in a non-compliant state until the control is reassessed. In this way, the issue can be used to document observations during audits.

      Vendor Assessment Portal

      The vendor assessment portal is a web interface providing a primary point of interaction for vendors and risk assessors, with a centralized workflow for those involved in the assessment. All remediations that result from those assessments are also coordinated through the vendor assessment portal.
      Vendor Assessment Portal - Assessments
      Starting with GRC: Vendor Risk Management v10.0.2, a new version of the Vendor Assessment Portal (GRC: Vendor Portal v10.0.2) is automatically loaded as a dependency application. The new version becomes the default version of the portal and operates exactly the same as the previous version, except it offers new features, such as electronic signatures on assessments. A system property (sn_vdr_risk_amt.vendor_portal_endpoint) allows you to continue to use the legacy version if you want; however, you will not be able to use the new features.
      Note: For upgrade information, see GRC: Vendor Risk Management v10.0.02 upgrade details.

      To customize the vendor assessment portal, navigate to Service Portal > Portals, and click Vendor Portal. See Now Platform Service Portal for more information.

      Change the sn_vdr_risk_asmt.company.name property to display your company name in the portal.

      Role Purpose
      Vendors Use the Vendor Assessment Portal to:
      • View and respond to current assessments.
      • Delegate responses to other contacts.
      • View or update contact information.
      • Update notification preferences.
      • Change a password or request a new password.
      Vendor risk assessors Use the Vendor Risk Management application to:
      • Create a login for a new contact.
      • Enable or disable a contact login.
      • Reset a password for a contact.
      • Assign a user role to a contact.
      • Assign a contact to an assessment.
      • View and update customer contact information.
      • Access completed assessments.

      Create a vendor risk assessment and initiate the life cycle

      The vendor risk assessor creates an assessment, initiating the vendor risk assessment life cycle. Vendor risk assessments can be created on-demand or from a repeating assessment. When creating an on-demand vendor risk assessment, select the questionnaire template or document request template, and the vendor. Also, vendor risk managers can select multiple vendors at a time and automatically trigger vendor risk assessments.

      Before you begin

      Role required: vendor risk manager or vendor risk assessor

      Procedure

      1. Navigate to Vendor Risk > Assessments > All Assessments.
      2. Click New.
        Vendor Risk Assessment
      3. On the form, fill in the fields.
        Table 1. Vendor Risk Assessment form
        Name: The name of the vendor risk assessment.
        Description: A more detailed explanation of the issue.
        Number: Read-only field automatically populated with a unique identification number.
        Applies to: Select Vendor or Engagement.
        Engagement: Select the engagement being assessed. This field is visible only if you selected Engagement from the Applies to field.
        Repeating assessment: The assessment used to create the current assessment.
        Assessment template: If you want to use one assessment template to create questionnaires or document requests for this assessment, select the one you want to use. If you want to use multiple templates to create multiple questionnaires or document requests for this assessment, leave this field blank.
        Owner: The owner of this assessment.
        State: One of the following.
        • Draft
        • Submitted to vendor
        • Closed
        • Canceled
        Risk rating: The overall risk rating for this vendor. One of the following.
        • Critical
        • High
        • Moderate
        • Low
        • Minor
        Note: The Risk rating is determined by finding the risk rating scale range in which the risk score falls. The scale defines how a minimum and maximum range of assessment scores maps to a qualitative risk score.
        Risk rating valid to: The date the risk rating expires. This date must be later than the Risk rating valid to date on any associated questionnaires or document requests.
        Trigger by vendor tier: Initiate this assessment when the vendor tier changes.
        Watch list: Add users to be notified when this record is modified.
        Risk Scoring
        Computed risk rating: Shows an average of the vendor risk area risk ratings.
        Override risk rating: Allows you to override the computed risk rating for the vendor. When checked, any future changes made to the assessment risk rating affect only the computed risk rating, not the risk rating. If the check box is selected and you then deselect it, the computed risk rating is copied back to the assessment.
        Overridden risk rating: If you selected Override risk rating, enter the new risk rating.
        Justification: If you selected Override risk rating, you must enter a reason for the override.
        Assessment Schedule
        Planned duration (days): Estimated duration of the assessment.
        Planned start date: Planned start date and time for work on the vendor risk assessment.
        Planned end date: Planned completion date and time for work on the vendor risk assessment.
        Created by: Shows the user who created this record.
        Created: Shows the date/time the record was created.
        Actual duration: The amount of time it took to complete the vendor risk assessment. This field is calculated using the Actual start date and Actual end date.
        Actual start date: Date and time that work on the vendor risk assessment began.
        Actual end date: Completion date and time for the vendor risk assessment.
        Updated: Shows the date/time when the record was last updated.
        Questionnaire Schedule
        Planned duration (days): The amount of time given to the vendor for completing the vendor risk assessment. This field is calculated using the Planned start date and Planned end date.
        Review duration (days): The review duration given to the customer to review all the questionnaires.
        Due date: Deadline for the vendor to answer all the questionnaires.
        Completion date: The actual date when the vendor completed all the questionnaires.
        Submitted to vendor: The delivery date for vendor questionnaires.
        Resubmitted to vendor: The date questionnaires are resent to the vendor.
        Responses expected by: The date the vendor is expecting the responses.
        Notes and Comments
        Work notes: Information about the vendor risk assessment. Work notes are visible to users assigned to the issue.
        Additional comments (Customer visible): Public information about the vendor risk assessment.
      4. Save the record. Additional related lists appear.
        Figure: Assessment related lists
      5. If you left the Assessment template field blank and want to use assessment templates to associate multiple questionnaires and/or document requests with this assessment, scroll down to the Questionnaires or Document Requests tabs.
      6. To associate existing questionnaires and/or document requests with the assessment, perform the following steps.
        1. Click the Questionnaires or Document Requests tab, depending on the type of questions you want to associate with the assessment.
        2. Click Edit.
        3. Select the questionnaires or document requests you want to use, then click Save.
        4. Repeat for the other type of questions, if needed. That is, if you associated questionnaire templates to the assessment and also want to associate document request templates, click that tab and repeat these steps.
      7. To create new questionnaire and/or document request templates and associate them with this assessment, see Manually define a questionnaire template or document request template.
      8. Click Submit to Vendor.
        The state of the assessment changes to Submitted to Vendor, the templates you selected automatically generate questionnaires and/or document requests, and the primary vendor contact receives an email notification, along with a link to the assessment in the Vendor Portal.
      9. When the vendor contact is ready to respond to the assessment, he or she clicks the email link to open the assessment in the Vendor Portal.
        Figure: Working with an assessment in the vendor portal
        Note: In the example shown, one of the questionnaires requires a signature. The vendor or reviewer must save and e-sign the questionnaire or document request before it can be returned to the vendor risk assessor. For more information, see Approve questionnaire assessments or document requests with e-signatures.
      10. The vendor assessor moves the state of the assessment to Generating Observations. During this time, the vendor assessor can click the View Response link in the document requests/questionnaires related list to view the response and provide comments or change responses, as necessary.
        For any problems that arise, the vendor assessor creates an issue to track the remediation process (Finalizing with vendor).
      11. The vendor assessor moves the assessment to Closed state.
        The vendor risk assessor works with the vendor through the vendor portal to close the assessment.
        Figure: Vendor risk assessment life cycle
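      The Risk rating, Computed risk rating and Override risk rating fields above describe three pieces of logic in words: a score is mapped to a qualitative rating by finding the scale range it falls in, the assessment-level rating is an average of the risk area ratings, and an override replaces the computed value while requiring a justification. The following is an added illustration of that logic written for this page; it is not ServiceNow's own code, and the scale boundaries, the ordinal values used to average ratings, and the record shape are assumed sample values rather than the application's defaults.

```javascript
// Added example (not ServiceNow's own code). Maps a numeric risk score onto a
// qualitative rating via a scale of min/max ranges, derives the assessment's
// computed rating from per-risk-area ratings, and applies the Override risk
// rating semantics. Scale boundaries and ordinal values are assumed samples.

// Assumed sample scale: each range maps an inclusive score band to a rating.
const RISK_RATING_SCALE = [
  { min: 0,  max: 20,  rating: 'Minor' },
  { min: 21, max: 40,  rating: 'Low' },
  { min: 41, max: 60,  rating: 'Moderate' },
  { min: 61, max: 80,  rating: 'High' },
  { min: 81, max: 100, rating: 'Critical' },
];

// Ordinal values so that qualitative ratings can be averaged (assumed).
const RATING_ORDINAL = { Minor: 1, Low: 2, Moderate: 3, High: 4, Critical: 5 };
const ORDINAL_RATING = Object.fromEntries(
  Object.entries(RATING_ORDINAL).map(([name, ord]) => [ord, name]));

// Find the scale range the score falls into. Returns null for a non-numeric
// score or a score that falls in a gap / outside the scale, so the caller can
// flag a misconfigured scale instead of silently getting a rating.
function ratingForScore(score, scale = RISK_RATING_SCALE) {
  if (typeof score !== 'number' || Number.isNaN(score)) return null;
  const range = scale.find(r => score >= r.min && score <= r.max);
  return range ? range.rating : null;
}

// Average the vendor risk area ratings (as ordinals) and round to the nearest
// rating. Empty input yields null rather than a misleading default.
function computedRiskRating(areaRatings) {
  if (!areaRatings || areaRatings.length === 0) return null;
  const sum = areaRatings.reduce((acc, r) => {
    if (!(r in RATING_ORDINAL)) throw new Error('Unknown rating: ' + r);
    return acc + RATING_ORDINAL[r];
  }, 0);
  return ORDINAL_RATING[Math.round(sum / areaRatings.length)];
}

// Override semantics from the form: when Override risk rating is checked the
// overridden value is reported and a justification is mandatory; when it is
// unchecked the computed rating is what the assessment carries.
function effectiveRiskRating(assessment) {
  const computed = computedRiskRating(assessment.areaRatings);
  if (assessment.overrideRiskRating) {
    if (!assessment.justification) {
      throw new Error('Justification is required when Override risk rating is selected');
    }
    if (!(assessment.overriddenRiskRating in RATING_ORDINAL)) {
      throw new Error('Overridden risk rating must be a valid rating');
    }
    return { computed, riskRating: assessment.overriddenRiskRating };
  }
  return { computed, riskRating: computed };
}

// Constructed sample: three risk areas rated High, Moderate and Critical.
const SAMPLE_ASSESSMENT = {
  areaRatings: ['High', 'Moderate', 'Critical'],
  overrideRiskRating: false,
};
```

      Because `ratingForScore` returns null for a gap in the scale (for example a score of 20.5 with the integer boundaries above), a check on that return value is a cheap way to catch a scale that was edited so that its ranges no longer cover every possible score.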

      Approve questionnaire assessments or document requests with e-signatures

      When questionnaires or document requests are configured to require electronic signatures, vendors and/or reviewers must provide e-signatures during the approval process.

      Before you begin

      Role required: vendor risk manager or vendor risk assessor

      Procedure

      1. After a questionnaire or document request has been submitted to the vendor, the vendor risk manager or vendor risk assessor receives an email notification that includes a link to the record. Click the link to open the questionnaire or document request.
        Figure: Save and Sign
        Note: Notice that a signature is required for the Sample questionnaire. Open the questionnaire that requires a signature.
      2. Scroll down and complete the questionnaire or document request.
      3. When you have answered the questions, click Save and Sign. The Sign to Complete dialog box opens.
        Figure: Sign to Complete dialog box
      4. Either type your name in the Type tab (as shown), or click the Draw tab and provide a free-form signature with your mouse.
      5. After you have provided your signature using either method, click Sign to Complete.
        Figure: Electronic signature
      6. If you want to make any modifications to the answers in the questionnaire or document request, click Make Changes. The signature is removed and you must sign again.
      7. When you have completed and signed the assessment, click Exit, and complete any additional questionnaires or document requests in the assessment.
        Note: If any of the questionnaires or document requests in the assessment require e-signatures and have not been signed, you cannot submit the assessment.
      8. When you have completed all questionnaires or document requests in the assessment, click Submit Assessment. The state of the assessment changes to Response Received, and all the risk scores are calculated automatically.
      Related tasks
      • Manually define a questionnaire template or document request template

      Review assessment responses and resubmit questions to the vendor

      Vendors use the vendor portal to complete assessments and collaborate with the vendor risk manager through the comments section.

      Before you begin

      Role required: sn_vdr_risk_asmt.vendor_assessor

      About this task

      When assessments reveal gaps, issues can be generated automatically or manually. If the vendor risk manager or assessor decides that an assessment response is unsatisfactory, they can return the assessment to the vendor by resubmitting a particular questionnaire or document request. Incorrect answers to questions can automatically generate issues or issues can be generated manually from the question. Vendor contacts can identify resubmitted questionnaires and document requests within an assessment by reviewing the external comments on the vendor portal.

      Procedure

      1. Navigate to Vendor Risk > Assessments > My Open Assessments.
      2. Open an assessment in the Responses Received state.
      3. In the Questionnaires or Document Requests tabs, click View Responses.
        Figure: View Responses link highlighted
      4. Add comments to the questions and make the following selections, as necessary:
        • Select Show Follow-ups.
        • Select Show incorrect and un-scored responses.
        • Select Hide comments.
        • Select Include this question when creating an issue.
        • Enter information in the Internal comment field.
        • Select Comment for vendor and add information.
      5. After adding comments, perform one of the following:
        To generate issues associated with each question: Click Create Issue.
        Note: A message with the issue number displays: The issue VRI0003001 has been created successfully.
        To resubmit the assessment to the vendor: Click Return to Vendor.
        Note: If the assessment schedule might be impacted, you can extend the days by adjusting the number in the message window that opens.
        Figure: Return questionnaire message asking for an extension of days to complete

      Open an assessment in the vendor assessment portal

      Starting in Version 10.1, the Vendor Assessment Portal restricts assessment information available depending on the type of contact accessing the portal. New capabilities are available to primary and secondary contacts.

      Before you begin

      Role required: vendor contact

      Procedure

      1. Log in to the vendor assessment portal through https://myCompany.service-now.com/svdp. The Assessment Summary dashboard opens.
        Figure: Vendor Assessment Summary
      2. Vendor and engagement contacts (both primary and secondary) can view assessment information in the following ways.
        • Since engagements are services or products associated with (or offered by) the vendor, engagement contacts cannot view the assessments in the Vendor section. They can view only assessments in the Engagements section.
        • Primary vendor contacts and primary engagement contacts can assign new primary contacts from the dashboard. For example, the primary engagement contact can assign another user as a primary engagement contact. If needed, both primary engagement contacts can then be assigned to complete the engagement assessment.
          Figure: Assigning a new primary contact
        • Primary vendor and engagement contacts can manage their teams, adding and removing contacts, and assigning primary and secondary contact designations.
          Figure: Manage the team (team management)
        • The following diagram summarizes the capabilities of each of the contact roles.
          Figure: Capabilities of primary and secondary vendor and engagement contacts
        Note: If a Secondary Vendor Contact is also assigned the Secondary Engagement Contact role, that individual can take engagement assessments, but cannot take vendor assessments. In that situation, the Secondary Engagement Contact role takes precedence.

      Review assessment responses in the vendor assessment portal

      After submitting an assessment, the vendor contact can view all responses in read-only mode on the vendor assessment portal.

      Before you begin

      Role required: vendor contact

      Procedure

      1. Log in to the vendor assessment portal through https://myCompany.service-now.com/svdp.
      2. Click through each questionnaire and view the responses.
        Note: All responses are read-only since the assessment has already been sent back to the customer.

      Create repeating vendor risk assessments

      Vendor risk assessors can create repeating vendor assessments to monitor the vendor risk continuously.

      Before you begin

      Role required: vendor risk assessor

      Procedure

      1. Navigate to Vendor Risk > Assessments > Repeating Assessments.
      2. Click New.
      3. On the form, fill in the fields.
        Table 2. Repeating Assessment form
        Number: Read-only field automatically populated with a unique identification number.
        Description: A more detailed description of the repeating assessment.
        Name: The name of the repeating assessment.
        Assessment template: The template used to create the current assessment.
        Applies to: Select Vendor or Engagement.
        Vendor: The vendor that is being assessed.
        Engagement: Select the engagement being assessed. This field is visible only if you selected Engagement in the Applies to field.
        Active: Indicates whether the current repeating assessment is active.
        Next assessment creation (months): The next assessment is created the specified number of months after the previous assessment is closed.
        Next assessment end date (months): The end date for the new assessment, in months after the previous assessment is closed.
        Assessment results valid duration (days): The number of days that the assessment results are valid.
      4. Click Submit.
      5. The Assessment Occurrences related list displays the status of all assessments and their associated risk ratings.
        Figure: Repeating Assessment form

      Manage third-party security scores

      Third-party security scores help you normalize the security risk posed by doing business with particular vendors. The companies that provide the vendor metrics are referred to as providers. Each provider can have its own score range and its own weight of consideration. You can also use your company's own internally generated security metrics.

      Vendor Third-Party Security Score workflow

      Security scores reflect a company's security posture. Third-party security score providers use different scales (between 0 and 1000), with a higher score indicating better cybersecurity performance. A lower score correlates with a higher risk of a data breach. The score is calculated from various factors, such as application security, network security, patching cadence, vulnerabilities, hacker chatter, and exposed passwords.

      1. The security score provider table contains the security provider's information.
      2. The vendor risk manager monitors the scores generated by the provider for the vendors they are interested in.
      3. The vendor risk manager uses these scores when determining a vendor's tier.
      4. The vendor risk manager can initiate the vendor risk assessment or it is automatically sent using a configured business rule.

      Set up third-party vendor security scores

      You can add multiple providers and change the scoring scales for those providers. When changes are made to the provider score, those changes are also calculated into the security score.

      Before you begin

      Role required: sn_vdr_risk_asmt.vendor_assessor

      Procedure

      1. Navigate to Security Score Setup > Providers.
      2. Select a provider record or click New.
      3. On the form, fill in the fields.
        Table 3. Security Score Providers form
        Provider: Name of the third-party score provider.
        Order: The weighting assigned to this vendor when calculating the security score. The lower the number, the higher the weighting applied.
        Note: When there are multiple scores for the provider, the order is applied accordingly.
        Range from: The lowest end of the scoring range of the provider.
        Range to: The highest end of the scoring range of the provider.
      4. Click Submit.
        Figure 1. Security Score Providers (example)
      5. Navigate to Security Score Setup > Scores.
      6. Select a security record or click New.
      7. On the form, fill in the fields.
        Table 4. Security Scores form
        Provider: Name of the third-party score provider.
        Vendor: The vendor being scored.
        Provider score: The score provided by the third-party provider.
        Security score: The normalized security score for this vendor based on the order and weightings of the third-party providers.
        URL: Link to additional information about the origin of this score, from the security score provider.
        Score generated on: The date and time that the score was updated.
      8. Click Submit.
        Figure 2. Security Scores (Vendor Risk view)
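      The workflow description and Tables 3 and 4 say that providers score on different scales (Range from / Range to), that a lower Order means a higher weighting, and that the Security score field is the normalized result. The page does not state the formula, so the following is an added illustration written for this page, not ServiceNow's own code: it assumes a common 0 to 1000 scale, a linear rescale of each provider score onto that scale, and a weight of 1/Order, all of which are assumptions; the provider names and ranges are constructed sample values.

```javascript
// Added example (not ServiceNow's own code). Normalizes third-party security
// scores that arrive on different scales onto a common 0-1000 scale and
// combines them by provider Order (lower Order = higher weight). The common
// scale, the linear rescale and the weight = 1/Order rule are assumptions.

const COMMON_MAX = 1000; // assumed common scale; higher = better posture

// Constructed sample providers. rangeFrom/rangeTo mirror the Range from /
// Range to fields of the Providers form; order mirrors the Order field.
const PROVIDERS = {
  ProviderA: { order: 1, rangeFrom: 250, rangeTo: 900 },
  ProviderB: { order: 2, rangeFrom: 0,   rangeTo: 100 },
  Internal:  { order: 3, rangeFrom: 1,   rangeTo: 5 },   // in-house metric
};

// Linear rescale of one provider score onto the common scale. A score outside
// the provider's declared range is rejected rather than silently clamped, since
// it usually means the provider changed its scale and the range needs updating.
function normalizeScore(providerName, providerScore, providers = PROVIDERS) {
  const p = providers[providerName];
  if (!p) throw new Error('Unknown provider: ' + providerName);
  if (p.rangeTo <= p.rangeFrom) throw new Error('Invalid range for ' + providerName);
  if (typeof providerScore !== 'number' || providerScore < p.rangeFrom || providerScore > p.rangeTo) {
    throw new Error(`Score ${providerScore} is outside the ${providerName} range`);
  }
  return ((providerScore - p.rangeFrom) / (p.rangeTo - p.rangeFrom)) * COMMON_MAX;
}

// Weighted average of the normalized scores for one vendor. Each entry is
// { provider, providerScore } as on the Security Scores form. Weight = 1/Order
// (assumed). Returns null when no scores were supplied.
function securityScore(scores, providers = PROVIDERS) {
  let weighted = 0;
  let totalWeight = 0;
  for (const s of scores) {
    const normalized = normalizeScore(s.provider, s.providerScore, providers);
    const weight = 1 / providers[s.provider].order;
    weighted += weight * normalized;
    totalWeight += weight;
  }
  return totalWeight === 0 ? null : Math.round(weighted / totalWeight);
}

// Constructed sample scores for a single vendor.
const SAMPLE_SCORES = [
  { provider: 'ProviderA', providerScore: 575 }, // midpoint of 250-900 -> 500
  { provider: 'ProviderB', providerScore: 80 },  // -> 800
  { provider: 'Internal',  providerScore: 5 },   // -> 1000
];
```

      With the sample values, ProviderA at its midpoint normalizes to 500, ProviderB's 80 to 800 and the internal 5-of-5 to 1000; weighting them 1, 1/2 and 1/3 gives a security score of 673, which shows how the Order field lets the highest-priority provider dominate the result even when a lower-priority source reports a perfect score.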

      Update a vendor's security score

      When changes are made to a vendor's security score (from an established third-party score update or the inclusion of another third-party provider score in the calculation), email notifications are sent to interested stakeholders.

      Before you begin

      Role required: sn_vdr_risk_asmt.vendor_assessor

      Procedure

      1. Navigate to Security Score Setup > Providers.
      2. Select a provider record or click New.
      3. On the form, fill in the fields.
        Table 5. Security Score Providers form
        Provider: Name of the third-party score provider.
        Order: The weighting assigned to this vendor when calculating the security score. The lower the number, the higher the weighting applied.
        Note: When there are multiple scores for the provider being applied, the order is applied accordingly.
        Range from: The lowest end of the scoring range of the provider.
        Range to: The highest end of the scoring range of the provider.
      4. Click Submit.

      Create an automatic score-based risk assessment

      You can create rules to automate the vendor risk assessment functionality based on a change to the vendor's security score.

      Before you begin

      Role required: sn_vdr_risk_asmt.vendor_assessor

      Procedure

      1. Navigate to Assessment Submission Rules > Score Based Submission.
      2. Select a rule record or click New.
      3. On the form, fill in the fields.
        Table 6. Score Based Assessment Submission Rules form
        Name: Name of the score based assessment submission rule.
        Basis: The basis for the change. Choices are:
        • Percentage
        • Score
        Extent of change: The extent of the change. Choices are:
        • Increases by
        • Decreases by
        Security score: Automatically submit the risk assessment to the vendor after it has been generated.
        Score provider and vendor settings
        Score Provider: The score provider for this rule.
        Apply to vendor: The vendor to apply the rule to.
        Apply to vendor tier: Select the vendor tier for which the risk assessment is automatically generated. Choices are:
        • None
        • Critical
        • High
        • Moderate
        • Low
        • Minor
        Assessment template and auto submit
        Assessment template: The template that is sent when the security score changes as specified in the rule.
        Auto submit to vendor: Automatically submit the risk assessment to the vendor after it has been generated.
      4. Click Submit.
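      The Score Based Submission Rules form combines a Basis (Percentage or Score), an Extent of change (Increases by or Decreases by), a Score Provider, a vendor or vendor tier filter, an Assessment template and an Auto submit flag. The following is an added illustration of how such a rule is evaluated against a score change; it is not ServiceNow's own code or business rule. It treats the form's Security score field as the amount of change that triggers the rule, and the rule and event shapes, rule names, provider name and vendors are constructed for this example.

```javascript
// Added example (not ServiceNow's own code). Evaluates Score Based Assessment
// Submission Rules against a vendor's previous and current security score.
// Field names mirror the form; treating "Security score" as the change
// threshold and the rule/event shapes are assumptions for this illustration.

// Does the observed change satisfy the rule's Basis, Extent of change and threshold?
function changeMatches(rule, previous, current) {
  const delta = current - previous;
  if (rule.extentOfChange === 'Increases by' && delta <= 0) return false;
  if (rule.extentOfChange === 'Decreases by' && delta >= 0) return false;
  const magnitude = Math.abs(delta);
  if (rule.basis === 'Score') return magnitude >= rule.securityScore;
  if (rule.basis === 'Percentage') {
    if (previous === 0) return false; // no meaningful percentage change from zero
    return (magnitude / previous) * 100 >= rule.securityScore;
  }
  throw new Error('Unknown basis: ' + rule.basis);
}

// Does the rule apply to this vendor? An explicit Apply to vendor wins; a tier
// of None means the tier filter is not used.
function ruleAppliesToVendor(rule, vendor) {
  if (rule.applyToVendor && rule.applyToVendor !== vendor.name) return false;
  if (rule.applyToVendorTier && rule.applyToVendorTier !== 'None' &&
      rule.applyToVendorTier !== vendor.tier) return false;
  return true;
}

// Evaluate one score update event against all rules. Returns the assessments
// that would be generated, each in Submitted to vendor or Draft state depending
// on the rule's Auto submit to vendor flag.
function evaluateScoreUpdate(rules, event) {
  const generated = [];
  for (const rule of rules) {
    if (rule.scoreProvider !== event.provider) continue;
    if (!ruleAppliesToVendor(rule, event.vendor)) continue;
    if (!changeMatches(rule, event.previousScore, event.currentScore)) continue;
    generated.push({
      rule: rule.name,
      vendor: event.vendor.name,
      assessmentTemplate: rule.assessmentTemplate,
      state: rule.autoSubmitToVendor ? 'Submitted to vendor' : 'Draft',
    });
  }
  return generated;
}

// Constructed sample rules and a constructed score update event.
const SAMPLE_RULES = [
  { name: 'Critical vendors: 10% drop', basis: 'Percentage', extentOfChange: 'Decreases by',
    securityScore: 10, scoreProvider: 'ProviderA', applyToVendor: null,
    applyToVendorTier: 'Critical', assessmentTemplate: 'Security Questionnaire',
    autoSubmitToVendor: true },
  { name: 'Any vendor: 50-point drop', basis: 'Score', extentOfChange: 'Decreases by',
    securityScore: 50, scoreProvider: 'ProviderA', applyToVendor: null,
    applyToVendorTier: 'None', assessmentTemplate: 'Short Check-in',
    autoSubmitToVendor: false },
];
const SAMPLE_EVENT = {
  provider: 'ProviderA', previousScore: 700, currentScore: 610,
  vendor: { name: 'Acme Hosting (constructed)', tier: 'Critical' },
};
```

      For the constructed drop from 700 to 610 (about 12.9 percent, 90 points) both rules fire for a Critical-tier vendor, producing one auto-submitted assessment and one Draft; the same drop for a Low-tier vendor matches only the tier-agnostic rule, and an increase of the same size matches neither, which is the behaviour a rule author should verify before turning Auto submit to vendor on.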
