Frequently asked questions

What are the different Assessment Phases?

Not Assessed: This phase indicates that the relationship has been created on the platform, however an Assessment has not been initiated
Started: The Assessment request has been initiated
Collecting Information: The Assessment has been opened by the Vendor and they are in the process of supplying documentation that shows evidence of control coverage
Review Started: The Vendor has responded to the Assessment and is within VISO Trust to review and validate the responses provided by the Vendor
Completed: The Assessment request has been reviewed by VISO Trust with a Risk Score and Risk Summary generated

What are the different Relationship statuses?

Not Onboarded: A Relationship is initially set to Not Onboarded when it is created natively through the Web Application. It will persist in this status until the designated Business Owner determines that your organization will continue to move forward with this vendor.
Onboarded: Once the Business Owner decides that they want to work with the Vendor, the Business Owner (if they are an authorized User within the application, otherwise the designated Org Admin) must use the action on the Relationship Detail page or to Onboard the Vendor. Once Onboarded, this Relationship will now be able to leverage Lifecycle Management that will allow you to set the period in which this Relationship must be recertified. Along with the ability to leverage Lifecycle Management, the Risk associated with this Relationship will now be considered in your Risk Insights Dashboard, showing an aggregate of the Risk associated with all Onboarded Vendors.
Deleted: If it is determined that you are no longer working with this Vendor, you can update the Relationship Status to Deleted within the Relationship Details page.
- The Relationship must first be moved to Not Onboarded before Deleting
- Any Assessments in Progress will be Cancelled

How do I add new vendors?

There are two ways to add new vendors, creating new relationship, in the VISO platform:

New Relationship
Import Relationships

What is the difference between Potential Risk and Residual Risk?

Potential Risk - Refers to the risk level that exists without the presence of controls or mitigations in place.
Residual Risk - Refers to the remaining risk level after an assessment has been completed for the controls put in place using the information/documents provided by Third Party vendor.

How is Potential and Residual Risk Calculated?

Potential and Residual risks can range from No Access, Low, Medium, High, and Extreme risk based on the Risk Model.
The Risk Model considers the following data points:
- Based on each unique business relationship, attack surface is used to determine potential likelihood
- Based on the data privacy regulations and cost of breach statistics, the sensitivity of data in scope for the relationship is used to determine potential impact
- Based on NIST, ISO, AICPA and FFIEC standards and data breach statistics, likelihood-mitigating controls are analyzed in third party artifacts to determine their presence and relative assurance value.
- Mitigating controls are applied to determine Residual Risk (0-100%)

How do I add a Vendor in the VISO Trust Platform?

Click on the 'New Relationship' button at the top header
Enter the following Vendor attributes in the New Relationship form and hit submit:
- Vendor Details
- Contact Information
- Business Case
- Data Types
You will see the relationship created in the Relationship List page in Not Onboarded status

I want to modify some of the details of the Relationship, how do I do that?

Within the Relationship List page, select the Relationship in which you would like to modify which will bring you to the Relationship Detail page
In the Relationship Detail page, each of the Relationship attributes have an Edit link which when clicked, will open a modal window to set the desired values

Once I have created the Relationship, what's the next step?

Once a Relationship is created, you want to initiate an Assessment to validate the control coverage and determine this Relationship's Residual Risk. To initiate an Assessment, proceed with the following steps:

Within the Relationship List page, select the Vendor in which you would like to initiate an Assessment for which will bring you to the Relationship Detail page
From the Relationship Detail page, click on the "Start Assessment" button in the top right corner
Enter in the Contact information for the Vendor and click "Send Assessment Request"

The Vendor we are working with has publicly available Security documents which can be used or I have already uploaded their documentation, do I still need to put in the Third Party Contact information to start an Assessment?

If the Vendor has either a Trust Portal containing their Security documentation or you have already uploaded them, you can initiate a Documents Only Assessment.
This will allow VISO Trust to perform an Assessment to determine Residual Risk without the need to engage the Vendor directly
To start a Documents Only Assessment, follow the same steps as above to start an Assessment, however this time you will click the toggle button next to "Assess using documents we've uploaded only"
- Within this modal, there is an input form for you to supply either the public link for VISO Trust to pull the documentation or we will use the documents that have been previously uploaded within the Artifacts tab.

I was notified that the Assessment for the Vendor is completed, what do I do next?

Once the Assessment is completed, you will notice that the application provides following information for you to take the next step.
- Residual Risk Score - You can view this on the Relationship Detail page as well as Relationship List page
- Assessment Summary - This is the summary of the controls that were validated with any exceptions noted as well as the context in which you are doing business with this Vendor
Based on the results, it is up to the Business Owner or designated Organization Admin to determine whether or not you would like to proceed with working with this Vendor. If it is determined you are going to move forward with this Vendor, the next step would be to Onboard the Relationship and set up your Recertification Period.

Frequently asked questions

What are the different Assessment Phases?

What are the different Relationship statuses?

How do I add new vendors?

What is the difference between Potential Risk and Residual Risk?

How is Potential and Residual Risk Calculated?

How do I add a Vendor in the VISO Trust Platform?

I want to modify some of the details of the Relationship, how do I do that?

Once I have created the Relationship, what's the next step?

The Vendor we are working with has publicly available Security documents which can be used or I have already uploaded their documentation, do I still need to put in the Third Party Contact information to start an Assessment?

I was notified that the Assessment for the Vendor is completed, what do I do next?

How did we do?

Creating a Relationship and Starting an Assessment

Related Articles

GoDaddy Incident

CircleCI Incident

Okta's Support System Security Incident

Related Articles

VISO TRUST Roles & Permissions

How To Configure Coupa Supplier Sync

How To Import New or Existing Relationships

How To Configure The VISO TRUST Netskope Application Risk Exchange (ARE) Plugin

How to Create an API Access Token

Creating a Relationship and Starting an Assessment

Netksope Application Risk Exchange Plugin

Artifact Intelligence Trust Center

Risk Insights Dashboard Update

DROPBOX, INC. Cybersecurity Incident

Persistent Malicious Campaign: Exploiting Exchange Server Vulnerability Leading to Data Breach in Azure Cloud Environments

Infosys McCamish Data Breach Hits Bank of America

ConnectWise ScreenConnect Authentication Bypass Vulnerability

Okta's Support System Security Incident

VF Corporation Data Breach Incident

HealthEC LLC (HEC) Cyber Security Event

Orrick Herrington & Sutcliffe LLP Breach Incident

Citrix Hypervisor Security Incident

Citrix NetScaler ADC and NetScaler Gateway vulnerabilities

Sumo Logic Potential Security Incident

Arietis Health Security Incident

Cisco IOS XE Software Web Management User Interface vulnerabilities

CVE-2023-22515 - Broken Access Control Vulnerability in Atlassian Confluence Data Center and Server

JumpCloud's Ongoing Incident: API Key Reset

Progress Software MOVEit Zero-Day Vulnerability

GoAnywhere MFT (Fortra) Incident