Frequently asked questions

What are the different Assessment Phases?

Not Assessed: This phase indicates that the relationship has been created on the platform, however an Assessment has not been initiated
Started: The Assessment request has been initiated
Collecting Information: The Assessment has been opened by the Vendor and they are in the process of supplying documentation that shows evidence of control coverage
Review Started: The Vendor has responded to the Assessment and is within VISO Trust to review and validate the responses provided by the Vendor
Completed: The Assessment request has been reviewed by VISO Trust with a Risk Score and Risk Summary generated

What are the different Relationship statuses?

Not Onboarded: A Relationship is initially set to Not Onboarded when it is created natively through the Web Application. It will persist in this status until the designated Business Owner determines that your organization will continue to move forward with this vendor.
Onboarded: Once the Business Owner decides that they want to work with the Vendor, the Business Owner (if they are an authorized User within the application, otherwise the designated Org Admin) must use the action on the Relationship Detail page or to Onboard the Vendor. Once Onboarded, this Relationship will now be able to leverage Lifecycle Management that will allow you to set the period in which this Relationship must be recertified. Along with the ability to leverage Lifecycle Management, the Risk associated with this Relationship will now be considered in your Risk Insights Dashboard, showing an aggregate of the Risk associated with all Onboarded Vendors.
Deleted: If it is determined that you are no longer working with this Vendor, you can update the Relationship Status to Deleted within the Relationship Details page.
- The Relationship must first be moved to Not Onboarded before Deleting
- Any Assessments in Progress will be Cancelled

How do I add new vendors?

There are two ways to add new vendors, creating new relationship, in the VISO platform:

New Relationship
Import Relationships

What is the difference between Potential Risk and Residual Risk?

Potential Risk - Refers to the risk level that exists without the presence of controls or mitigations in place.
Residual Risk - Refers to the remaining risk level after an assessment has been completed for the controls put in place using the information/documents provided by Third Party vendor.

How is Potential and Residual Risk Calculated?

Potential and Residual risks can range from No Access, Low, Medium, High, and Extreme risk based on the Risk Model.
The Risk Model considers the following data points:
- Based on each unique business relationship, attack surface is used to determine potential likelihood
- Based on the data privacy regulations and cost of breach statistics, the sensitivity of data in scope for the relationship is used to determine potential impact
- Based on NIST, ISO, AICPA and FFIEC standards and data breach statistics, likelihood-mitigating controls are analyzed in third party artifacts to determine their presence and relative assurance value.
- Mitigating controls are applied to determine Residual Risk (0-100%)

How do I add a Vendor in the VISO Trust Platform?

Click on the 'New Relationship' button at the top header
Enter the following Vendor attributes in the New Relationship form and hit submit:
- Vendor Details
- Contact Information
- Business Case
- Data Types
You will see the relationship created in the Relationship List page in Not Onboarded status

I want to modify some of the details of the Relationship, how do I do that?

Within the Relationship List page, select the Relationship in which you would like to modify which will bring you to the Relationship Detail page
In the Relationship Detail page, each of the Relationship attributes have an Edit link which when clicked, will open a modal window to set the desired values

Once I have created the Relationship, what's the next step?

Once a Relationship is created, you want to initiate an Assessment to validate the control coverage and determine this Relationship's Residual Risk. To initiate an Assessment, proceed with the following steps:

Within the Relationship List page, select the Vendor in which you would like to initiate an Assessment for which will bring you to the Relationship Detail page
From the Relationship Detail page, click on the "Start Assessment" button in the top right corner
Enter in the Contact information for the Vendor and click "Send Assessment Request"

The Vendor we are working with has publicly available Security documents which can be used or I have already uploaded their documentation, do I still need to put in the Third Party Contact information to start an Assessment?

If the Vendor has either a Trust Portal containing their Security documentation or you have already uploaded them, you can initiate a Documents Only Assessment.
This will allow VISO Trust to perform an Assessment to determine Residual Risk without the need to engage the Vendor directly
To start a Documents Only Assessment, follow the same steps as above to start an Assessment, however this time you will click the toggle button next to "Assess using documents we've uploaded only"
- Within this modal, there is an input form for you to supply either the public link for VISO Trust to pull the documentation or we will use the documents that have been previously uploaded within the Artifacts tab.

I was notified that the Assessment for the Vendor is completed, what do I do next?

Once the Assessment is completed, you will notice that the application provides following information for you to take the next step.
- Residual Risk Score - You can view this on the Relationship Detail page as well as Relationship List page
- Assessment Summary - This is the summary of the controls that were validated with any exceptions noted as well as the context in which you are doing business with this Vendor
Based on the results, it is up to the Business Owner or designated Organization Admin to determine whether or not you would like to proceed with working with this Vendor. If it is determined you are going to move forward with this Vendor, the next step would be to Onboard the Relationship and set up your Recertification Period.

Frequently asked questions

What are the different Assessment Phases?

What are the different Relationship statuses?

How do I add new vendors?

What is the difference between Potential Risk and Residual Risk?

How is Potential and Residual Risk Calculated?

How do I add a Vendor in the VISO Trust Platform?

I want to modify some of the details of the Relationship, how do I do that?

Once I have created the Relationship, what's the next step?

The Vendor we are working with has publicly available Security documents which can be used or I have already uploaded their documentation, do I still need to put in the Third Party Contact information to start an Assessment?

I was notified that the Assessment for the Vendor is completed, what do I do next?

How did we do?

Risk Advisories

Related Articles

Supplemental Questionnaires

Follow-up questionnaires

Related Articles

Custom Organization Email Domain

Artifact Intelligence Trust Center

VISO TRUST Roles & Permissions

Netksope Application Risk Exchange Plugin

How to Create an API Access Token

How To Configure The VISO TRUST Netskope Application Risk Exchange (ARE) Plugin

How To Configure Coupa Supplier Sync

Customize branding for your organization

Understanding Subscribers and Default Subscribers

Configuring relationship context

VISO TRUST Risk Assessment Process

Lifecycle Management for Relationships

How To Import New or Existing Relationships