Frequently asked questions

What are the different Assessment Phases?

  • Not Assessed: This phase indicates that the relationship has been created on the platform, however an Assessment has not been initiated
  • Started: The Assessment request has been initiated
  • Collecting Information: The Assessment has been opened by the Vendor and they are in the process of supplying documentation that shows evidence of control coverage
  • Review Started: The Vendor has responded to the Assessment and is within VISO Trust to review and validate the responses provided by the Vendor
  • Completed: The Assessment request has been reviewed by VISO Trust with a Risk Score and Risk Summary generated

What are the different Relationship statuses?

  • Not Onboarded: A Relationship is initially set to Not Onboarded when it is created natively through the Web Application. It will persist in this status until the designated Business Owner determines that your organization will continue to move forward with this vendor.
  • Onboarded: Once the Business Owner decides that they want to work with the Vendor, the Business Owner (if they are an authorized User within the application, otherwise the designated Org Admin) must use the action on the Relationship Detail page or to Onboard the Vendor. Once Onboarded, this Relationship will now be able to leverage Lifecycle Management that will allow you to set the period in which this Relationship must be recertified. Along with the ability to leverage Lifecycle Management, the Risk associated with this Relationship will now be considered in your Risk Insights Dashboard, showing an aggregate of the Risk associated with all Onboarded Vendors.
  • Deleted: If it is determined that you are no longer working with this Vendor, you can update the Relationship Status to Deleted within the Relationship Details page.
    • The Relationship must first be moved to Not Onboarded before Deleting
    • Any Assessments in Progress will be Cancelled

How do I add new vendors?

There are two ways to add new vendors, creating new relationship, in the VISO platform:

  1. New Relationship
  2. Import Relationships

What is the difference between Potential Risk and Residual Risk?

  • Potential Risk - Refers to the risk level that exists without the presence of controls or mitigations in place.
  • Residual Risk - Refers to the remaining risk level after an assessment has been completed for the controls put in place using the information/documents provided by Third Party vendor.

How is Potential and Residual Risk Calculated?

  • Potential and Residual risks can range from No Access, Low, Medium, High, and Extreme risk based on the Risk Model.
  • The Risk Model considers the following data points:
    • Based on each unique business relationship, attack surface is used to determine potential likelihood
    • Based on the data privacy regulations and cost of breach statistics, the sensitivity of data in scope for the relationship is used to determine potential impact
    • Based on NIST, ISO, AICPA and FFIEC standards and data breach statistics, likelihood-mitigating controls are analyzed in third party artifacts to determine their presence and relative assurance value.
    • Mitigating controls are applied to determine Residual Risk (0-100%)

How do I add a Vendor in the VISO Trust Platform?

  • Click on the 'New Relationship' button at the top header
  • Enter the following Vendor attributes in the New Relationship form and hit submit:
    • Vendor Details
    • Contact Information
    • Business Case
    • Data Types
  • You will see the relationship created in the Relationship List page in Not Onboarded status

I want to modify some of the details of the Relationship, how do I do that?

  • Within the Relationship List page, select the Relationship in which you would like to modify which will bring you to the Relationship Detail page
  • In the Relationship Detail page, each of the Relationship attributes have an Edit link which when clicked, will open a modal window to set the desired values

Once I have created the Relationship, what's the next step?

Once a Relationship is created, you want to initiate an Assessment to validate the control coverage and determine this Relationship's Residual Risk. To initiate an Assessment, proceed with the following steps:

  • Within the Relationship List page, select the Vendor in which you would like to initiate an Assessment for which will bring you to the Relationship Detail page
  • From the Relationship Detail page, click on the "Start Assessment" button in the top right corner
  • Enter in the Contact information for the Vendor and click "Send Assessment Request"

The Vendor we are working with has publicly available Security documents which can be used or I have already uploaded their documentation, do I still need to put in the Third Party Contact information to start an Assessment?

  • If the Vendor has either a Trust Portal containing their Security documentation or you have already uploaded them, you can initiate a Documents Only Assessment.
  • This will allow VISO Trust to perform an Assessment to determine Residual Risk without the need to engage the Vendor directly
  • To start a Documents Only Assessment, follow the same steps as above to start an Assessment, however this time you will click the toggle button next to "Assess using documents we've uploaded only"
    • Within this modal, there is an input form for you to supply either the public link for VISO Trust to pull the documentation or we will use the documents that have been previously uploaded within the Artifacts tab.

I was notified that the Assessment for the Vendor is completed, what do I do next?

  • Once the Assessment is completed, you will notice that the application provides following information for you to take the next step.
    • Residual Risk Score - You can view this on the Relationship Detail page as well as Relationship List page
    • Assessment Summary - This is the summary of the controls that were validated with any exceptions noted as well as the context in which you are doing business with this Vendor
  • Based on the results, it is up to the Business Owner or designated Organization Admin to determine whether or not you would like to proceed with working with this Vendor. If it is determined you are going to move forward with this Vendor, the next step would be to Onboard the Relationship and set up your Recertification Period.

How did we do?

Contact