How To Import New or Existing Relationships
Updated by Dan Sarlo
Why use the 'Import Relationship' feature?
- The 'Import Relationship' feature helps users create a large number of relationships quickly without having to individually create them via the 'New Relationship Wizard'.
- Not only can you create a large number of new relationships quickly, we also support the importing of existing relationships and their risk assessments.
Choosing your import template
From the 'Import Relationships' page, you are given two options when downloading an import spreadsheet.
- Existing Relationship template - Used to import any existing relationships and their risk assessments
- New Relationship template - Used to create new relationships (Excludes existing risk assessment-related information)
For assistance in filling out these spreadsheets, we have provided example relationships in both of these templates for you to use as a guide as you provide your own information.
Important: Please make sure to remove the example relationships provided in the template before attempting to import your relationships.
Useful terms/definitions
- Vendor (a.k.a Third Party): The company whose product or service you are using or planning to use.
- Third Party Contact: The account manager or representative at the third party.
- Business Owner: The main point of contact for the third party. Is typically the buyer or requester.
- Relationship: Companies use third parties to supply products or services that they need to function. If a business establishes an ongoing exchange with a third party, they begin a business relationship that allows for the buyer and supplier's success.
- Legacy Relationship: A relationship whose risk assessment was created outside of the VISO Platform. Represents an existing relationship.
- Data Type: Data types represent the digital assets that may be shared with a third party, which have the potential to increase the risk of a relationship.
Spreadsheet file format
The first line of the spreadsheet contains the column headers. Do not modify or rearrange these.
Field Name | Field Description | Field Data Requirements |
Client Username | The email of the user who will be marked as the creator of the relationship. | Required |
Vendor Name | Name of the vendor for the relationship. | Required |
Vendor Description | Description of the service/product the vendor is providing. | Nice to have |
Vendor Website | Website URL for the vendor. | Required |
Vendor Industry | Industry of the vendor - Technology, Finance, etc | Nice to have |
Business Owner Email Address | Email address of the business owner for communication and assessment notifications | Required |
Business Owner First Name | First name of the business owner | Required |
Business Owner Last Name | Last name of the business owner | Required |
Business Owner Business Unit | Business unit that the business owner belongs to. Example values - Product, Engineering, IT, InfoSec, etc Important: | Required |
Primary Third Party Contact Email Address | Email address of the primary third party contact for communication/notifications Important: If you enter the email address of the third party contact, then the First Name and Last Name fields are required | Nice to have NOTE: Required if existing relationship import spreadsheet is used and Recertification Type is AUTOMATIC |
Primary Third Party Contact First Name | First Name of the primary third party contact | Nice to have NOTE: Required if existing relationship import spreadsheet is used and Recertification Type is AUTOMATIC |
Primary Third Party Contact Last Name | Last Name of the primary third party contact | Nice to have NOTE: Required if existing relationship import spreadsheet is used and Recertification Type is AUTOMATIC |
Primary Third Party Contact Contact Phone | Phone number of the primary third party contact | Nice to have |
Data Transfer | Data will pass through, or be stored or processed on equipment or systems owned or controlled by the third party. | Enter "Yes" if applicable, otherwise "No" or leave blank |
Network Connection | Company's network will be connected to third party network. Examples of connected networks include site-to-site virtual private networks (VPNs), dedicated point-to-point circuits, AWS Direct Connect or other dedicated circuits. | Enter "Yes" if applicable, otherwise "No" or leave blank |
Data Storage | Company's data or equipment containing company's data will be stored at the third party's facility. Examples of data storage include a data center colocation where the third party does not have logical access or a storage facility housing data backup tapes. | Enter "Yes" if applicable, otherwise "No" or leave blank |
Physical Access | Third party personnel will access company's facilities that contain computer systems or information technology resources. Examples of on-site services include physical access to facilities which contain information technology resources, such as work areas containing computers or telco/server closets. | Enter "Yes" if applicable, otherwise "No" or leave blank |
Personnel Data Access | Third party personnel require access to your company's computers, network or information resources. | Enter "Yes" if applicable, otherwise "No" or leave blank |
Software/Hardware Supplier | Third party independently develops or supplies computer software or hardware for use by your company or your customers. Examples include software products or digital infrastructure components, Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS) and Infrastructure-as-a-Service (IaaS). | Enter "Yes" if applicable, otherwise "No" or leave blank |
Data Type - Authentication credentials or internal encryption keys | Credentials used to secure an account or keys used to protect the most sensitive data in your organization. e.g. Username and password combinations, API keys, TSI keys | Enter "Yes" if applicable, otherwise "No" or leave blank |
Data Type - PII and additional attributable information | PII and any non-PII attributable information that together can put the customer at risk for social engineering. e.g. Customer contact information and their spending history | Enter "Yes" if applicable, otherwise "No" or leave blank |
Data Type - Sensitive PII | PII which if lost, compromised, or disclosed without authorization, could result in substantial harm or inconvenience to an individual. e.g. Customer names, addresses or telephone number in combination with their social security number or credit card numbers | Enter "Yes" if applicable, otherwise "No" or leave blank |
Data Type - PII (Personal Identifiable Information) | Any information that permits the identity of an individual to be reasonably inferred by either direct or indirect means. e.g. Customer names, addresses or telephone numbers NOT in combination with social security numbers or credit card numbers | Enter "Yes" if applicable, otherwise "No" or leave blank |
Data Type - Employee sensitive PII (Personal Identifiable Information) | Employee PII sensitive in nature, typically requiring breach notification in the event of unauthorized disclosure or loss. e.g. Employee names + social security numbers, employee names + bank numbers | Enter "Yes" if applicable, otherwise "No" or leave blank |
Data Type - Insider Information | A non-public fact regarding the plans or condition of a publicly traded company that could provide a financial advantage when used to buy or sell shares of that or another company's securities e.g. Acquisition plans of a publicly traded company | Enter "Yes" if applicable, otherwise "No" or leave blank |
Data Type - Vulnerabilities | Undisclosed information regarding weaknesses which can be exploited by a threat actor. e.g. Vulnerability scan reports, penetration testing reports | Enter "Yes" if applicable, otherwise "No" or leave blank |
Data Type - Proprietary and confidential information | Information your organization wishes to keep confidential. e.g. Trade secrets, business plans, customer lists and contracts | Enter "Yes" if applicable, otherwise "No" or leave blank |
Data Type - Source code | Any collection of code, possibly with comments, or any fully executable description of a software system owned by your organization. e.g. Source code of a product you produce | Enter "Yes" if applicable, otherwise "No" or leave blank |
Data Type - Unrestricted information | Information whose unauthorized disclosure, alteration or destruction would result in little or no impact. e.g. Published research, press releases | Enter "Yes" if applicable, otherwise "No" or leave blank |
Data Type - Less sensitive confidential information | Information owned by your organization and not made publicly available in bulk but routinely shared with partners or customers. e.g. Employee work names and contact lists | Enter "Yes" if applicable, otherwise "No" or leave blank |
Data Type - Customer or partner proprietary information | Information a company wishes to keep confidential that has been entrusted to you by a third party. e.g. Customer trade secrets, business plans, customer lists and contracts | Enter "Yes" if applicable, otherwise "No" or leave blank |
Data Type - Financial reporting | Information or financial statements that are used to track, analyze and report on business income and the financial assets. e.g. Data from a company accounting system or monetary asset management system | Enter "Yes" if applicable, otherwise "No" or leave blank |
Data Type - PCI (Payment Card Industry) data | Card Holder Data (CHD) or information including unique Primary Account Numbers (PANs) that identify the issuer and the particular cardholder account. e.g. Customer credit or debit card information | Enter "Yes" if applicable, otherwise "No" or leave blank |
Data Type - Monetary Assets | Cash and cash equivalents including digital or virtual. e.g. Cash, access directly to bank accounts or cryptocurrency wallets | Enter "Yes" if applicable, otherwise "No" or leave blank |
Data Type - PHI (Protected Health Information) | Any information about an individual's health status, medical conditions, or healthcare services that can be linked to a specific individual. | Enter "Yes" if applicable, otherwise "No" or leave blank |
Tag(s) - (separated by commas) | The custom Tag(s) you would like associated with this relationship. If the Tag does not exist, one will be created and added to your list of organization tags. Tags can only contain letters or numbers. e.g. High Priority,Tier 3,Sub-Servicer,Cloud Provider | Nice to have |
Legacy Relationship - Assessment Start Date | The date the risk assessment for this relationship was started. | Required if importing existing relationships Format: mm/dd/yyyy |
Legacy Relationship - Assessment Completion Date | The date the risk assessment for this relationship was completed. | Required if importing existing relationships Format: mm/dd/yyyy |
Legacy Relationship - Assessment Review Frequency | How often/when the relationship should be reassessed. | Required if importing existing relationships Review Frequency options - Quarterly, Semiannual, Annual, Two Years, Three Years. |
Legacy Relationship - Recertification Type | How your relationship will be re-certified in the future. Important Definitions: 1) Manual - As the recertification date approaches, we'll send you reminder emails to reassess this relationship. You will need to start the recertification process yourself by starting a new assessment within the VISO Trust platform. 2) Automatic - On the recertification date, we'll automatically reach out to the third party and re-certify this relationship using existing artifacts and updated information. 3) None - We will not automatically re-certify and you will not receive reminders around re-certifying your relationship. | Required if importing existing relationships Recertification Type options - Manual, Automatic, None |
Legacy Relationship - Automatic Artifact Updates | If you would like to turn on automatic artifact updates. 1) Yes - We will track the expiration period of the artifact as determined by the type (ex. SOC 2 Type 2) and automatically follow up with the third party for a new artifact of the same type. 2) No - we will not automatically follow up with the third party if an artifact expires. | Required if importing existing relationships Options: Yes / No |
Legacy Relationship - Assessment Inherent Risk | The risk level prior to evaluating the controls the third party had in place. | Required if importing existing relationships Risk Level options - No Context, Low, Medium, High, Extreme |
Legacy Relationship - Assessment Residual Risk | The risk level after the assessment was completed for the controls in place using the information/documents provided by the third party. | Required if importing existing relationships Risk Level options - No Context, Low, Medium, High, Extreme |
Uploading your import spreadsheet
Once you have entered all of the required information in the spreadsheet, please review the information below before submitting your import spreadsheet on the 'Import Relationships' page to avoid errors.
- Do not modify the headers in the VISO import templates
- All required fields must be filled out. Please refer to the table above for more information.
- Formulas are not supported in our import templates.
- Do not rearrange or delete any columns.
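A pre-upload check for the rules in the table and list above, as an added example (not VISO Trust's own code). It assumes each spreadsheet row has been read into a dict keyed by the template's column headers and that values are compared case-insensitively; the sample row is constructed.

```python
import re
from datetime import datetime

# Column names and allowed values come from the field table on this page.
# Case-insensitive matching of cell values is an assumption of this example.
REQUIRED = ["Client Username", "Vendor Name", "Vendor Website",
            "Business Owner Email Address", "Business Owner First Name",
            "Business Owner Last Name", "Business Owner Business Unit"]
YES_NO = ["Data Transfer", "Network Connection", "Data Storage", "Physical Access",
          "Personnel Data Access", "Software/Hardware Supplier"]
LEGACY, CONTACT = "Legacy Relationship - ", "Primary Third Party Contact "
RISK = {"no context", "low", "medium", "high", "extreme"}
CHOICES = {"Assessment Review Frequency": {"quarterly", "semiannual", "annual", "two years", "three years"},
           "Recertification Type": {"manual", "automatic", "none"},
           "Automatic Artifact Updates": {"yes", "no"},
           "Assessment Inherent Risk": RISK, "Assessment Residual Risk": RISK}
DATES = ["Assessment Start Date", "Assessment Completion Date"]

def is_mmddyyyy(value):
    """True only for a real calendar date written as mm/dd/yyyy."""
    try:
        return bool(re.fullmatch(r"\d{2}/\d{2}/\d{4}", value)) and bool(datetime.strptime(value, "%m/%d/%Y"))
    except ValueError:
        return False

def validate_row(row, existing=False):
    """Return the problems found in one row (dict of column header -> cell text)."""
    get = lambda col: str(row.get(col) or "").strip()
    errs = [f"formula in {c}" for c in row if get(c).startswith("=")]  # formulas are not supported
    errs += [f"missing {c}" for c in REQUIRED if not get(c)]
    errs += [f"{c} must be Yes, No or blank" for c in row  # exposure flags and "Data Type - ..." columns
             if (c in YES_NO or str(c).startswith("Data Type - ")) and get(c).lower() not in ("", "yes", "no")]
    need_contact = bool(get(CONTACT + "Email Address"))  # an email makes both names required
    if existing:  # legacy columns apply only to the Existing Relationship template
        errs += [f"{n} must be one of {sorted(a)}" for n, a in CHOICES.items() if get(LEGACY + n).lower() not in a]
        errs += [f"{n} must be mm/dd/yyyy" for n in DATES if not is_mmddyyyy(get(LEGACY + n))]
        need_contact |= get(LEGACY + "Recertification Type").lower() == "automatic"
    if need_contact:
        errs += [f"missing {CONTACT}{f}" for f in ("Email Address", "First Name", "Last Name")
                 if not get(CONTACT + f)]
    return errs

# Constructed sample row (placeholder text stands in for the required cells).
SAMPLE = {**dict.fromkeys(REQUIRED, "placeholder"), "Data Transfer": "Yes",
          "Data Type - Source code": "Maybe", LEGACY + "Assessment Start Date": "13/01/2024",
          LEGACY + "Assessment Completion Date": "02/15/2024",
          LEGACY + "Assessment Review Frequency": "Annual", LEGACY + "Recertification Type": "Automatic",
          LEGACY + "Automatic Artifact Updates": "No",
          LEGACY + "Assessment Inherent Risk": "High", LEGACY + "Assessment Residual Risk": "Low"}
```

Calling `validate_row(SAMPLE, existing=True)` reports the invalid Yes/No cell, the impossible start date, and the three contact fields that Automatic recertification makes required.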