Accelerated Vendor Due Diligence

The Faster, Better, & Less Expensive Vendor Review Solution

Vendor Due Diligence and Vendor Risk Management can be Challenging

image 27 min

Our proprietary Accelerated Vendor Due Diligence (AVDD) tool is a paradigm shift in the vendor risk management (VRM) industry. With AVDD, you don’t need to continue down the same problematic path to vendor due diligence.

How Our AVDD Tool + Our TPRM Experts Solve Your Vendor Due Diligence Challenges

image 27 1 min 1

We have helped thousands of companies manage vendor due diligence and third party risk over the last 20 years—this is “what we do.”

Our Proven Process for Vendor Due Diligence Reviews (completed in minutes, not hours)

Step #1: Generate an inherent risk score for each vendor based on their unique context.
Step #2: Dynamically generate vendor and internal questionnaires specific to the risk.
Step #3: Import the vendor and internal completed questionnaires and measure residual risk.
Step #4: If necessary, give vendor contextualized, actionable recommendations.

Step #1: Generate an inherent risk score for each vendor based on their unique context.

Each Vendor’s Risk Is Different… So treat them accordingly.

  • Different vendors have different modes of access to data (e.g. onsite, remote, SaaS).
  • Different vendors have access to different types of data (e.g., PCI, PI, PHI, IP).
  • Different vendors have access to different quantities of data.
  • So it makes sense to generate a risk assessment/score that you can use as the basis for a unique questionnaire that is specific to each vendor’s risk…

Step #2: Dynamically generate vendor and internal questionnaires specific to the risk.

Create Questionnaires That Perfectly Match the Risk Each Vendor Poses.

Check out these examples:

  • We need a questionnaire to focus on HR controls for janitorial and other vendors with physical but no logical access.
  • We need a questionnaire to focus on physical, host, network controls, and availability for hosted servers.
  • We need a questionnaire to focus on physical, host and network controls, availability, IAM, and application security for SaaS providers.
  • Are our internal physical security controls (e.g., guards, video, electronic badging, data center controls) sufficient to monitor/control/log janitorial and other vendors with physical but logical access?
  • Are our privileged user account management, network segregation, asset management, security logging, and incident response controls sufficient to ensure secure and complaint cloud use?
  • Are our privileged user account management, endpoint protection, user authentication, data classification, and data leakage protection controls sufficient to ensure secure and complaint use of SaaS services?

Step #3: Import the vendor and internal completed questionnaires and measure residual risk.

Use the Maturity of each Vendor/Internal Control to Calculate Your Residual Risk

  • A 0-5 score for each control determines how much it mitigates each risk identified.
  • Compare the remaining (residual) risk to an acceptable risk that you specified for that vendor.
  • Generate a vendor summary report which specifies any additional risk treatments necessary to achieve an acceptable residual risk score.

Step #4: If necessary, give vendor contextualized, actionable recommendations.

Using auto-generated reports, verify if the controls implemented meet or exceed the control level required to reduce risk to an acceptable level.
Where necessary, communicate what is required (e.g., “Improve the control System Hardening Through Baseline Configurations (CFG-O2) from its current maturity of 2.0 to at least 3.0 (per the provided maturity guidelines).”)

Accelerated Vendor Due Diligence (AVDD) from Pivot Point Security

Break the Law of Constraints

Faster

Automated due diligence reviews can be completed 15 minutes. Human validation of the artifacts and questionnaire typically adds 1-8 hours.

Better

Properly contextualizing risk at the start focuses the vendor, vendor relationship owner, and reviewer on those controls that are most critical to managing risk, resulting in a more accurate validation of the net security of the total solution.

Less Expensive

Leveraging automation to correctly size and focus due diligence reviews means they get done in a shorter timeframe and with less time investment by your team, at a significantly lower total cost (and yes, our marketing guy wasn’t happy with our use of the word “cheap” :>))

You can continue to grind through your vendor reviews, or you can power through them with AVDD from Pivot Point Security.

Frequently Asked Questions (FAQ’s)

How is AVDD offered?

PPS offers AVDD as a managed service (consultant supported) and will soon offer AVDD in a SaaS model and as a JSON API for tool integration.

Is AVDD Secure?

PPS offers AVDD as a managed service (consultant supported) and will soon offer AVDD in a SaaS model and as a JSON API for tool integration.

How do you “interact” with AVDD?

PPS offers AVDD as a managed service (consultant supported) and will soon offer AVDD in a SaaS model and as a JSON API for tool integration.

How Does ARM (the backbone of AVDD) work?

PPS offers AVDD as a managed service (consultant supported) and will soon offer AVDD in a SaaS model and as a JSON API for tool integration.

Has ARM been validated?

PPS offers AVDD as a managed service (consultant supported) and will soon offer AVDD in a SaaS model and as a JSON API for tool integration.

How does ARM compare to other risk methodologies?

PPS offers AVDD as a managed service (consultant supported) and will soon offer AVDD in a SaaS model and as a JSON API for tool integration.

Is ARM qualitative or quantitative?

PPS offers AVDD as a managed service (consultant supported) and will soon offer AVDD in a SaaS model and as a JSON API for tool integration.

What is “inherent risk”?

PPS offers AVDD as a managed service (consultant supported) and will soon offer AVDD in a SaaS model and as a JSON API for tool integration.

What is “residual risk”?

PPS offers AVDD as a managed service (consultant supported) and will soon offer AVDD in a SaaS model and as a JSON API for tool integration.

Does ARM support key information security standards?

PPS offers AVDD as a managed service (consultant supported) and will soon offer AVDD in a SaaS model and as a JSON API for tool integration.

What file format does ARM use?

PPS offers AVDD as a managed service (consultant supported) and will soon offer AVDD in a SaaS model and as a JSON API for tool integration.