Accelerated Vendor Due Diligence

The Faster, Better, & Less Expensive Vendor Review Solution

Vendor Due Diligence and Vendor Risk Management can be Challenging

vendor risk management is challenging
 

Our proprietary Accelerated Vendor Due Diligence (AVDD) tool is a paradigm shift in the vendor risk management (VRM) industry. With AVDD, you don’t need to continue down the same problematic path to vendor due diligence.

 

 

How Our AVDD Tool + Our TPRM Experts Solve Your Vendor Due Diligence Challenges

 

accelerated vendor risk management benefits

 

We have helped thousands of companies manage vendor due diligence and third party risk over the last 20 years—this is “what we do.”

Schedule your AVDD Demo

 

Our Proven Process for Vendor Due Diligence Reviews (completed in minutes, not hours)

Step #1: Generate an inherent risk score for each vendor based on their unique context.
Step #2: Dynamically generate vendor and internal questionnaires specific to the risk.
Step #3: Import the vendor and internal completed questionnaires and measure residual risk.
Step #4: If necessary, give vendor contextualized, actionable recommendations.

Step #1: Generate an inherent risk score for each vendor based on their unique context.

Each Vendor’s Risk Is Different… So treat them accordingly.

  • Different vendors have different modes of access to data (e.g. onsite, remote, SaaS).
  • Different vendors have access to different types of data (e.g., PCI, PI, PHI, IP).
  • Different vendors have access to different quantities of data.
  • So it makes sense to generate a risk assessment/score that you can use as the basis for a unique questionnaire that is specific to each vendor’s risk…

Step #2: Dynamically generate vendor and internal questionnaires specific to the risk.

Create Questionnaires That Perfectly Match the Risk Each Vendor Poses.

Check out these examples:

  • We need a questionnaire to focus on HR controls for janitorial and other vendors with physical but no logical access.
  • We need a questionnaire to focus on physical, host, network controls, and availability for hosted servers.
  • We need a questionnaire to focus on physical, host and network controls, availability, IAM, and application security for SaaS providers.
  • Are our internal physical security controls (e.g., guards, video, electronic badging, data center controls) sufficient to monitor/control/log janitorial and other vendors with physical but logical access?
  • Are our privileged user account management, network segregation, asset management, security logging, and incident response controls sufficient to ensure secure and complaint cloud use?
  • Are our privileged user account management, endpoint protection, user authentication, data classification, and data leakage protection controls sufficient to ensure secure and complaint use of SaaS services?

Step #3: Import the vendor and internal completed questionnaires and measure residual risk.

Use the Maturity of each Vendor/Internal Control to Calculate Your Residual Risk

  • A 0-5 score for each control determines how much it mitigates each risk identified.
  • Compare the remaining (residual) risk to an acceptable risk that you specified for that vendor.
  • Generate a vendor summary report which specifies any additional risk treatments necessary to achieve an acceptable residual risk score.

Step #4: If necessary, give vendor contextualized, actionable recommendations.

Using auto-generated reports, verify if the controls implemented meet or exceed the control level required to reduce risk to an acceptable level.

Where necessary, communicate what is required (e.g., “Improve the control System Hardening Through Baseline Configurations (CFG-O2) from its current maturity of 2.0 to at least 3.0 (per the provided maturity guidelines).”)

Accelerated Vendor Due Diligence (AVDD) from Pivot Point Security

Break the Law of Constraints

Faster

Automated due diligence reviews can be completed 15 minutes. Human validation of the artifacts and questionnaire typically adds 1-8 hours.

Better

Properly contextualizing risk at the start focuses the vendor, vendor relationship owner, and reviewer on those controls that are most critical to managing risk, resulting in a more accurate validation of the net security of the total solution.

Less Expensive

Leveraging automation to correctly size and focus due diligence reviews means they get done in a shorter timeframe and with less time investment by your team, at a significantly lower total cost (and yes, our marketing guy wasn’t happy with our use of the word “cheap” :>))

You can continue to grind through your vendor reviews, or you can power through them with AVDD from Pivot Point Security.

Schedule your AVDD Demo

 

Frequently Asked Questions

  • How is AVDD offered?

PPS offers AVDD as a managed service (consultant supported) and will soon offer AVDD in a SaaS model and as a JSON API for tool integration.

  • Is AVDD Secure?

AVDD runs in AWS and is ISO 27001 certified. More importantly, AVDD doesn’t store your data.

  • Is AVDD proven?

PPS has used ARM (the underlying Risk Assessment engine) as an internal service offering for 200+ risk and vendor assessments over the last 2 years with excellent results.

  • How do you “interact” with AVDD?

You click a URL and then enter the required inputs (data types, impacts, regulations, and acceptable risk), generate your questionnaires/assessments, and upload your completed questionnaires.

  • How Does ARM (the backbone of AVDD) work?

Accelerated Risk Management (ARM) is an expert system with a predefined library of vulnerabilities and threats. ARM is able to accurately quantify the likelihood and impact of every data type you process. It literally calculates every potential risk in your risk universe.

  • Has ARM been validated?

ARM has been through dozens of successful ISO 27001, SOC 2, HIPAA, NIST, and SEC audits. It fully meets the requirements of major risk management frameworks like ISO 27005 and NIST SP 800-30.

  • How does ARM compare to other risk methodologies?

Like OCTAVE, FAIR, IRAM, 800-30, and ISO 27005, ARM applies a standardized model to risk analysis; it takes an automated, information-centric (not asset-centric) approach.

  • Is ARM qualitative or quantitative?

ARM provides both qualitative (Low/Medium/High) and semi-quantitative (0-100) mechanisms to analyze risk. (We prefer the latter approach as it provides greater granularity in risk management decisions).

  • What is “inherent risk”?

Inherent Risk = Business Impact of Threat Exploiting a Vulnerability * Probability of That Impact Occurring (for each data type you assess, you will add an impact criterion)

  • What is “residual risk”?

Residual Risk = Inherent Risk – Remediation for Current Controls Implemented that Reduce that Risk: ARM adjusts the amount of remediation based on the maturity of each control.

  • Does ARM support key information security standards?

ARM considers 800 controls across 125+ security and privacy standards (ISO 27001, SOC 2, HIPAA, NIST 800-171, CMMC, PCI, etc.)

  • What file format does ARM use?

ARM generates all questionnaires and risk assessments in Excel to make them as easy to use as possible.