Security Score Provider Integration
Hello. I'd like to talk to you about vendor risk management, one of the four applications illustrated here. Specifically, I'd like to walk you through how you can use our third-party security score provider integration to more accurately tier your vendors.

You have a solid knowledge of the type of internal information your vendors have access to, which will help you identify critical or tier one vendors. However, information such as security performance, breaches, and security incidents is difficult to know. That's where security score providers add value. We'll talk through how we integrate with two of the providers and how to set up continuous monitoring. This lets you stay on top of changes and automatically react if scores drop and a new vendor assessment is warranted.

Before we go to the vendor risk dashboard, let's look at the security providers. Here we currently have three providers: your internal metrics, BitSight, and SecurityScorecard. You can find the BitSight and SecurityScorecard applications on the ServiceNow Store. Each provider specifies a range for the security scores. Provider scores will be automatically populated through the integration. Depending on the score provider, they will use the vendor list from the vendor table, or you may be required to identify the vendors you wish scores provided for.

The dynamic vendor dashboard is the best place to get an overview of your vendor risk program. You can see how many vendors are performing tiering assessments or risk assessments and break them out by risk rating. You can also see open issues by priority and a donut chart to classify vendors by tier. You can get more detailed information by clicking on any of these reports.

Let's click on Vendors, select a vendor from our vendor catalog, and look at the vendor record. With out-of-the-box capabilities, you can easily import vendors into this list. You can see the standard information on this vendor record. The vendor tier has been calculated as high, the security score is 800, and we're using SecurityScorecard as a provider. There's a related list with historical scores and scores from different providers.

You can use your security scores to manually adjust the vendor tier; it will not be automatically adjusted. Then you can manually send out a new vendor risk assessment if it's warranted. You can also use score-based submission rules to automatically send out a vendor risk assessment if there are significant changes in the security score.

Let's look at this rule. The rule will be triggered if the vendor score drops by 10 percent or more. We've identified SecurityScorecard as a provider. If you don't enter a provider, you will get a score from your primary provider. We've also identified a specific tier to be subjected to this rule; in this case it's the high tier vendors, but this is optional. The assessment template section lets you identify which vendor risk assessment will be created for your vendor if the rule is triggered, and the check box allows you to automate the process, so that if the rule is triggered, in this case, a high risk security assessment will be automatically created and sent to all affected vendors. Here we'll keep the check box unchecked, or false.

Let's go back to our risk scores. You can see there is a provider score and a security score, which have been normalized on a zero to one thousand point scale so you can more easily compare different provider scores. In this case, you can see that eighty has been normalized to eight hundred.

Let's create a new score for our vendor that is ten percent less than the current score. Then we can see how our rule works. You'll notice a new message on top of the screen that says a new assessment has been created based on a security score update. Because we did not want it automatically sent out, it is currently sitting in the draft state.

We can see this auto-generated assessment in the vendor record under the Assessments related list. Under notes and comments, we can see that a score change rule has been triggered, an assessment created based on the submission rule. The high risk template is listed here. The assessment template dictates which questionnaires and document requests will be used. This assessment is kept in draft state because we didn't want it automatically sent to the vendor. We can now manually submit the risk assessment to the vendor, which will show up in their vendor portal.

If we had selected true for the auto submit to vendor in the submission rule, the assessment would have already been sent. In that case, when we selected this assessment in the Assessments related list, we would see it as submitted to vendor in the life cycle. You and your vendor can collaborate within the vendor portal, where all communications will be consolidated and tracked.

By integrating with third-party security score providers, you can extend your knowledge of the risks posed by your vendors. This additional data allows you to fine-tune a vendor's tier, if necessary, to more accurately reflect the true risks posed by the vendor. You can also speed response by electing to auto-submit vendor risk assessments based on security score. Accurately tiering, continuously monitoring, and properly assessing your vendors reduces your risk of a breach or non-compliance.

If you would like to learn more, please visit the product page on servicenow.com.
https://www.youtube.com/watch?v=WhbRENwFw94