DVV Solutions

Vendor Risk Management

Vendor Risk Management (VRM) is SaaS software that automates, centrally manages and provides a workflow process for assessing and remediating the risk associated with supplier access to client data, networks and other aspects of the client-supplier relationship.

Features

  • Organises each Vendor/Supplier's risk assessment information into a secure repository
  • Tier Vendor/Suppliers by Risk to the agency/organisation
  • Map Risk Controls to Vendors/Suppliers
  • Risk Score Vendors/Suppliers
  • Services Framing
  • Centrally manage multiple risk assessment questionnaires or surveys
  • Automate and Schedule questionnaire response and evidence collection
  • Validate questionnaire evidence accuracy and supplier response
  • Full audit trail of risk assessment process
  • Analytics and reporting on Vendor/Supplier risk to the organisation

Benefits

  • Allows organisations to make better decisions
  • Scale a Vendor Risk Management Program for all sized organisations
  • Increase Vendor/Supplier risk audit accuracy and response times
  • Increase capacity of Vendor/Supplier risk program to assess ALL vendors
  • Reduce operational/FTE costs to manage vendor sourced cyber threats
  • Automate scheduling of vendor risk assessments and remediation processes
  • Manage threat remediation controls for riskiest vendors
  • Increase productivity of risk professionals refocusing on vendor cyber controls
  • Complete vendor assessment reporting across an entire portfolio of suppliers
  • Integrate Third Party Risk software with existing GRC platforms

Pricing

£500.00 to £1000.00 per licence per year

Service documents

G-Cloud 9

568439282485001

DVV Solutions

Sean O'Brien

0161 476 8700

sobrien@dvvs.co.uk

Service scope

Software add-on or extension Yes, but can also be used as a standalone service
What software services is the service an extension to Vendor Threat Monitoring,
Vendor Threat Monitoring Snapshot
Cloud deployment model Private cloud
Service constraints Users must be able to access the public internet to gain access to the service
System requirements Access to the internet via browser

User support

Email or online ticketing support Email or online ticketing
Support response times Contract dependent
User can manage status and priority of support tickets No
Phone support Yes
Phone support availability 9 to 5 (UK time), Monday to Friday
Web chat support No
Onsite support Yes, at extra cost
Support levels Very little support is required with this service. Telephone support is provided 9am to 5pm, Monday to Friday, except public holidays in England. This level of support is included in the subscription cost.
Support available to third parties Yes

Onboarding and offboarding

Getting started Most deployments require a Statement of Work (SOW) to help implement existing processes in the Prevalent application. Each SOW includes knowledge transfer to hand the application over.
Service documentation Yes
Documentation formats
  • HTML
  • PDF
  • Other
Other documentation formats .Docx
End-of-contract data extraction Upon notifying Prevalent of termination, all reports and attachments will be provided to the client for sign off.
End-of-contract process At the termination of a contract, all access to the SaaS software is revoked and clients have up to 60 days to export all data from the repository before it is deleted. A series of notifications will remind clients to export all relevant data.

Using the service

Web browser interface Yes
Supported browsers
  • Internet Explorer 7
  • Internet Explorer 8
  • Internet Explorer 9
  • Internet Explorer 10+
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install No
Designed for use on mobile devices No
Accessibility standards None or don’t know
Description of accessibility Our service is accessible through any standard web browser used to access internet websites
Accessibility testing Prevalent uses standard approaches to deliver the software via web access, including for assistive technologies
API Yes
What users can and can't do using the API Push & pull data from the service
API documentation Yes
API documentation formats HTML
API sandbox or test environment Yes
Customisation available Yes
Description of customisation We do not offer software customisation. The platform is designed to be configured around the vendors or suppliers for which the organisation wants to create point-in-time risk assessments and remediation controls.

Scaling

Independence of resources The AWS platform is constantly monitored, allowing on-demand resources to be allocated.

Analytics

Service usage metrics Yes
Metrics types VRM can provide benchmarking analytics across the portfolio of vendors and their respective potential risk to the business, reporting on the riskiest vendors, responsiveness to remediation requirements, and cost analytics around vendor risk management
Reporting types
  • API access
  • Real-time dashboards
  • Regular reports

Resellers

Supplier type Reseller providing extra features and support
Organisation whose services are being resold Prevalent

Staff security

Staff security clearance Conforms to BS7858:2012
Government security clearance Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations Yes
Data storage and processing locations Other locations
User control over data storage and processing locations Yes
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency At least every 6 months
Penetration testing approach Another external penetration testing organisation
Protecting data at rest
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Physical access control, complying with another standard
Data sanitisation process Yes
Data sanitisation type Explicit overwriting of storage before reallocation
Equipment disposal approach Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach Our software allows full export of client data, and we can import custom or standardised risk assessment questionnaires or surveys.
Data export formats
  • CSV
  • Other
Other data export formats Word & attachments in standard form
Data import formats
  • CSV
  • Other
Other data import formats Restricted based on console settings

Data-in-transit protection

Data protection between buyer and supplier networks TLS (version 1.2 or above)
Data protection within supplier network TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability 24 hr. RTO and 8 hr. RPO under standard agreements; shorter durations available for a fee
Approach to resilience Global load balancers in front of AWS with at least 2 Tier 4 geographically diverse data centres.
Outage reporting Yes, clients are notified in the event of any outages by email alerts.

Identity and authentication

User authentication needed Yes
User authentication
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
Access restrictions in management interfaces and support channels Available for conversation with mutually agreed upon NDA
Access restriction testing frequency At least every 6 months
Management access authentication
  • 2-factor authentication
  • Username or password

Audit information for users

Access to user activity audit information Users contact the support team to get audit information
How long user audit data is stored for Between 6 months and 12 months
Access to supplier activity audit information Users contact the support team to get audit information
How long supplier audit data is stored for Between 6 months and 12 months
How long system logs are stored for Between 6 months and 12 months

Standards and certifications

ISO/IEC 27001 certification No
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security accreditations No

Security governance

Named board-level person responsible for service security Yes
Security governance accreditation No
Security governance approach We aim to use advanced technologies alongside industry-recognised best practice.
Information security policies and processes Aligns to ISO27002

Operational security

Configuration and change management standard Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach Available for conversation with mutually agreed upon NDA
Vulnerability management type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach Available for conversation with mutually agreed upon NDA
Protective monitoring type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach Available for conversation with mutually agreed upon NDA
Incident management type Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach Available for conversation with mutually agreed upon NDA

Secure development

Approach to secure software development best practice Conforms to a recognised standard, but self-assessed

Public sector networks

Connection to public sector networks No

Pricing

Price £500.00 to £1000.00 per licence per year
Discount for educational organisations No
Free trial available No

Documents

Pricing document
Skills Framework for the Information Age rate card
Terms and conditions document