Video: Third-Party Risk Reviews Workshop | Duration: 3772s | Summary: Third-Party Risk Reviews Workshop | Chapters: Workshop Introduction (15.215s), Introduction to Workshop (131.11s), Security Review Process (582.995s), Vendor Questionnaire Settings (753.255s), Vendor Risk Management (1366.315s), Vendor Security Assessment (1981.515s), Automation Features Explained (2053.25s), Vendor Security Reviews (2120.705s), Data Privacy Concerns (2267.14s), Vanta Access Features (2345.605s), Trust Center Features (2449.85s), Vendor Intake Forms (2597.395s), Vendor Security Review (2773.37s), Security Review Process (3118.715s), Vanta AI Recap (3463.395s)
Transcript for "Third-Party Risk Reviews Workshop": Hello, everyone, and welcome to Vanta's third-party risk review workshop. My name is Jaquez, and I will be your facilitator today. We're going to give another minute for those who signed up for the training to enter the room. But in the meantime, if you could, introduce yourself in the chat. Let us know where you're joining us from, and we will begin momentarily. What I'm going to do is mute myself, but once I unmute, we're going to get things in motion. Alright, team. Let's go ahead and get things in motion here. Welcome to those who have just entered the room. Oh, no. I almost said the closet here. Welcome to Vanta's third-party risk review workshop. My name is Jaquez, and I'm the program manager for downmarket education here at Vanta. And I'm excited to take you through a lot of the great features we have in our third-party risk review feature. Now, it was previously known as our vendor feature, and within the app it still says vendors, so definitely keep that in mind. But I'm definitely going to give you some great tips and strategies on how to use this feature. Now let me check and see who we have joining us today. We have Andrew from California. We have Casey from Calgary. I think that's a company or maybe a country. I might be off. We have John from Pennsylvania. And that's it. Okay. Perfect. Well, for those who just came in, feel free at any time to introduce yourself. We're going to go ahead and get things in motion. One way I like to do these trainings is that if you have any questions as we go along, feel free to ask them in the chat. What I'll do is, after each section, I will tab over to see if there are any questions, and then we will continue from that point. But, of course, you can definitely save them until the end, and I'll stick around to answer anything that comes up.
Now one moment as I get my slides to come around here. Alright. There we go. Slow load. Alright. So we're going to discuss some of the expectations for this training today. We're going to go through what third-party risk review management is. Then we're going to navigate the Vanta platform by exploring the specific tabs, such as the tools that are relevant to vendor management. Then we're going to perform and manage a vendor review live, and this is where you're going to get into the core workflow. And, of course, Q&A towards the end if you have any additional questions. Now I have one slide that I want to read out before we actually dive into the product, just to give you some insight into what this topic is. So what is third-party risk management? This is the process of identifying, assessing, and mitigating the risks that are linked to your organization's third-party vendors. These vendors aren't just suppliers. They can include service providers, contractors, or any external entity with access to your systems, your data, or even your facilities. Now, why does this matter? Whenever you bring a third party into your operational ecosystem, you extend your trust, and potentially your exposure, to their controls. You also expose yourself to their security posture and their business practices. So managing the risk is not optional. It's essential for protecting your company's assets, and it also helps you in the long run with maintaining customer trust and meeting regulatory obligations. Now what we're going to do is hop into the demo environment, and we're going to discuss this more deeply there. So one moment as I switch to that tab. Make sure you can see it. Okay. Perfect. Now, starting off, we are on our Vendors overview page here, and this page functions as an overview of your entire vendor program. So you're able to see the number of security reviews in progress, which ones are upcoming, and which are completed.
You're also able to see the number of vendors that are managed in your program, as well as the different categories that you have within it. I'm going to talk about this in the settings, but you do have the ability to categorize your vendors into specific categories, which helps you evaluate the types of vendors that you have within your organization. You're also able to see the critical-risk and high-risk vendors. You're able to see your Discovery tab, which we're going to go into next, and how that works. Now, before we actually go in and build out these specific segments, in terms of those security reviews and managing those vendors, I want us to take a look at what we call (let me deselect here) the Discovery tab, which is something that we want you to focus on, because this is where ghost vendors appear. Okay? Now, when it comes to ghost vendors, these are the tools that slipped in without proper security or compliance review. So once your organization has connected its MDM and so on to Vanta, you've synced it, and you see your company devices and so on, anytime a team member goes onto a specific website, you will be flagged to confirm that this is an approved site. Now, one thing I want to point out is that Vanta cannot restrict them from going to a website. We just help you document what is occurring so that you are aware of the specific actions team members are taking in terms of different software and things of that nature. Now, the beauty of this, and of the Discovery tab as a whole, is that this is a great space for you to get some good insight into the tools that your team uses.
So if you're starting to see, for example, that Ashby is becoming a very frequently repeated tool that appears in your Discovery tab, you can either, as an organization, consider it by taking it through an entire security review to confirm that their practices are in compliance with your organization's policies and procedures, or you could take it through that process and have enough info to bring to your organization to confirm that this tool is not a good fit for the organization. Okay? So either way, going through a security review process is a benefit, whether you're going to move forward with the tool or not, because you're developing the evidence you need to prove your point. Okay? But this list here is a list of your ghost vendors. Now, again, remember, Vanta can't stop them from going to a site even if you told them not to, or from using the tool even if you told them not to. So the best workaround for that type of scenario is to first create a company correspondence where you are letting the entire organization know that this tool is not approved and no one should use it. And then the second step that you can take after that is having your IT team block that specific site. Okay? That's a good mitigation plan to prevent anyone from accessing those specific components. Then from that point, you're able to really control that specific segment of your program. Now, if you don't have anything in place where you can actually block sites on your company devices, I highly suggest that your organization invest in that. A lot of organizations enjoy that benefit because it protects your customers' data, your clients' data, and you don't have to worry about certain tools being assets that you know are a threat to your organization. Okay?
So that's just a little bit of insight on how to move forward once you go through the process of examining your ghost vendors. Now, you do have some options here when you're looking at your ghost vendors. Okay? The first is... and let's just go to the ones that need review. So we're going to go to State, Needs review, and there are options here. Now, you can either, number one, ignore, which means you're just going to move forward. We don't recommend this option unless you're certain that this tool is safe. Again, we highly suggest that every single tool or website go through the process, and then you give a full accept or denial. Then, if you select these three dots, you have Reject here. And this is the option if the vendor has been deemed unapproved and you wish to remove it from use. And, uh-oh, what just happened here? Let me go back. Perfect. And then you have Move to managed vendor. Now, this Move to managed vendor moves it automatically to a managed vendor. So this is almost an option if you choose to ignore. Okay? You're just going to move it straight to the managed vendor list. You don't want to go through the process. For those who want to do that, you do have that option. But to get it into the security review process, you're going to select Move to procurement. Now, once you select that, we select this View button. It's going to take us to the security review for that specific tool. Okay? Now, from this point, you're able to go through the entire process of performing a security review. Okay? Now I'm going to briefly show you how this takes place, because I think it's good to see what your end goal actually looks like instead of just working with the idea. So once you move it from your ghost vendors to procurement, you're now in a position to examine this specific tool.
So you would select Security review, and you'll select Start security review to begin that process. Okay? We're going to select it. And this page here is confirming that this is the evidence that you need from this particular vendor. Now, when it comes to the evidence component, I'm going to show you more about this once we go through our settings. But I wanted you to see a quick preview of what the beginning stages look like so that you're aware of how this process works. You can even add additional items by selecting the add icon. And then from that point, you can either upload a file from your desktop or add a link to the specific document that you want to share there. Okay? Now, we're going to revisit this once we complete the settings and so on. But I wanted to show you this because the procurement process is where you're vetting this particular vendor. Okay? So keep that in mind. This is where you get that value point of building out the context you need in order for you to approve it. Now, let me check the chat before we go on any further. What's going on, Jay? Welcome back. You said, does the discovery tool work with only the Vanta mobile device manager tool? I believe it works with another component too. I mean, no. Not just your mobile device manager tool. Let me clarify that. It's not just your mobile device manager tool. I'm glad you mentioned that. It's also, number one, the connected apps that you bring in. So any app where it has to use or preview access points to other software websites. So, again, for example, MDM is the biggest one because it's one of the ones that accesses all of that data in a quicker time frame. But then you have... let me go to our integration section here to try to find one that I can actually speak on, because there are various tools here that you can use where that info may come from.
As a matter of fact, an IdP is also a form through which that can take place. The reason why the IdP is a particular option is that, depending on the one you're using, number one, if you have Google or Entra, and I think those are probably the two main ones, that will function as one as well, as you can see where it says vendor discovery. And the reason why is that the single sign-on your employee used for that particular email will alert Vanta that they have used it on that specific website, which we would consider a tool. So that is another method for how those vendors are populated in the ghost vendor section. But, yeah, it's just certain integrations. They have multiple interactions, or multiple things they can do, once you connect them to Vanta. That's a great question. That's a very good question. Alright, team. Let's go to our settings real quick here. As a matter of fact, before we do that, let me show you something else, because I think this is important as well. There are some people who are not brand new to managing vendors, and you probably have some documentation that you're using already and you want to import those current vendors into Vanta. That can be done as well. Let me show you very quickly here. Now, if you select the dropdown here and then Import vendor, you'll then be taken to our import feature, where you're able to download the template to fill out the spreadsheet. And then from that point, you'll see these different columns in the spreadsheet, and you'll just add in the specific information that is necessary for that particular column. Okay? And you'll do that for every single vendor.
Now, one benefit I want to point out here is that before you actually import your vendors, I'm going to take you to the settings section so you can see how you can add additional fields that will be captured in your template. So the beautiful thing about Vanta, for those who are brand new to this, is that anytime you have the ability to import anything into Vanta, if you go to the settings in any feature where that is accessible, you'll have the ability to add custom fields that will appear in your template anytime you download it. So this helps you save time. It makes things ten times easier because we're streamlining that entire process. Okay? But that is a possibility here for you to import your current vendors. Now, keep in mind that when you do import, you can only import 100 at a time, so you don't want to overdo it on one spreadsheet. If you have more than 100, definitely segment those out into different sheets, and you should be good to go. You'll just have to upload them one by one. Now let me go back here, because you can also manually add a vendor, and that is done by selecting Add vendor, and then you'll have this form presented to you. You simply provide the vendor name and the state that you want to place them in, which means you can either automatically make them active, or you can move them to procurement because they are a vendor that your team is considering. And you're going to add a new website. This category, just like on the overview page, is how you categorize where the vendor fits, and this is going to give you a good overview of the types of vendors that you have when you view that overview page. You have the ability to add your inherent risk score. So if you consider this to be a critical, high, medium, or low vendor, you're able to mark that. And when it comes to security owner and business owner, the security owner is the one who manages the entire review process. Okay?
They're the ones that are basically running the entire review. The business owner, look at it as the department or the team that needs access to the tool. So they're the one requesting it, but the security owner is the one reviewing it. Okay? And that is how you add a vendor to Vanta. Now, we're going to go to those settings, but I want to check the chat to see if any more questions have appeared. Okay. We're good to go. Let's take a look at these settings here. Now, when it comes to your settings, there are different components here that you want to pay attention to. Okay? And the first one is that Questionnaires tab. Now, these questionnaires are what you send to assess the specific vendor's security posture. And I'm going to show you that by selecting Add new questionnaire here; you have some options available to you. Now, the first one is Import questions. You want to use this option when you already have a list of questions. So maybe from an internal spreadsheet or a compliance template, what you'll do is select this. And just like our import option (let me put in a name, and you put three there), you're going to give it a name. You can add a description if you want to. Select Continue. And now from this point, you're going to download that Excel sheet, and you will provide the question and then the question type. Okay? Now, when it comes to the question type, there are different components that you have accessible to you for that. Okay? So for that question type, the options are (let me get this to load here; there we go) yes, no, or N/A, or the specific question requires them just to provide a written text answer. So there are only two specific options that come with the questionnaire download or spreadsheet here. Okay?
So anytime you have one within your organization, you want to make sure that the specific questions that you are asking are either yes, no, or N/A, or they are requiring them to provide some information to give to you and your organization. Okay? I highly suggest you download the Excel template so you can see it in real time, but it is extremely helpful to prep that entire process. Once you have the spreadsheet completed, you'll simply add it there, and you will go through a review process to confirm that all the specific questions and answer types are correct before you actually bring it to life. Now, the other option is Start from scratch, and this is the option you want to choose if you want to build a questionnaire manually inside of Vanta. Okay? So we're going to select this option here. You have the ability to create your question, choose the answer type (yes, no, N/A, or text response), and you can create as many questions as you need. Now, once we get to the templates, which I'm going to show you next, I'm going to show you how you have the ability to duplicate one of the templates, and you can go in and edit the question types to fit more of your organization's needs. But this is one method of doing it if you want to use Vanta's internal questionnaire system. Now let's go back to Add new questionnaire, and we want to take a look at these templates here. Okay? Now, these options are prebuilt security questionnaires that are tailored for specific scenarios. So just to give you a few quick examples, we have a basic security questionnaire here. This one is a security questionnaire where the vendor is using AI for their specific services. And then you have a security questionnaire where the vendor is using AI to build their specific services. And then you have a security questionnaire for those vendors who develop AI models. Okay? So this is designed to assist you with the variations of different vendor types when it comes to that procurement process. Okay?
Now, you'll see as we go to the security review section, if I'm not mistaken, how this plays a major part in how vendors are scored in your system here. Now I want to show you very quickly. I'm going to open one up, and I'm going to show you exactly what I was referencing earlier. You can go in and customize these if you would like. You can go in and duplicate it before you customize, and you're able to get things in motion and make things happen there. Remember, when it comes to our templates, this is something that you can adjust at any moment. Okay? You can make any type of adjustments, any type of edits, whatever fits your circumstances. We create these templates to make things easier for you. For those who are new to creating security questionnaires, these are great starting points to allow you to get to a place where you have a good feeling for what you need to provide in your own questionnaire. So feel free to use them to help scale out and build whatever you are desiring to have. Okay? Perfect. Now we're going to go back to the other part of our settings. Well, let me check in the chat to see if we have any questions. Okay. Andrew says, I do not see Settings under the Vendors tab. Can you confirm that you are an admin within your account? The way you can do that is go into your settings here and User permissions, and then locate your name, and you should see Admin by the role. I want to confirm that here. Yes. You are. Okay. If you are, let's do this. I want you to select this question mark icon up here, select Chat with us, and connect with one of our tech reps to see if there is something that is set up incorrectly that they can fix for you in a quick time frame, or at least provide you with some guidance on what is occurring. Yeah. Because that should not be the case. And let's see here. Just to confirm, is the 100-vendor limit for import per worksheet or per workbook? That is a great question.
The way to look at it is that you want to have it separated based off of just the file, because of the way you drop the actual file in; say it's one single file. It's not going to read the tabs. So if you were to create numerous tabs and then you wanted to drop that same one back in, it's going to read the first tab, the one that is the default once you actually save a spreadsheet, which is that first tab. So you want to have separate ones there to ensure that you're able to get all of that info in. But the beauty is that once you have it all in, you won't have to go through that process again. So it may be a bit tedious when you're importing all those vendors for the first time. But after that, you have an easier method to get that info if you need to pull it out of Vanta in an easy format. That's a great question. And you said, what is OneSchema? Is that a third-party tool that our data touches when we import? OneSchema. Let me go back here. I think what you're referencing here... So I'll type something else. Okay. I was about to say, what's going on here? It's not letting me bypass. Oh, I see what you're saying. So OneSchema, that's just the software that we use to help with bringing the data in. In terms of actually touching your data, I'm not fully 100% on how that process works. One thing I do know, though, is that when we do use any type of third-party tool, they have some strict compliance standards to follow in order for us to use them successfully. So if anything, I know for sure that they're held to a very high standard, any type of tool that we use to help with our functions. And, well, no one can actually guarantee that everything's 100% proof, but we vet a lot of the tools that we actually use very hard.
It's a very tedious process, sometimes from six months to a year, because we want to make sure we have the most pristine and secure tools if we're going to partner with anyone. But, yeah, it's definitely one of those third-party integrations. I need to check. I wonder if... I think that's actually a tool that we own too, as well. I've got to confirm that. And Chase says, so Vanta itself is a third-party vendor then, right? To a certain extent, but not really. The only reason why I say that is that when it comes to most of the tools that we use for certain things, most of the time we have some type of... like, in this case, I think this is one that's actually ours. We found a specific tool that works best to make this feature possible. But throughout our entire product, everything else is built in house, internally. It's just that certain processing systems have a different way of making things possible, which is this tool right here. Let me think here. Yeah. Because even our security trainings are done in house. Yeah. That's pretty much it. The only collaboration that I know for a fact that we have is the Vanta AI component, but it's definitely one of those extremely secure collaborations, because Vanta AI is specifically designed to learn your program, and we have a specific, I guess you could say, protection or wall to confirm and ensure that your data does not get accessed by models that can... For example, ChatGPT is accessible to everyone. And there is a specific setting that most people don't realize where your data is basically shared back with ChatGPT, which ChatGPT can then use to educate other people, or teach other people, or answer specific questions. At Vanta, that is not possible. That is a very strong wall. It's only going to learn your program.
It's going to learn and master it, and it's not going to speak to another program within Vanta. Yeah. We do a heavy vetting process for things like that, because we want to make sure everything's completely secure. These are great questions. Alright, team. So let's go to... oh, we're still talking about those tabs here. Let's go ahead to our settings. We're going to go back here. So this is your in-app questionnaires. Now, this is going to play a pivotal role pretty soon. Okay? I'm going to show you. Up next is the inherent risk rubric here, and this defines the logic that Vanta will use to assign those risk scores. So remember, this is based on your vendors, on what they do and how they interact with your systems, and the rubric is broken down into categories called dimensions. Each dimension contains attributes that you're able to customize. Okay? So if we were to select Edit this rubric, we're able to go in here and update this to fit our program. Now, out of the box, you can leave it as is. It's extremely beneficial as is if you're brand new to this entire process. As a matter of fact, if you're brand new to everything about security and compliance, one tip I'll give you is, out of the box, just leave it as is. And as you learn what your organization needs, feel free to adjust over time. But for those who've been running a very robust program, feel free to go in and edit these. Okay? So you have different components here that you can adjust. Now, when you take a look at the attribute here... I mean, not the attribute; this is the dimension here. You're able to see that this section can be edited. If we were to select this pencil icon, we can change the name of this section, and you can also disable it if necessary. If we select the dropdown here, we're able to see all the attributes inside of here. Now, each of these are ones that you can adjust over time if necessary. You can also add some if necessary. Okay?
And if you were to add one, you just need to provide a name for it, enable it, give a description, add the type of scoring you want that specific one to have, and choose where you want to map this to. So remember, this is how you categorize your tools. So based on the specific categories here, we'll determine the type of scrutiny you're going to take this vendor under, which is not a negative scrutiny, let me make that clear as well, depending on the type of data they need to pull here. Okay? So we know, again, cloud monitoring: high. You know what I mean? Things of that nature. But whatever you want your program to be, this is where you're able to customize it. And then, with the same info, you can go into these and make the same adjustments. Okay? So you can choose, when it comes to customer data, which vendors will be considered high. In this case, we have cloud provider, data storage, and customer support. Okay? You're able to also go into your medium categories and your low categories. You can create new high categories if necessary; you have that full ability. And, again, remember, treat these different dimensions like folders. Okay? So depending on how you have your program set up, you want to ensure that you're representing a good type of review process for your vendors, to ensure that you're bringing in quality vendors that meet, understand, or even align with your current business practices. Okay? Now, once you make adjustments on any item here, you're going to see the changes adjust on this side as well. And if you need to after, let's say you messed up, you've got so much going on, you can simply reset it back to default and you're good to go.
Now I want to go into security review rules, because this ties into that, and it ties into your questionnaires, because this is how you're going to see the requirements that each vendor must have or must provide depending on their score. So, for example, when we took a look at that vendor when we first came in, what was the name? I think it was Elastic Cloud. That's what it was called. Elastic Cloud. It was considered a high inherent risk score vendor, which means, since it's a high inherent risk score vendor, it will have to meet these qualifications in order for it to be fully vetted. And that is to provide us with a SOC 2 report; it has to complete the Vanta questionnaire; and then we're going to have them reviewed every twelve months. Now, in reality, twelve months would probably actually be six months because of high and critical. You want to make sure you're consistently checking up on them to confirm their practices are still in alignment. Let's take a look at this one just so you can see it. So, for example, this critical one: for most critical vendors, you want to ensure you fully vet them. Okay? You want to get that SOC 2. You want to get a security questionnaire and penetration test report, data processing agreement, public portal, or website, just so you can have as much info as possible to confirm their practices and confirm how they use your data. Okay? You can even choose the questionnaire you want them to have. Okay? Now I'm going to show you the benefit of all this once we get to the actual process, and you're going to love it. And then, of course, you can update the frequency. The shortest you can do is every six months, and the longest you can have is one where it has no requirement, no end date. Now, when you score your vendor, I mean, when you categorize your vendor and somewhat score them, this is where the options in terms of what they need to provide will be generated.
Now, below here, we have your custom resource types. This is a fairly new feature here, but this is where you're able to add specific resources that you want to include during your security review. Okay? This is what will appear in that listing that we saw previously, and I'll show you again once we get there. Now, this automation section is going to be extremely helpful. And I want to speak on this very quickly, because though these are optional, this is going to save you and your vendor a lot of time when you turn these on. Okay? Because when you turn this one on, it'll automatically ask vendors for evidence. Okay? So every thirty days before that security review, when you have them set up on that annual or six-month cadence, they're going to receive an email where we're requesting information from them to go ahead and get that in process. And then the auto-fill of vendor answers is going to be extremely helpful, because whatever documentation they give to you, that they upload, it'll go ahead and fill out those specific questions within the questionnaire. So they don't have to actually go in and re-answer those specific questions. They'll only have to answer questions that the documentation and the policies did not address. Then we have the custom vendor fields. Let me check the chat very quickly, though. Let me see if we have any questions. Oh, we do have one. No, we have a few. Let me see. John said, that is a question I was asked when I sent out a security review. They asked if Vanta can see their responses or uploaded documents. I told them that Vanta is just a platform we use but does not have access to any of their information. Can you confirm that is correct? Now, what information... and you said they asked if Vanta can see their responses or uploaded documents. So if you're talking about... okay. If you did a vendor review in Vanta, the way the process works, and I'm going to show you that whole portal too, the vendor has a portal they have access to.
And in that portal, before they can even go to the questionnaire, they have to upload documents. And whatever documents you require for that vendor, once they've uploaded every single document or at least accounted for the ones they have to upload, then the questionnaire will open up. Okay? Now if the documents that they've uploaded answered all of those questions in the security questionnaire, then when the security questionnaire opens up, there will be nothing for them to provide. Okay? But it does scan the information to fill out those fields in the security questionnaire. Okay? But when you say access to it, whatever they upload, it does have access to that information, but it's only for that security review. So if that's their concern, it's definitely in a safe place because it's used in a way where we're just trying to vet their info. And this is the reality of the entire scenario too. If you go to even ChatGPT or OpenAI's trust center, Amazon's trust center, all of this info that you need to vet them is publicly online on purpose. Okay? Because, again, that information is something that we legally must know in terms of what they're gonna do with our data, what is the purpose of their business. All these different things are really protecting you as the consumer, right, to confirm that their practices are legal and are in compliance. Okay? So if they're concerned about that, I might be a little worried because, you know, they should be open to share that info because that is something that every organization needs to know in order to understand if your own organization's data is gonna be safe. I have another example too. Before this, I used to work at Calendly, and we heavily used Grammarly at one point in time. However, Grammarly is not the type of organization that will automatically delete your data if you were to use Grammarly on different sites within company devices. So it logs every single keystroke.
And, you know, it just so happens, you know, different, you know, data breaches occurred, and it put a lot of information out on the web. Right? Because they don't go in and, like, you know, wipe it out. They don't have a period where, you know, it just automatically deletes all that data, and they won't put up a wall for your organization. They're gonna require you to find a different tool to make that possible. So we couldn't use it. We had to stop using that specific tool because their practices were putting the company in jeopardy. So it's things like that, but we didn't find that info out until, you know, we got access to that trust center, those specific documents, and then we filed those questions with their security team, and that was the end result. Now their practice might have changed by now. That was, you know, a long time ago. But definitely keep that in mind. You wanna make sure that the info is being read effectively. And Jay said, I think Vanta has read access to some things, and it does auto collection of evidence, for example. Yes. Yep. Spot on. No. You're completely correct. Yep. It's completely correct. Completely correct. And remember, it's like your program because, you know, you're using a software. Right? It's like your program, your specific Vanta instance is walled and gated. Okay? When you allow something publicly to be displayed in terms of, like, for example, the trust center feature, if you have that, it's gated as well because you have to approve the policy before it can even be presented to any customer within your trust center. There are different processes you have to go through in order for that piece of documentation to be publicly accessible. And, let's see here. Duran says, can we create our own custom vendor categories? Yeah. So that is impossible. I had that mixed up with our risk feature because in the risk feature, you can. The vendor, no. We keep it as a specific segment.
However, I did see in another test environment, I think a couple weeks ago, where they are trialing out this feature. So, hopefully, it actually goes all the way through and they make it possible. I think we got a lot of feedback about that, but that's a great question. I'll add your request to that feedback form, that feedback segment. And Jay said, are any of the features you are describing subscription dependent, not available or limited for Essentials or Plus, etcetera? Yeah. If we're talking okay. Trust center wise, I don't know if that's an add-on fee. We're far removed from the sales process. So the plans, we're probably just as, you know, questioning, you know, which plan is which. But I believe Trust Center is still an add-on that you have to get. I don't think it's part of a different segment. I could be wrong. But one moment. Let me check something real quick. Let me verify one more thing here and see if I can actually see it. Because maybe the trust center is included in a specific plan. Oh, it is. Okay. Yeah. It's in the yeah. So if you have the Professional plan, you have access to that trust center and different let's see. Yeah. You have access to trust center. You're able to create custom tests and automations and that sort of thing. But what I referenced before, the only thing that is outside of, you know, I'll say that is not accessible was probably the trust center because everything else I spoke on is something that you can't access. It's something that you can't do. Yeah. The whole security review process, you're able to go through that. Hopefully, if you're not able to see anything in here vendor related, then that would definitely confirm that you're not on the correct plan. And you can easily just select that question mark and reach out to our support team, and they can definitely get things in motion for you. But I do highly suggest you check out our trust center feature.
I think you can actually schedule a demo by reaching out to our support team. I believe they still have that going, but that's something that is extremely helpful. And you said I think questionnaire automation is a premium feature. Questionnaire automation. Oh, that AI component. Is that a premium feature? Let me check here. Nope. It's a Plus feature. It's not an Essentials feature, but you can purchase it as an add-on, but it is accessible on the Plus plan. So if you do have Plus, Essentials is our first plan, then Plus, and then Professional. And, of course, you have Enterprise. But, yeah, if you have the Plus plan, you can access that. Yeah. This is a great question. I'm learning that y'all are asking these questions about the pricing and plans here. Alright, team. So let's go through I think we got one more tab here. Yeah. We do. Oh, no. We got two more. Let me discuss this very quickly. Custom vendor fields. If you wanna capture additional information within each vendor, this will basically show up as a side category within the vendor profile. So whatever info you wanna capture here that is key for your organization, definitely add that specific field here. One other tip is that I highly suggest you don't have, like, over 10 fields here. I think five is probably a good max because it could become heavy and text dense when it comes to each vendor profile. Now if you select add custom field, you're able to give the field a name and then we have field types. So if you want this to be a question and you're gonna provide some type of text, you'll choose that option. If you wanna do multiple choice, you can make that possible as well. If it is a number, you can add that in. And if it's a date that you're referencing, you can definitely add that in as well. Okay? Now this intake form, this is very new. Okay? This intake form feature.
Now the benefit of this form is that it makes it easy for managing those third party vendors or, you know, when you're going through the procurement process, you're able to map fields from this form to a vendor profile. Okay? Now the first thing you're gonna see on this page is you just have a simple button. But when we select this button here, you're able to see a lot of customizations that can take place here. Now you have your form outline on the left hand side, and this is gonna showcase all of your questions that you have listed in any sections that are there. And then on the right is the actual editing and, you know, form content. And this is where you create your question. You can preview how it will look, that sort of thing. And from that point, move forward. Okay? So this is basically a good tool to use that we've recently released where you're able to vet vendors or have them go through an intake form, which can then map those fields to the vendor profile. Let me show you very quickly here. So if you were to here we go. If you were to select that plus icon, we could actually map this to a vendor field. And once we select that, we'll just choose a specific category that we want this to go to which represents the field, and then you're good to go. Okay? So there's a lot of creative things you can do in this specific area. We'll eventually have a more dense training on this to where we can actually go more in detail, but this is a fairly new feature. The other component is that you can also add in your terms and acknowledgments before the vendor signs off on that completed form, which also saves you time and any type of, you know, policy requirements that you have in place when it comes to vetting or importing or intaking a specific vendor. Definitely play around with this feature. It's a great tool to use, but we're gonna have more in-depth training on this pretty soon. Alright. So let's go back here, and we're gonna begin that vendor review process.
Okay? Let me check the chat. See if you have any questions. Jump out. No problem at all. You're good to go. Jay said, should we include contractors like a CSO or a field CTO as part of the vendor security review process? Yeah. That's completely up to you. Now one way I will one method or let me give you a couple methods here that we've seen. Usually, when it comes to vendor vetting, you have a procurement team or whoever has access to, you know, the funds or the, you know, distribution of funds. You'll wanna have them in charge of this area, and you wanna have a key person who has the final say in that specific department because, again, they're more into the concept of what the budget is and where things stand. Also, usually, the procurement department or procurement person, they're more familiar with what each tool must have in order for it to be compliant with your organization. So that's one way to look at it. Now if you don't have a procurement department and you just have a security team, I would say it'll be a partnership process because security doesn't usually have access to finances. And maybe what can happen is the security team handles the security review process. And then if it is approved, it's sent over to the finance team to then begin any negotiations. But this is a great way just to, you know, really get the process going. So, for example, say you have a department that's looking at a specific tool. As they're going through the vetting process, and let's just say they have a strong, you know, attraction to that specific tool, you can then tell them to go ahead and put it in the security review process so that way you can at least confirm that it's worth them continuing the entire process.
And then if, you know, everything's approved, then from that point, you can go ahead and, you know, forward it to finance while they're still trying to check off everything, and then finance at least has enough info to even begin a great negotiation process. Because, of course, you know, we don't wanna pay, you know, the full x or the first number. Right? We wanna make sure we got some type of negotiating power. And the security review will really help leverage that as well. So you'll have some type of way to really talk the price or the numbers that you want to because your review process either pointed out specific things that, you know, might not be concerning, but are worth, you know, bringing up as a negotiation point. And from that point, you know, close the deal based off of what your organization, you know, wants to move forward with. So that's where I see some great benefits in, you know, using that. But, yeah, the second one, I think, is a great option. But if you have a procurement team, it's an awesome option because they're already in control of the money. So they go through the review process. They know what we're budgeting. And then from that point, they're pretty good at negotiating in terms of getting those numbers the way you want them to go. And they're gonna find some good things to negotiate on. Alright, team. Where are we at? Okay. Ten minutes. We're gonna make this work. So let's go back to that vendor we were looking at. Right? We're gonna go to our security reviews, and we're going to locate that specific vendor that we brought over. Let me just deselect this. We're looking for Elastic Cloud. So let's type this in. Let me deselect the state, and let me go to all here. Oh, no. No. No. It's still in vendors. My apologies. Like, yeah, I forgot they changed this around. So procurement stays in vendors, and then once the security review starts, they'll be in security review.
So we need to find that specific vendor in this section here, procurement. Yeah. I forgot. They changed that layout a month ago. I'm still trying to get used to it. Elastic Cloud. Perfect. We're gonna select it. We're gonna go to security reviews. We're gonna select start security review. Now remember, based off of that inherent risk score, since it was high, they have to provide us answers to that questionnaire and then the SOC 2 report. Okay? And what we're gonna do here, just so I can show you something in real time, is I'm going to add Vanta's trust center. Oh, let me add https. Let me go ahead and fill out the first thing first. Because I wanted to auto plug in things, and I don't think this vendor actually has all of that. And we're gonna put trust page. We'll leave that as is. Description, we're gonna leave it open. Select save. And remember, by adding in that trust center, it's gonna automatically generate specific answers to some of our security questions. Now we wanna make sure these AI features are turned on. Okay? And we wanna make sure reminders are turned on because we wanna make sure these vendors are able to be notified when specific things are required on their end. We're gonna go ahead and start that security review. Oh, before I do that, let me show you something. Now remember those additional fields I told you about? Those custom fields will appear here. So that's why you don't wanna overload it because this can be an extremely long section here. Oh, due date is an option. So if you have a specific date depending on how your team does security reviews, you can put a date in place here, and you'll be good to go. I'm just gonna put the thirty-first to have something. Okay. Don't know why that happened. Alright. Start security review. I am in our company's test environment where every one of our team members is in here, and they're purposely setting things up a specific way. So just keep that in mind.
Now because we had specific things in motion, right, in terms of that trust center, you see where Vanta AI there we go. Vanta AI is creating a summary, and it is looking at certain things. So it's running actions in real time. It's examining that trust center. It's trying to find info that is necessary in order for us to complete this specific review here. Okay? Now let me check here. Let me see what we got going on. Okay. Here we go. So Vanta dot ai is still looking, but if the answer was generated here, right, which here we go. Perfect. We have an answer. It provided us the name of the application or service being provided. It gave us the name of the actual software. Okay? Now let me go back because we see there's more. There we go. Now we're seeing that full pull here. Okay? Now remember, keep in mind that we did add in Vanta's trust center because I wanted to show you how it would work because a lot of large organizations such as AWS, such as Google, Microsoft, etcetera, they have public trust centers. And just by adding in their trust center link, Vanta AI can do its job and pull those resources for you. Now you're gonna notice how beneficial and quick this is. Okay? So in terms of the questionnaire, see this option. Now let me go to another question because I wanna show you how this works. Because remember, it needs you to review the answer because it's not just AI, you know, only, but, you know, it's AI first. We wanna make sure that you know it's not AI only. So you wanna check it to confirm that this is correct. And it always provides you with its sources too. So you're able to see exactly which part of the trust center it pulled this info from, and you can visit these links if you would like. Now if you approve it, we're gonna select this mark as reviewed. It will now be considered, let's go back here, as a reviewed question which is approved. Okay?
Now let's just say that one of these you saw it as something that could be an issue so I wanna flag it. You can select flag as finding, and you can then elaborate on what this finding is. And from that point, what you can do is you can either accept it, which means you're gonna decide to live with the risk but take no further action. You can mitigate it, which means you're gonna identify a resolution or plan to mitigate the finding, or you can save this as a notable finding but not do anything. Okay? So remember when I told you about if you have a procurement team or anyone that's gonna negotiate price, this is a good way to kinda notate stuff. And let's just say you notate things that aren't a big issue, but you wanna still address it. You can mark it as not applicable and then select add finding. And we're gonna go back here. And if we were to select the findings tab, we're gonna find that item there. Let me there we go. Hold on. There we go. You're gonna find that item there. Okay? Now remember, these findings are good negotiation points, or they're good reasons for you to tell your organization why we're not gonna move forward with this tool. Okay? Now since everything has loaded up correctly from vanta.ai, Vanta AI gave us a summary. So we have some strengths here that it found, and we also have some weaknesses. Now as we can see, there's a lot of, you know, a lot more weaknesses than there are strengths. So if you were to see this type of info, you're able to click in, see what the, you know, specific things were that were found, and then from that point, you're able to decide on whether you want to move forward. Okay? So if you select this make recommendation, you're able to either approve it, conditionally approve it, which means you're gonna provide specific conditions that have to be completed before you actually move forward, or you're gonna say it's not approved. Okay? You'll select a residual risk score.
Remember, this is the risk that is left after you put mitigation plans in place or certain actions. And then you can choose to add in a, you know, another security review date or leave it as the system will update as well based off of the inherent risk score. Now the summary, this is generated by Vanta AI. This is extremely helpful because it just placed the strengths and weaknesses there so you can have it as a summary. Now I'm gonna go back here because I wanna show you one more thing. You have this activity tab, and the beautiful thing about this activity tab is that it shows you everything that took place in this specific review. So if multiple hands touch this, you're able to at least trace what has been done, what has been completed, what actions were selected, and you're able to, you know, have enough info to move forward and, you know, confirm anything if an error was to occur. The other component is that you can ask Vanta AI specific questions about this vendor if need be. So if you had a key you know, you're curious about certain things, you're looking for a specific, you know, documentation or something like that, Vanta AI can actually go in and give you info about the specific vendor. Okay? So for example, I'm just gonna ask a simple question because we have, you know, short time here. We just type what is this vendor. Okay? Just so I can show you how it works. And it's taking a look at this specific vendor. It gave us the vendor name. It gave us the risk level, the category. It was a summary of this vendor, and then it gave us some, you know, those weaknesses that were mentioned. And then from that point, it's letting us know, hey. Do you want us to give you more? Okay? So you do have that option as well. And one thing I wanna mention is that we're gonna be releasing a Vanta dot ai live training. The what is it?
Matter of fact, yeah, next week, midweek, you'll see an email that's sent out to you where you can sign up, and we actually go through how to use vanta.ai to really audit your entire program and to help you build out everything that you're gonna do when it comes to your actions within Vanta. We even show you how to use vanta.ai to write your policies and to have vanta.ai help you map your controls to policies. You can literally upload a policy to Vanta, and then you can go to the Vanta agent and have it review it to see which controls need to be mapped. There are so many great things that Vanta AI, aka the Vanta agent, can do that we're gonna show you how it is done in that Vanta AI training. So look out for that pretty soon. Alright, team. So that concludes this training session. Now let me check these questions here. I think we have some more that are Jay here, does the foundation model for Vanta AI uh-oh. It moved here. Let's see. Does the foundation model for Vanta AI train on our prompts and customer data? Great question. Great question. So the way it works is this. It is using everything in your program to be your main almost like your in-house GRC, your in-house auditor. It is a master of your program. Now, again, it is gated, so you don't have to worry about it being, you know, exposed to, you know, bad actors or being shared within the AI model to the world, like some models do. It is heavily gated, heavily protected, and also, again, it only focuses on your program. You can literally ask it about every single thing you've added into your Vanta instance, and it's gonna provide you with details, links to access it, and etcetera. So, for example, as I mentioned, you have the ability to have it help you, you know, build your, I mean, not build, but help write out your policies, which is a big ask. Right? That's something that a lot of people ask about. The other component is that you can also, again, get those mapping things in place.
It'll help you with your risk reviews. In this case right here, it'll help you to understand this vendor more to figure out, okay, should I move you can even ask me. Should I move forward with this vendor based off the information that has been found, you know, based off of how, you know, our policies stand? It'll literally go that in-depth. Okay? So the more you actually interact with it, the more information you add to it, the smarter it becomes about your program. To the point, like, seriously, you have your own in-house GRC agent, your own in-house auditor, or at least someone not someone, but a system that can fully prep your data for audit. And I'm talking about putting you in a very powerful place, very powerful place. And you have a second question. Are vanta.ai and the Vanta agent available on the Essentials or Plus plans? That is a great question. It should is it all plans let me not give y'all just some random answer. If it was my world, it should be all plans. Oh, I think it is. Yeah. It is. It's available on all plans, but different aspects of it. So for example, if you're on the Essentials plan, you'd only get up to evidence collection. It doesn't do your SLA tracking and remediation, policy import, control mapping to policies, policy change summaries, and issue management. And if you're on the Plus plan, the only thing it doesn't do is issue management. Okay? But if you're on Professional or Enterprise, you're good to go. You have access to everything. Because issue management and, you know, that's usually depending on your program, if you really need it, definitely upgrade to Professional. But, yeah, that is gonna be extremely helpful. I think the policy generation piece is the biggest component. And then that control mapping, I really think those two are gonna be the heavily used components within that specific feature. That's a great question, though. Alright, team.
If there aren't any additional questions, thank you so much for attending this session. We look forward to seeing you in our future Vanta trainings. And, of course, look out for the Vanta AI training email that will be sent out, I believe, sometime next week. Even though we have CKO, I'm gonna try to get it out. I'm gonna try to get the marketing team to push it out during that time period. But other than that oh, let me share something with y'all before you go. Do me a favor, please. I forgot about this. I don't know why. But feel free. Share your feedback in that feedback form. I'd love to hear about how well I did, but more importantly, what do you wanna see in terms of programs that we don't currently offer. Your feedback helps us build out our entire live training catalog here. Okay? And no problem at all, Jay. No problem at all. Great questions. Great questions. Alright, team. Enjoy your almost-Friday. Enjoy your Wednesday, and I will see you next time.