ServiceNow VRM Course Final Exam 2023 Solved
Correctly
What is VRM (Vendor Risk Management)?
VRM Process of ensuring the use of services and suppliers doesn't create unacceptable
levels of risk or negative impact for the business
How does VRM link to the GRC module?
It is the fourth application in the GRC suite. It can also be used as a standalone
application
What are the 6 capabilities of VRM?
1. Vendor Portfolio
2. Vendor Tiering
3. Assessment Management
4. Vendor Portal
5. Issue + Remediation
6. GRC Integration
What is Vendor Portfolio?
This is a database of vendors which includes vendor info such as vendor contacts. It
uses the existing company table in ServiceNow.
What is Vendor Tiering?
Assessments that are completed internally to classify vendors into categories of
potential risk and ensure organisations are appropriately assessing their vendors by
deciding which assessments are used going forward for that vendor, based on its tier.
What is Assessment Management?
Companies can create Questionnaire and Doc Request templates to build assessment
templates to use to assess Vendors. Or companies can use the built-in SIG
questionnaire.
What is Vendor Portal?
This is where communication between the company and vendors are done. Vendors
can view their assessments, issues and tasks on this portal.
What is Issue + Remediation?
When Vendor Assessments aren't deemed correct, Issues + Tasks can be
automatically/manually raised by the Company to address the problem.
What is GRC Integration?
Questions within a questionnaire template can be associated with Control Objectives.
This in turn will then change control compliance based on vendor responses.
VRM Benefits?
- Efficiency through automation of processes
- Reduce risk exposure
- Ability to respond to higher risk vendors with constant assessment
- Increased communication with Vendors
What are the Tiering levels?
None, Minor, Low, Moderate, High, Critical
Are tiers maintained internally (company) or externally (vendor)?
Internally
, How does Tiering work?
- Create and complete Tiering assessment
- Tier assigned to vendor
- Tier based submission rule decides what assessment to send to vendor based on it's
newly assigned tier
What is a Tiering Assessment made up of?
Tiering questionnaire template
Is a tiering questionnaire template made of metrics categories and metrics OR
other templates (assessment/doc request)
Metrics categories and metrics
What is a Vendor Risk Assessment made up of?
1. Assessment Template
2. Vendor
What is an Assessment Template made up of?
Metric Types:
1. Questionnaire Template
2. Doc Request Template
What is Vendor Security Score used for?
Allows companies to validate that vendors are maintaining their security posture. This
then allows to prioritize vendor relationships and management, including conducting
assessments if scores change (using score based submission rules)
What is Vendor security score made up of?
1. Network security
2. Hacker chatter
3. Patching cadence
What does the Vendor Portal allow?
1. Assessment Management - respond to assessments on the portal
2. Issues + Tasks - Companies can create issues to remediate problems with
assessments
3. Vendor contact Management - vendor can communicate with different functional
groups. Tasks can be assigned across vendors team
Can a Vendor Risk Assessment be submitted to a vendor without a primary
contact?
No. Primary contact is required.
(Checkbox on vendor contact form)
What is the unique identifier for VRM?
sn_vdr_risk_asmt
3 key INTERNAL roles?
1. vendor risk manager - manages questionnaire, doc request and assessment
templates + below
2. vendor risk assessor - manages, vendors, contacts, assessments + below
3. vendor risk reviewer - view and edit vendor reponses
What table are vendors stored?
core_company
What role is required to manually created Vendors?
Correctly
What is VRM (Vendor Risk Management)?
VRM Process of ensuring the use of services and suppliers doesn't create unacceptable
levels of risk or negative impact for the business
How does VRM link to the GRC module?
It is the fourth application in the GRC suite. It can also be used as a standalone
application
What are the 6 capabilities of VRM?
1. Vendor Portfolio
2. Vendor Tiering
3. Assessment Management
4. Vendor Portal
5. Issue + Remediation
6. GRC Integration
What is Vendor Portfolio?
This is a database of vendors which includes vendor info such as vendor contacts. It
uses the existing company table in ServiceNow.
What is Vendor Tiering?
Assessments that are completed internally to classify vendors into categories of
potential risk and ensure organisations are appropriately assessing their vendors by
deciding which assessments are used going forward for that vendor, based on its tier.
What is Assessment Management?
Companies can create Questionnaire and Doc Request templates to build assessment
templates to use to assess Vendors. Or companies can use the built-in SIG
questionnaire.
What is Vendor Portal?
This is where communication between the company and vendors are done. Vendors
can view their assessments, issues and tasks on this portal.
What is Issue + Remediation?
When Vendor Assessments aren't deemed correct, Issues + Tasks can be
automatically/manually raised by the Company to address the problem.
What is GRC Integration?
Questions within a questionnaire template can be associated with Control Objectives.
This in turn will then change control compliance based on vendor responses.
VRM Benefits?
- Efficiency through automation of processes
- Reduce risk exposure
- Ability to respond to higher risk vendors with constant assessment
- Increased communication with Vendors
What are the Tiering levels?
None, Minor, Low, Moderate, High, Critical
Are tiers maintained internally (company) or externally (vendor)?
Internally
, How does Tiering work?
- Create and complete Tiering assessment
- Tier assigned to vendor
- Tier based submission rule decides what assessment to send to vendor based on it's
newly assigned tier
What is a Tiering Assessment made up of?
Tiering questionnaire template
Is a tiering questionnaire template made of metrics categories and metrics OR
other templates (assessment/doc request)
Metrics categories and metrics
What is a Vendor Risk Assessment made up of?
1. Assessment Template
2. Vendor
What is an Assessment Template made up of?
Metric Types:
1. Questionnaire Template
2. Doc Request Template
What is Vendor Security Score used for?
Allows companies to validate that vendors are maintaining their security posture. This
then allows to prioritize vendor relationships and management, including conducting
assessments if scores change (using score based submission rules)
What is Vendor security score made up of?
1. Network security
2. Hacker chatter
3. Patching cadence
What does the Vendor Portal allow?
1. Assessment Management - respond to assessments on the portal
2. Issues + Tasks - Companies can create issues to remediate problems with
assessments
3. Vendor contact Management - vendor can communicate with different functional
groups. Tasks can be assigned across vendors team
Can a Vendor Risk Assessment be submitted to a vendor without a primary
contact?
No. Primary contact is required.
(Checkbox on vendor contact form)
What is the unique identifier for VRM?
sn_vdr_risk_asmt
3 key INTERNAL roles?
1. vendor risk manager - manages questionnaire, doc request and assessment
templates + below
2. vendor risk assessor - manages, vendors, contacts, assessments + below
3. vendor risk reviewer - view and edit vendor reponses
What table are vendors stored?
core_company
What role is required to manually created Vendors?
