Prevalent Delivers Next-Generation Enhancements to its Leading Third-Party Risk Management Platform

Version 3.16 includes enhancements to assessment scheduling; integration with ServiceNow; workflow and automation improvements; new risk insights from Vendor Threat Monitor; and new licensing options.
Alastair Parr
Senior Vice President, Global Products & Services
February 18, 2020

Following a busy start to the year, I'm excited to announce version 3.16 of our Third-Party Risk Management Platform. In this post, I'll introduce significant v3.16 updates to workflow and automation, as well as new integration with ServiceNow and other solutions. I'll also cover new features in v3.15 (which was available in January), including new assessment types and an enhanced API. Finally, I'll review new risk insights added to our cyber and business monitoring solution, Vendor Threat Monitor (VTM), and introduce new licensing options to help you scale your program more efficiently. Keep reading to learn more!

Task Templates Advance Workflow for Vendor Lifecycle Management Automation

Managing the vendor lifecycle can involve many complex steps – from creating entities and changing statuses, to alerting relevant parties about certain actions – making it difficult to scale your third-party risk management program. Prevalent addresses this challenge by introducing task templates in v3.16. Task templates leverage triggers (e.g., entity creation or assessment completion) to generate new workflow tasks. You can use task triggers for workflow actions such as:

  • Notifying the entity owner to review a newly created entity
  • Automatically changing the entity status upon task completion
  • Alerting survey reviewers upon assessment completion

By automating workflow actions, you eliminate manual steps, reduce errors, and are able to focus on priority issues that require your direct intervention. For a representation of a task template, please see the screenshot below.

Task templates generate trigger-based workflow tasks.

ServiceNow Connector Enables Central Management of Third-Party, IT Service, and Risk Data

Organizations standardized on ServiceNow for IT service management (ITSM) often seek integration with other enterprise solutions to optimize workflows and productivity. It’s no different with risk management. Building on API enhancements announced in versions 3.14 and 3.15 (see below), v3.16 introduces a connector that enables ServiceNow to consume and manage Prevalent platform data, enabling you to:

  • Centrally manage third-party risk management, IT service management, and other enterprise risk management activities
  • Analyze third-party risk data with other risk data
  • Reduce the number of credentials and platforms you need to manage

This integration is essential for organizations that run their businesses on ServiceNow.

Scheduling Enhancements Add Flexibility to Assessments

Assessment scheduling often brings different workflow requirements, depending on whether you're assessing a new vendor for the first time or are introducing a new assessment to an existing third party. When multiple assessment types are needed, you must have the flexibility in scheduling assessments to fit your specific workflow needs. The Prevalent Platform version 3.15 introduced two new schedule types to streamline the process:

  • Proactive assessment scheduling where the vendor can complete an assessment when they choose, with no specific deadline or timeframe.
  • Flexible assessment scheduling where an entity must fill out the assessment within a designated time frame at the time the entity is added to a schedule.

For a representation of the new schedules, please see the screenshot below.

New schedule types add flexibility to assessments.

API Enhancements Centralize Risk Management Information

Sound, risk-based decision making usually requires you to analyze data from multiple sources across the organization. Unfortunately, it's common for organizations to fall into a siloed approach to enterprise risk management, with collections of disparate tools making it difficult to reveal, interpret and act on risk.

API enhancements added in version 3.15 make it easier to collect and interpret data from multiple risk vectors. With the API's new read/write capability, you can now centrally manage and analyze Prevalent third-party risk data in concert with information from your IT service management and enterprise risk management solutions.

Enhanced Monitoring in Vendor Threat Monitor 2.0 Exposes More Cyber and Business Risks

A complete third-party risk management program requires a combination of inside-out internal controls assessments and outside-in monitoring for cyber and business risks. However, without the proper level of integration with assessment solutions, scoring tools provide little visibility into whether a vendor’s activities could be a risk before, after, or between assessments. Organizations must be able to leverage continuous monitoring that provides visibility into the business activities and cybersecurity landscape of their vendors to better inform ongoing assessments.

Building on its first-to-market native integration between assessments and monitoring, originally announced in version 3.14, Prevalent platform version 3.16 extends coverage to include dark web monitoring, as well as additional IP threat intelligence. New threat indicators include:

  • Deep/dark leaked credential scanning and alerting
  • Asset activity (e.g., hosting a TOR network; asset hosting command and control; communicating with a command and control server; IP detected in malware sample analysis; etc.)
  • Dark Web activity (e.g., criminal chatter forums; criminal attention on Dark Web markets, etc.)
  • DNS Typosquat notifications and DNS suspect activity events
  • Infections recently reported (e.g., external threat lists, external honeypots, etc.)
  • Data breach disclosures
  • Cyber-attacks recently validated by our global threat research team

Available via a straightforward upgrade path for existing VTM customers, this solution delivers deeper insights into potential third-party risks, enabling your security and risk management teams to be more proactive. For a representation of how these new risk types and incidents influence risk scoring, please see the screenshot below.

New indicators provide additional context into risks.

New Licensing Options – From a Starter Kit to Enterprise TPRM

Overtaxed vendor management teams struggle every day with everything from defining who their vendors are to understanding how much risk they present to the business. Building on our expertise in helping organizations establish and grow their third-party risk management programs, Prevalent now offers new options for vendor teams to manage, assess and monitor their third parties wherever they are in their program maturity.

  • Prevalent Platform Essentials. Ditch the spreadsheets and manage your global vendor population with the Prevalent Platform. Think of Platform Essentials as your “starter kit” to centralize entity management, and perform profiling, tiering and inherent risk assessments.
  • Prevalent Assessment Standard – PCF Option. Address the requirements of multiple regulatory mandates and security frameworks by performing assessments using the standard Prevalent Compliance Framework (PCF) content. The PCF is a comprehensive assessment containing 175+ questions mapped to common frameworks and regulations such as GDPR, CCPA, NYDFS, NYMITY, SOX, HIPAA, ISO27001, NIST and SSAE18 (SOC and SOC II). Completing a PCF assessment enables an organization to review, report and remediate across multiple regulations, greatly streamlining the compliance process.
  • Prevalent Assessment Standard – Custom Option. Ideal for customers that want to use their own questionnaire and import it into the Platform, have specific custom questionnaire requirements, or need help building a customized questionnaire.
  • Prevalent Assessment Professional. Leverage all assessment capabilities in the Prevalent platform, including complete access to standard library content and the ability to create custom content. Ideal for customers that support a mature enterprise-wide risk management program and require flexibility in using both standard and custom content.

With these new options, risk management teams can mature and scale their TPRM programs with automation and greater visibility.

I hope you're as excited as I am about these enhancements! For more information on this release, please see the What’s New document or read the Release Notes on the Prevalent Customer Portal.

Alastair Parr is responsible for ensuring that the demands of the market space are considered and applied innovatively within the Prevalent portfolio. He joined Prevalent from 3GRC, where he served as one of the founders, and was responsible for and instrumental in defining products and services. He comes from a governance, risk and compliance background, developing and driving solutions for the ever-complex risk management space. He brings over 15 years’ experience in product management, consultancy and operations deliverables.

Earlier in his career, he served as the Operations Director for a global managed service provider, InteliSecure, where he was responsible for overseeing effective data protection and risk management programs for clients. Alastair holds a university degree in Politics and International Relations, as well as several information security certifications.
