Do you have endless security policy documents to review? Whistic has got you covered with the next step in Automated Assessments!
Vendor Summary is a new AI-powered feature that will quickly identify and review a vendor’s compliance or non-compliance with various security controls, using all available sources of evidence provided by the vendor.
*If you want access to a feature not currently enabled or would like to increase your allotment, please contact your Whistic Customer Success Manager or reach out to cs@whistic.com.
Overview
- See the overall state of the vendor’s security posture ‘at a glance’.
- Drill in to find details related to the most common security risks without manually searching through hundreds of pages of security policy documentation.
- Use the questionnaire that works best for your organization, or leverage our recommended control framework.
- Use your own custom questionnaire to generate a summary.
- Instead of waiting for a vendor to answer your questionnaire, find answers using the vendor’s existing documentation or other sources of information they have provided.
- Generate a final report with findings based on the Vendor Summary and other Assessment activities that can be shared internally or with the Vendor.
Prerequisites
- Open a Vendor.
- Ensure that Smart Search is Enabled.
Tip: Click Check Processing Status next to the Vendor Smart Search bar to see whether all the available documents and questionnaires are ready to be searched by Whistic AI.
(This process can take a few minutes if there are a lot of sources available.)
- If you don't see a Vendor Search bar, the Vendor has not been enabled for AI yet.
- Click the Enable Smart Search button near the upper right-hand corner of the Vendor Details page, or enable multiple Vendors at once from the Vendor Catalog page.
On the Vendor Details page: (below the vendor information header)
On the Vendor Catalog:
(You need to select one or more vendors for this option to be enabled.)
Generating a Vendor Summary
1. Click the Create Summary button in the Overview/Assessment Activity area to get started.
OR you can open the Vendor Summary section on the left to Generate AI Summary
2. A pop-up will appear asking you to choose from a list of frameworks (CAIQ, CIS-IG 2, HECVAT, BCBS Full, NIST CSF, and SIG Lite) or to create a new custom questionnaire.
*If you don't see either SIG Lite or BCBS Full in this list, ask one of our team members to help enable it for your company or reach out to cs@whistic.com.
Pro Tip: The questions on the Whistic Vendor Summary framework were written so AI can return Yes / No answers, making it easier to determine vendor compliance. Using this framework may require less manual review by you after the answers are returned.
3. Once you have selected your preferred framework, hit Done, then Create Now.
Whistic will process the request. Watch as each control is measured against available sources in real-time to determine compliance. When the Vendor Summary is complete you will receive a bell notification alert.
Things to know:
- Vendor Summary returns answers to a set of questions about the vendor’s security controls all at once.
- It provides answers to Yes/No questions, single or multi-select multiple-choice questions, and open-ended questions, and will show relevant documents if requested in the questionnaire (e.g., SOC 2 reports).
- The security controls are based on industry standards.
- Whistic AI bases its answers on all available Sources that the Vendor has shared with you, which might include previous questionnaire responses, documents, Profile content, etc.
Important Notes:
AI will set the compliance for the following question types:
- Yes/No
- Multiple Choice
- Multiple Answer
So we suggest manually setting compliance for:
- Open-Ended/Text Answers
- File Upload
They will be labeled "Needs Review" so you can easily spot them.
To eliminate any manual steps, we suggest using our Recommended Whistic Vendor Summary OR choosing a questionnaire made up mainly of Yes/No, Multiple Choice, and Multiple Answer questions.
Tip: If your vendor provided a previous questionnaire response in spreadsheet format, we recommend uploading it to the Vendor Document Repository. This ensures that when you run the Vendor Summary report, those results will be used to populate the report.
Tools Available to Help Review a Vendor Summary
The following tools are available to help with the review process:
- Header
- Filters and Edit Control Details
Header:
- Compliance: This is an indicator of overall compliance based on the number of answers that came back compliant in the report. The pill color reflects the compliance level according to the legend on the right and the ranges below:
- less than 50% - red pill
- 50-80% - yellow pill
- above 80% - green pill
Note that the compliance percentage will adjust as the analyst reviews questions and can be used to assess the overall risk a vendor might represent at that moment.
- Unknown: This is the number of questions AI could not answer. This tells you the number of questions that are likely to go back to the vendor.
- Status: At the top right-hand side of the header, there's a status pill that will remain In Review until the analyst has manually updated the assessment status.
Filters and Edit Control Details:
- Filters (located above the Vendor Summary) - Filter by Compliance, Flagged vs Not Flagged, Vendor Answered vs Unknown, Reviewed, etc.
- Edit Control Details - Click on each control area to see the questions and review answers, and click on any question to display the Edit Control Details. Here you can:
- Override the Answer or the Compliance - If the AI answer doesn't seem correct, manually override the answer based on information in the sources.
- Note that if you change the question answer or add a comment, the person who made the change and the date it happened are added to the question history (small subtitle below the boxes).
- Review Status - Mark the question as Flagged for follow-up or Reviewed
- Create Issue - If you need to follow up with the vendor on that question or simply want to monitor something over time, you can create an issue. It will go to the Issues to be tracked.
- Comment - Leave a comment regarding your review
- Sources - View the Sources AI used to answer the question. Whistic will automatically provide an Answer Explanation to give you additional details to back up the answer.
- Send Questions to Vendor (located under the 3 dot action menu) - Send follow-up questions to the vendor to get answers for the “Unknowns” or other details Whistic AI couldn't answer based on the available sources. You will receive a bell notification alert when new responses from vendors arrive.
- Retry Errors & Unknowns (located under the 3 dot action menu) - If you have added a document or have more information for AI to use, running this will attempt to find answers for questions that previously generated an error (very uncommon) or returned an Unknown answer. Using this button will not use up an additional Vendor Summary license.
Finalizing Your Review of A Vendor Summary
At the top of the Vendor Summary table, click Finish Review to finish an assessment based on the Vendor Summary.
- This allows you to add an overall comment for the summary and to change the status of the review (Approved, Denied, Approved with Conditions, etc.).
- A copy of the Vendor Summary is added in the Assessment area of the page.
- You can Generate New AI Vendor Summary (located under the 3 dot action menu) while keeping a record of older reviews.
- If you want to refresh the Summary (without saving previous results), click Generate New AI Summary. (If you want to save previous results, click Review Vendor Summary first.)
- You can view or export a Vendor Summary Report after you change the status of the assessment and provide a comment. This option also allows you to add the summary directly to the vendor's list of documents.
Reporting
Go to "Reporting" > Show "Vendor Summaries".
You can create Vendor Summary reports based on:
- Created date
- Questionnaire name
- Questionnaire version
- Vendor Summary status
- Vendor domain
- Vendor name
Additional Resources
Smart Search for Vendor Details
Enable Smart Search for Vendors