on 04-03-2019 12:05 PM
The Vendor Risk Management application on ServiceNow is great, offering the capability of automating the process of retrieving third party vendor information and documents in order to help risk analysts determine the risk probability, threat, and overall security posture of the vendor before forming or continuing a business relationship with said vendor.
However, if your company is using a ServiceNow release of London or earlier, there are several issues with the OOB functionality that can create audit findings and raise the ethical dilemma of a vendor risk manager or assessor skewing or altering vendor responses and information. The inherent risk is that an internal employee can change a vendor's responses to a document request OR questionnaire without the vendor's knowledge or approval.
Risk ratings and vendor responses can therefore be altered, and approving a contract with a high-risk or unsafe vendor on the basis of biased results can cause serious security consequences for your organization.
Best Practices and steps will be described below.
Vendor Assessment Record
Once the vendor submits all applicable assessments, the vendor manager/assessor can view responses by a link such as below:
For audit purposes, the OOB ACL that allows WRITE access (changing vendor responses) for individuals with the vendor assessor role should be INACTIVE. Setting this OOB ACL to Inactive prevents any interference with the vendor's responses and creates a stable process that is paramount to the security of your organization and protects the integrity of the vendor information.
As a developer or admin, navigate to the ACL table and select this ACL below to make WRITE access inactive.
Make this ACL inactive and your vendor manager/assessor will NOT be able to change vendor responses to submitted assessments, questionnaires, or document requests.
The vendor responses will now be READ ONLY and internal comments will remain the same. This protects vendor responses without employee interference.
The Madrid release adds the functionality to "resend" questionnaires back to the vendors for more information, or to change certain questions while notifying the vendor. However, if your organization is on the London or a previous release, unfortunately this functionality does not exist.
Rather than put your organization at a higher risk, inactivating this ACL will strengthen the integrity of your vendor risk assessment responses and overall process without an internal actor modifying the third party's responses.
Thank you for this Thomas.
Am I right to say that VRM is a good way to get started with GRC, a sort of easy first step before getting into the more sophisticated use cases of Policy & Compliance?
Cheers,
EF