What is our primary use case?
I use the solution when internal customers want to engage with a third party through some type of cloud-based system. Right away I start reviewing from that perspective and I get the vendor's information that they are looking to engage with, I input the information into this solution. This solution has a process where I can send questionnaires out to the new prospective vendor. That prospective vendor will provision themselves into the solution by inputting all their information. This prevents me from inputting any information incorrectly.
At this stage, I review all the information. The vendor will also upload all of their security documentation. This includes anything they can show that they are performing security best practices on behalf of their customers like us. This solution gives me the ability to double-check that information. I can do a risk review and risk rate it. There is a backend that will do a crowdsourcing type feature. For example, if there are other customers that have reviewed this particular vendor before, I can actually piggyback on that collected information and make my own judgment on whether or not it is a good fit for our environment.
How has it helped my organization?
By using this solution it has allowed me to free up some of my time and use my resources in other areas. Prior to using this solution, everything was done through a spreadsheet. Now with this solution, a lot of it is relational databases rather than a spreadsheet flat table. This solution also allows automation. You can start automating a lot of your processes as opposed to the manual process of using spreadsheets.
What is most valuable?
One of the valuable features of this solution is it has the ability to review fourth and fifth parties to the nth degree.
What this means is, a vendor that is going to engage with us is called a third party. However, sometimes these vendors have their own vendors. The first example, this solution is a third party to us, but this solution uses Azure as their backend database, this is the fourth party to us. I am fine with this because I know Azure is doing its best due diligence with security best practices.
The comparative example, this solution wanted to start using an unknown company, such as Mike and Bob's server farm in Bob's garage as a vendor. I do not know who Mike and Bob are, if they had followed security best practices, do they close that garage door at the end of the night, or do they leave it wide open. All of our data could be sitting on those servers in that garage exposed. I would want to review that fourth party.
As vendors, as our internal customers are bringing these vendors on board with us, they go through this committee. I look at the third party level and question if they have any significant fourth parties. I do not really care about all the small little vendors, such as the person that mows their lawn outside of their office building. However, I do care about a significant fourth party, for example, someone that may be hosting our data on behalf of this third party. This solution allows me to go deep into that information, where other third party risk management platforms that we have reviewed are not able to do. They typically only do the third party level and not the fourth.
What needs improvement?
They could improve by offering free help. A solution, a lot of times, is not just the use of the solution. For example, it is the overall engagement, how well do they support the system, what is their SLA, and how long their response time is to an issue. It would be beneficial if they had some type of professional services where they offer the first five hours of professional services a year for free. That would be a substantial benefit rather than having to buy professional services or professional services packages.
For how long have I used the solution?
I have been using the solution for two months.
What do I think about the stability of the solution?
I have not had any issue with the stability of the solution.
What do I think about the scalability of the solution?
The solution is in the cloud which allows it to scale very well.
How was the initial setup?
The initial installation is straightforward. However, it can be as complex as you want to make it depending on how many internal systems you want to add. The time for installation typically takes three weeks.
Which other solutions did I evaluate?
We have evaluated other similar solutions and we choose this solution because it allows reviews of more than just the third party vendors.
What other advice do I have?
I rate OneTrust GRC a ten out of ten.
Which deployment model are you using for this solution?
Which version of this solution are you currently using?