Once your vendor has provided their answers and submitted the Security Review, you'll be able to review their responses, add feedback for the vendor, and flag responses as a potential risk for your internal team to review.
To start the review process, select a Security Review from the Due Diligence homepage or from the vendor's individual page.
1. Once in the Security Review, you can use the filter on the top to narrow down responses by Status, Comments, Assignees, or Sections.
2. Review the vendor's submission on individual questions. You'll have the following options for each question:
- Approve - this means you/your team approve of the response and no further action/attention is needed. This will not be shared with the vendor.
- Submit feedback - this is feedback for your vendor and could include a request for further detail or other feedback information for them. This will be shared with the vendor.
- Flag - this will flag the answer internally for your team as a response that should be further reviewed or noted as potential risk. This will not be shared with the vendor.
- Note: clicking the three dots gives you the following options:
  - Assign - assign this specific question to a team member you want to collaborate with
  - Copy Link - this link will take the recipient to this specific question
  - View question activity - this will show you a log of all actions that have been taken with this question
3. Once you have finished reviewing all of the questions, select the "Submit feedback" button on the top to send your saved feedback to the vendor.
- This will only share responses where you added feedback and will not share approved or flagged responses. This will also update the status of the Security Review to "In Remediation."
4. After the vendor responds to your feedback, the Security Review will be ready for your final review. Complete a review of their responses and then select the "Complete security review" button on the top.
- This will prompt you to log a Decision, Residual Risk Rating (optional), and Reason for Decision (optional). This information is for internal purposes only and will be saved to the vendor's individual page. The vendor will only be informed that the review is complete. It is up to you or your team to inform them of your decision.