Inventorization of vendors
Activating discovered vendors
When you have run some discovery integrations, Kertos will already have identified lots of vendors for you. Now you need to activate those and provide their missing information.
1. Go to "Vendors" under "Inventory".
2. Select the "Discovered" tab.
3. Select the vendors that you actually use within your organization and click "set to active". Then select the vendors that are not relevant to you and click "archive". This means that they will not be re-discovered when you run discovery integrations on a regular basis (which you should).
4. The vendors that you have activated will now show up in the "Active" tab.
5. Now you can click on the individual vendors and supplement missing information. See the section below for more information.
Adding Vendors manually
If a vendor of yours was not identified in the discovery, you have the option to add it manually. Every manually added vendor will be automatically assigned active status.
1. Click “Add Vendor”.
2. Now you already need to provide the missing information as described below in "Documenting basic information".
3. Click “Save”.
Documenting basic information
Among the basic options for documentation in the detail view, there are:
- Vendor name The legal name of the vendor.
- HQ Location
- Region/ Country Region/ Country of the headquarter.
- Description What the vendor sells.
- Internal Contact Who is responsible for this vendor.
- Responsible Department Department of the responsible person.
- External Contact incl. E-Mail and phone number
- Risk level Risk level based on your personal evaluation.
- Certificates Certificates that you know the vendor possesses.
Adding Vendor Certificates
For some widely-used vendors, Kertos will automatically set their certificates for you. If there none available for pre-setting, you can add certificates manually.
1. Click into the Vendor Certificates bar.
2. Choose the desired certification from the list.
If it does not appear in the list, you can add a custom vendor certificate by entering its name and click “Add vendor certificate”.
If you want to remove a custom certificate, click “edit vendor certificates”. You can remove the certificate by clicking on the red minus that appears.
Assigning Systems
This step is very important as it connects systems to their respective vendors.
1. Scroll down to the section "Which systems are provided by this vendor?".
2. Select the systems that are provided by this vendor.
Alternatively, you can assign systems to a vendor from a system page. See this article for how to do that.
Uploading documents
You can add any document that belongs to a specific vendor on its detail view.
We have added the three most common ones for accessibility:
- Data Processing Agreement
- Privacy Policy
- Link Impact Assessment
At the bottom of the vendor detail view, you can also add additional documents.
FAQs
What do I need to fill in to all the fields for the vendors? Are all fields mandatory?
To able to create a vendor in Kertos, you only need the name of the vendor. From a Compliance standpoint, however, you should add at least the following info:
- HQ Location incl. country
- Description of what the vendor does
- What Data Sources belong to the vendor
- their Terms and conditions via the document upload
- any contracts via the document upload, especially Service-Level-Agreements with cloud providers
When do I know that my vendor management is compliant?
Your Vendor Management is done correctly when all relevant vendors are documented in the way described above.
How do I document my ongoing vendor management?
As soon as you are aware of a new vendor that you are working together with, make sure to add it to your list as described above. To stay on top of Shadow IT and new vendors that come with it, make sure to setup our Discovery Integrations so that you can detect new data sources and vendors.