ICT Vendors
An ICT (Information and Communication Technologies) vendor is a company that provides ICT services.
In HOPEX, a vendor is an external org-unit of Vendor type.
When an entity is an external org-unit of Vendor type, you can:
• perform due diligence on the vendor
• specify the contracts with this vendor
Listing ICT Vendors
To list ICT vendors:

In the navigation bar, select Environment > Organization > Vendors.

The hierarchy of vendors is also available from Processes > By entity > Vendors.
The “Vendors” folder is available if there is at least one vendor in the repository.
Creating an ICT Vendor
To create an ICT vendor:
2. Click New.
The vendor is automatically created.

You may notice from the vendor properties that it is an org-unit of Vendor type.
Specifying Vendor Contracts
Listing contracts
To list contracts:

In the navigation bar, select Environment > Organization > Vendors and Contracts.
Through specific lists, you can list:
• all Contracts
• Contracts by Vendor
To list the contracts of an ICT vendor:
1. In the navigation bar, select Environment > Organization > Vendors and Contracts > Contracts by vendor.
2. In a vendor's properties, select the Contracts page.
Creating a contract
To create a contract:
1. In the navigation bar, select Environment > Organization > Vendors and Contracts > Contracts.
2. Click New.
3. (Optional) Enter:
• the Begin Date
• the End date
• the Code
• Contract type
• a Vendor
4. Click OK.
Viewing the contract status
Once the contract has been created, the Status is automatically assigned:
• Signed
The contract is considered “signed” when today's date is earlier than the contract begin date.
• Live
The contract is considered “ongoing” if today's date is within the date range between the contract begin date and end date.
• Expired
The contract is considered “Expired” when today's date is later than the contract end date.
• Unknown
The status is unknown when dates are not specified.
Specifying the contract characteristics
In the properties of a contract you may specify the following:
• Contract Type
• Vendor concerned by the contract
• Signatory entity
• Contract Elements
You may connect the objects which are part of the contract:
• Application
• Software technology
• Processes
• Operation
• Server
• Site
• Data center
• Installation
Attachments
In the Attachments section you can attach the actual contract.
Assessing ICT Vendors
Assessing an ICT Vendor
To assess an ICT vendor:
1. In the properties of a vendor, select the Due Diligence page.
2. Click New Assessment.
3. (Optional) Edit the Date.
4. Specify whether the vendor is:
• Compliant
A vendor considered “Compliant” meets the cybersecurity requirements. It can be considered reliable and secure and may be a preferred partner for collaboration.
• Potential
A vendor considered “Potential” has passed the cyber due diligence but may require improvements or additional monitoring to fully meet the cybersecurity requirements. It may be seen as a promising partner but might need further effort to enhance cybersecurity.
• Critical
A vendor considered “Critical” has significant cybersecurity risks or vulnerabilities. It can be acceptable for certain types of services or collaborations with appropriate mitigation measures. However, it requires special monitoring and attention due to the associated risks.
• Non-Compliant
A vendor considered “Non-compliant” fails to meet the minimal cybersecurity requirements and poses high risks to data and operations security. It may be necessary to avoid or terminate collaboration with it due to a high risk of non-compliance and potential compromise to the overall security of the organization.
5. Click OK.
The vendor rating appears. All the assessments appear in the form of a list.
The last Vendor cyber rating is displayed at the top of the page.
Assessing multiple ICT vendors
To assess several ICT vendors simultaneously:
1. In the navigation bar, click Assessment > Direct Assessment > Multiple Due Diligence.
2. Click New Assessment.
3. Select a vendor in the tree that appears and click OK.
4. Click each vendor (context) and assess the Vendor Cyber Rating.
5. Click Submit.
Assessing ICT vendors via campaigns
You may assess ICT vendors via campaigns.
A "Due Diligence" assessment template is available.