Center for Internet Security (CIS) Critical Security Controls Compliance

Prevalent enables organizations to build a centralized service provider inventory by importing vendors via a spreadsheet template or through an API connection to an existing procurement solution. Teams throughout the enterprise can populate key supplier details with a centralized and customizable intake form and associated workflow. This is available to everyone via email invitation, without requiring any training or solution expertise.

As all service providers are being centralized, teams can create comprehensive vendor profiles that contain insight into a vendor’s demographic information, 4th-party technologies, ESG scores, recent business and reputational insights, data breach history, and recent financial performance.

Prevalent partners with you to build a comprehensive third-party risk management (TPRM) program based on proven best practices and extensive real-world experience.

Our experts collaborate with your team on defining and implementing TPRM processes and solutions; selecting risk assessment questionnaires and frameworks; and optimizing your program to address the entire third-party risk lifecycle – from sourcing and due diligence, to termination and offboarding.

As part of this process, Prevalent can help you define:

• Clear roles and responsibilities (e.g., RACI)
• Third-party inventories
• Vendor classification and categorization
• Risk scoring and thresholds based on your organization’s risk tolerance
• Assessment and monitoring methodologies based on third-party criticality
• Fourth-party mapping
• Sources of continuous monitoring data (cyber, business, reputational, financial)
• Key performance indicators (KPIs) and key risk indicators (KRIs)
• Governing policies, standards, systems and processes to protect data
• Compliance and contractual reporting requirements against service levels
• Incident response requirements
• Risk and internal stakeholder reporting
• Risk mitigation and remediation strategies

Prevalent offers a pre-contract due diligence assessment with clear scoring based on eight criteria to capture, track and quantify inherent risks for all third parties. Criteria includes:

• Type of content required to validate controls
• Criticality to business performance and operations
• Location(s) and related legal or regulatory considerations
• Level of reliance on fourth parties (to avoid concentration risk)
• Exposure to operational or client-facing processes
• Interaction with protected data
• Financial status and health
• Reputation

From this inherent risk assessment, your team can automatically classify and tier suppliers; set appropriate levels of further diligence; and determine the scope of ongoing assessments.
Rule-based tiering logic enables vendor categorization using a range of data interaction, financial, regulatory and reputational considerations.

Prevalent centralizes the distribution, discussion, retention and review of vendor contracts and offers workflow capabilities to automate the contract lifecycle from onboarding to offboarding. This ensures that key security requirements are built into the vendor contract, agreed upon, and enforced throughout the relationship with key performance indicators (KPIs).

Key capabilities include:

• Centralized tracking of all contracts and contract attributes such as type, key dates, value, reminders and status – with customized, role-based views
• Workflow capabilities (based on user or contract type) to automate the contract management lifecycle
• Automated reminders and overdue notices to streamline contract reviews
• Centralized contract discussion and comment tracking
• Contract and document storage with role-based permissions and audit trails of all access
• Version control tracking that supports offline contract and document edits
• Role-based permissions that enable allocation of duties, access to contracts, and read/write/modify access

Prevalent automates risk assessments to extend the visibility, efficiency and scale of your third-party risk management program across every stage of the third-party lifecycle.

With a library of 750+ standardized assessments – including for PCI – customization capabilities, and built-in workflow and remediation, the solution automates everything from survey collection and analysis to risk rating and reporting.

With Prevalent, you can easily gather and correlate intelligence on a wide range of vendor controls to determine threats to information management, based on the criticality of the third party as determined by the inherent risk assessment.

Results of assessments and continuous monitoring are collated in a single risk register with heat map reporting that measures and categorizes risks based on likelihood and impact. With this insight, teams can easily see the consequences of a risk and have ready-made remediation recommendations for third parties to mitigate the risks.

For third parties that submit a SOC 2 report instead of a completed vendor risk assessment, Prevalent reviews the list of control gaps identified within the SOC 2 report, creates risk items against the third party within the Platform, and tracks and reports against deficiencies.

Prevalent continuously tracks and analyzes external threats to third parties. The solution monitors the Internet and dark web for cyber threats and vulnerabilities, as well as public and private sources of reputational, sanctions and financial information.

Monitoring sources include:

• 1,500+ criminal forums; thousands of onion pages; 80+ dark web special access forums; 65+ threat feeds; and 50+ paste sites for leaked credentials — as well as several security communities, code repositories, and vulnerability databases covering 550,000 companies
• A database containing 10+ years of data breach history for thousands of companies around the world

Because not all threats are direct cyberattacks, Prevalent also incorporates data from the following sources to add context into cyber findings:

• 550,000 public and private sources of reputational information, including M&A activity, business news, negative news, regulatory and legal information, operational updates, and more
• A global network of 2 million businesses with 5 years of organizational changes and financial performance, including turnover, profit and loss, shareholder funds, etc.
• 30,000 global news sources
• A database containing over 1.8 million politically exposed person profiles
• Global sanctions lists and over 1,000 global enforcement lists and court filings

All monitoring data is correlated with assessment results and centralized in a unified risk register for each vendor, streamlining risk review, reporting and response initiatives.

The Prevalent Platform automates contract assessments and offboarding procedures to reduce your organization’s risk of post-contract exposure.

• Schedule tasks to review contracts to ensure all obligations have been met. Issue customizable contract assessments to evaluate status.
• Leverage customizable surveys and workflows report on system access, data destruction, access management, compliance with all relevant laws, final payments, and more.
• Centrally store and manage documents and certifications, such as NDAs, SLAs, SOWs and contracts. Leverage built-in automated document analysis based on AWS natural language processing and machine learning analytics to confirm key criteria are addressed.
• Take actionable steps to reduce vendor risk with built-in remediation recommendations and guidance.
• Visualize and address compliance requirements by automatically mapping assessment results to any regulation or framework.

Prevalent enables your team to rapidly identify, respond to, report on, and mitigate the impact of third-party vendor incidents by centrally managing vendors, conducting event assessments, scoring identified risks, correlating against continuous cyber monitoring, and accessing remediation guidance. Key capabilities include:

• Continuously updated and customizable event and incident management questionnaires
• Real-time questionnaire completion progress tracking
• Defined risk owners with automated chasing reminders to keep surveys on schedule
• Proactively vendor reporting
• Consolidated views of risk ratings, counts, scores, and flagged responses for each vendor
• Workflow rules to trigger automated playbooks to act on risks according to their potential impact to the business
• Guidance from built-in remediation recommendations to reduce risk
• Built-in report templates
• Data and relationship mapping to identify relationships between your organization and third parties to visualize information paths and determine at-risk data

By centralizing third-party incident response in a single system guided by a single enterprise incident management process, IT, security, legal, privacy, and compliance teams can work in unison to mitigate risks.