Get Started with AI Vendor Risk Management for Jira

Updated over 2 weeks ago

This article will help you understand how to use AI Vendor Risk Management for Jira to streamline your vendor security assessment process. You'll learn how to set up the app, process vendor questionnaires, and manage your security reviews efficiently.

What Is AI Vendor Risk Management?

AI Vendor Risk Management for Jira is designed to automate the tedious process of vendor security assessments. If your current process involves manually sending questionnaires, reviewing lengthy documentation, and spending hours validating responses, this app will significantly reduce your workload.

The app uses AI to analyze vendor documentation (like SOC 2 reports) and automatically answer security questions based on the information provided. This can turn a process that typically takes 10+ hours into something much more manageable.

Setting Up Your First Assessment

Getting started with AI Vendor Risk Management is straightforward. The app integrates directly with your existing Jira workflow:

  1. Create a Jira ticket for your vendor security review. This can be a Jira Service Management (JSM) project that is set up to intake vendor onboarding requests.

  2. Add the label "securityreview" to the ticket. This label is currently hardcoded in the system and is required for the app to recognize your ticket. You can use Jira Automation to apply this label automatically.

  3. The app will automatically pull in the vendor. If it doesn't appear immediately, click the sync button at the top of the dashboard to refresh the list.

  4. Once imported, the app provides an initial risk assessment based on the vendor information available.

The initial risk assessment categorizes vendors based on their potential security impact. For example, vendors with access to internal systems might be flagged as "High" risk. You can adjust these risk levels as needed based on your organization's requirements.
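Because the app only picks up tickets that carry the hardcoded "securityreview" label, it is worth verifying that every vendor onboarding request actually has it. The following is an added example, not the app's own code: it lists tickets missing the label and adds it through the Jira Cloud REST API v3. The VEND project, the "Vendor Onboarding" issue type and the search response are constructed assumptions.

```python
"""Check that vendor-review tickets carry the label the app requires.

Constructed example: assumes Jira Cloud REST API v3 and basic auth with an
API token; the search response below is a hand-built sample, not a real export.
"""
import json
import urllib.request
from base64 import b64encode

REQUIRED_LABEL = "securityreview"  # the hardcoded label the app looks for

# Constructed sample of what GET /rest/api/3/search returns for the JQL
# 'project = VEND AND issuetype = "Vendor Onboarding"' (hypothetical project).
SAMPLE_SEARCH = {
    "issues": [
        {"key": "VEND-1", "fields": {"labels": ["securityreview", "saas"]}},
        {"key": "VEND-2", "fields": {"labels": ["saas"]}},
        {"key": "VEND-3", "fields": {"labels": []}},
    ]
}


def issues_missing_label(search_result, label=REQUIRED_LABEL):
    """Return keys of issues the app will not pick up because the label is absent."""
    return [
        issue["key"]
        for issue in search_result.get("issues", [])
        if label not in issue.get("fields", {}).get("labels", [])
    ]


def label_update_payload(label=REQUIRED_LABEL):
    """Body for PUT /rest/api/3/issue/{key}; 'add' keeps any existing labels intact."""
    return {"update": {"labels": [{"add": label}]}}


def basic_auth_header(email, api_token):
    """Jira Cloud basic auth header: base64(email:api_token)."""
    return "Basic " + b64encode(f"{email}:{api_token}".encode()).decode()


def apply_label(base_url, auth_header, key, opener=urllib.request.urlopen):
    """Add the label to one issue; 'opener' is injectable so it can be stubbed offline."""
    req = urllib.request.Request(
        f"{base_url}/rest/api/3/issue/{key}",
        data=json.dumps(label_update_payload()).encode(),
        method="PUT",
        headers={"Authorization": auth_header, "Content-Type": "application/json"},
    )
    with opener(req) as resp:
        return resp.status  # Jira returns 204 No Content on success
```

Run `issues_missing_label` against the live search result and feed each key to `apply_label`; the sync button in the dashboard then picks the tickets up.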

Creating Security Questionnaires

  1. Navigate to the questionnaire section by clicking on Questionnaires on the left menu.

  2. You can either create a questionnaire from scratch or customize our template.

  3. Add your specific security questions based on your compliance requirements.

Conducting a Security Assessment

AI Vendor Risk Management offers multiple ways to gather information from your vendors:

Using AI to Extract Information from Documents

If your vendor has provided documentation such as SOC 2 reports, policies, or completed questionnaires:

  1. Navigate to the assessment and click "Generate Answers."

  2. The AI will analyze the attached documents and attempt to answer your security questions automatically.

  3. Each answer includes a confidence score to help you determine its reliability.

Sending Questionnaires to Vendors

When you need additional information from vendors:

  1. Review the AI-generated answers and identify questions that need vendor input.

  2. Mark these questions by selecting "Request Vendor Input."

  3. Click "Send to Vendor" and enter the vendor's email address.

  4. The vendor will receive an email with a link to a form where they can provide their answers and potentially attach supporting documentation.

  5. Once submitted, their responses will automatically appear in your assessment with an "Answered by Vendor" flag.

Reviewing Vendor Responses

After receiving information (either through AI extraction or vendor responses), you'll need to review and validate the answers:

  1. For each question, you have three options:

    • Accept the answer if it meets your requirements

    • Flag for review if you need to investigate further

    • Request vendor input if you need clarification

  2. As you accept answers, the progress indicator will update to show how many questions have been completed.

  3. Once all questions are accepted, the assessment status will automatically change to "Completed."

  4. You can then mark the vendor as "Approved" based on your evaluation.

All documentation and responses are stored in one centralized location, making it easy to reference during future reviews or audits.