Third-party assessments are a kind of workflow that help you understand how the data and security practices of your vendors, contractors, or other external partners might affect your own privacy program. Each assessment contains one or more workflows, either from your org's own library or from Google's open-source library, and can be sent to one or more external recipients using an access-controlled invitation.
Gaining a clear understanding of an external partner's privacy practices often requires you to gather information from more than one person, so TerraTrue's third-party assessments allow you to bundle several workflows into a single invitation that you can send to multiple people. Everyone who receives that invitation will collaborate on the same response, but each person can focus on the workflow that best suits their area of expertise.
You can view and manage your invitations, responses, and comments at Invitation Workflows > Third Party Assessments. To create, edit, or delete the individual workflows that are bundled into third-party assessments, visit Org Settings > Workflows.
Inviting external partners to a third party assessment
Invitations are created and managed at Invitation Workflows > Third Party Assessments. To build a new invitation, click Create.
- Choose or enter a third party
Select which third party will receive your invitation. You can choose from your organization's database of third-party partners, or to enter a new third party. (Entering a new third party will not modify your organization's database.)
- Add workflows to your invitation
Choose one or more workflows from your org's workflow library to include in your assessment. If your workflow library is empty, you'll be asked to select one or more items from Google's open-source Vendor Security Assessment Questionnaires. To create new workflows or modify your library, see Creating and managing third party assessments.
- Enter your recipients
Add the names and email addresses of the people who will receive your invitation.
- Add a message to your recipients
This message will appear in an email to each recipient, and can be a helpful way to provide guidance.
For security reasons, invitations expire after a period time. By default, the access period for invitations is 30 days. Admins can adjust that period to be anywhere between 1 day and 90 days by visiting Org Settings > Customization > Settings.
Creating and managing third party assessments
In Org Settings > Workflows, select Create. Give the assessment a name, select Third party assessment when asked how the workflow will be used, and click Confirm to enter the builder.
Creating a third-party assessment is nearly identical to creating any other workflow. You can create pages and questions, add display conditions for individual questions, and configure risk scoring. You'll also have the ability to preview your work before publishing.
You can create third-party assessments from scratch, or import Google's open-source Vendor Security Assessment Questionnaires by clicking Import Google VSAQ. Doing so will add four new workflows to your library, all of which can be edited in TerraTrue:
- Web Application Security Questionnaire
- Security & Privacy Program Questionnaire
- Infrastructure Security Questionnaire
- Physical & Datacenter Security Questionnaire
Responding to third party assessments
Third-party users will be emailed a link to their assessment. This link is unique for everyone that receives the invitation. If anyone is erroneously included in the invitation, revoking their invitation will prevent them from accessing the assessment without disrupting access for anyone else included in the invitation.
Clicking the link in their email will take the respondent to a landing page where they will see a list of all of the workflows they need to complete. Progress is saved from page to page, and responses can be edited after completion.
When each workflow in an assessment is completed, both the person who sent the invitation and the person who completed each workflow will receive a confirmation email with a link to view the response.
Commenting on third party assessments
Third party assessments allow you to send messages back and forth within the platform if any questions arise. When the invited third party leaves a comment on the assessment, an email notification will be sent to the user who invited the third party to the assessment.
Using taxonomy questions in third party assessments
Taxonomy questions are useful for collecting answers in the form of structured data, since they ask users to respond by selecting one or more items from one of your org's existing taxonomies. (Taxonomies are databases of information pertaining to how your org uses data. Some common TerraTrue taxonomies are data types, data uses, third parties, processing locations, and retention periods. TerraTrue provides a robust set of default taxonomies, but administrators in each org can also customize these taxonomies with their own items.)
It's important to remember that sending a taxonomy question to a third-party user will allow that user — and anyone else who has access to the secure assessment link — to see all of your org's taxonomy items of the type included in the question. If, for example, you ask a third-party user to select an answer from your org's taxonomy of data uses, the recipient will be able to see every data use that your org has stored in that taxonomy — including TerraTrue's default items and your org's custom items. The recipient would not be able to see any other taxonomy types — such as retention periods or processing locations — unless you were to send them a taxonomy question that uses that particular taxonomy type.