MgnCoding2020/Vendor-Risk-Assessment-Lab
Vendor Risk Assessment Lab

This repository demonstrates the execution of a vendor risk assessment as part of a broader Governance, Risk, and Compliance (GRC) program.

This project builds on templates developed in the GRC Program Design (Coffee Shop) repository, where draft vendor risk management artifacts were created.


Assessment Scenario

A small coffee shop company is evaluating a third-party cloud payroll and HR vendor to support employee management and payroll processing.

The vendor will process sensitive employee information including:

  • Employee personally identifiable information (PII)
  • Payroll and tax information
  • Direct deposit details

Because the service involves sensitive financial and employee data, the vendor must undergo a formal vendor risk assessment.


Assessment Workflow

The vendor assessment follows a structured workflow:

  1. Vendor Intake Review
  2. Inherent Risk Evaluation
  3. Vendor Due Diligence Review
  4. Findings Documentation
  5. Risk Mitigation or Exception Tracking
  6. Final Risk Determination

Each stage of the assessment is documented in this repository.
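The six-step workflow above, carried through in code as an added example that is not part of this repository's artifacts: a vendor profile yields an inherent risk score and tier, due diligence control results yield findings and a residual score, approved exceptions are tracked against open findings, and a final determination is made. The data categories, control names, weights, thresholds and the proportional mitigation model are constructed assumptions for illustration, not values taken from the lab's worksheets.

```python
"""Vendor risk assessment walk-through (added example, assumed scoring model)."""
from dataclasses import dataclass

# Step 2, inherent risk: weight per category of data the vendor will handle.
# Assumed values; a real worksheet would define its own categories and weights.
DATA_WEIGHTS = {
    "employee_pii": 3,
    "payroll_tax": 3,
    "bank_account": 4,
    "public_marketing": 1,
}

# Step 3, due diligence: controls checked and how much inherent risk each one
# is assumed to mitigate when the vendor demonstrates it (weights sum to 10).
CONTROL_WEIGHTS = {
    "soc2_type2_report": 3,
    "encryption_at_rest_and_in_transit": 3,
    "mfa_for_admin_access": 2,
    "incident_response_plan": 1,
    "data_retention_policy": 1,
}


def tier_for(score):
    """Map a numeric score to a risk tier (assumed thresholds, used for both
    inherent and residual scores)."""
    if score >= 8:
        return "High"
    if score >= 4:
        return "Medium"
    return "Low"


@dataclass(frozen=True)
class VendorProfile:          # step 1, intake
    name: str
    data_types: frozenset


@dataclass
class Assessment:             # step 6, final determination
    vendor: str
    inherent_score: int
    inherent_tier: str
    findings: list            # step 4
    remediation: dict         # step 5, finding -> tracking status
    residual_score: float
    residual_tier: str
    determination: str


def inherent_risk_score(profile):
    """Sum the weights of every data category the vendor will process."""
    unknown = profile.data_types - DATA_WEIGHTS.keys()
    if unknown:
        raise ValueError(f"unclassified data types in intake: {sorted(unknown)}")
    return sum(DATA_WEIGHTS[d] for d in profile.data_types)


def findings_from(control_results):
    """A finding is any checklist control the vendor did not demonstrate."""
    return sorted(c for c in CONTROL_WEIGHTS if not control_results.get(c, False))


def residual_risk_score(inherent, control_results):
    """Assumed model: demonstrated controls reduce inherent risk in proportion
    to their share of the total control weight."""
    total = sum(CONTROL_WEIGHTS.values())
    covered = sum(w for c, w in CONTROL_WEIGHTS.items() if control_results.get(c, False))
    return round(inherent * (1 - covered / total), 2)


def assess(profile, control_results, approved_exceptions):
    """Run intake -> inherent risk -> due diligence -> findings -> remediation
    tracking -> final determination and return the assessment record."""
    inherent = inherent_risk_score(profile)
    findings = findings_from(control_results)
    remediation = {f: ("Exception approved" if f in approved_exceptions else "Open")
                   for f in findings}
    residual = residual_risk_score(inherent, control_results)
    residual_tier = tier_for(residual)
    open_findings = [f for f, status in remediation.items() if status == "Open"]
    if residual_tier == "High":
        determination = "Reject"
    elif open_findings:
        determination = "Approve with conditions"
    else:
        determination = "Approve"
    return Assessment(profile.name, inherent, tier_for(inherent), findings,
                      remediation, residual, residual_tier, determination)


# Constructed sample input matching the scenario: a cloud payroll/HR vendor.
PAYROLL_VENDOR = VendorProfile(
    "Example Payroll Cloud (constructed)",
    frozenset({"employee_pii", "payroll_tax", "bank_account"}),
)
# Constructed due diligence results: two checklist items not evidenced.
PAYROLL_CONTROLS = {
    "soc2_type2_report": True,
    "encryption_at_rest_and_in_transit": True,
    "mfa_for_admin_access": True,
    "incident_response_plan": False,
    "data_retention_policy": False,
}

if __name__ == "__main__":
    report = assess(PAYROLL_VENDOR, PAYROLL_CONTROLS, {"data_retention_policy"})
    for field_name, value in vars(report).items():
        print(f"{field_name}: {value}")
```

Running the module prints the assessment record for the constructed payroll vendor: inherent tier High, two findings, one carried as an approved exception and one still open, and a determination of "Approve with conditions". With no controls evidenced the residual score equals the inherent score and the vendor is rejected, which is the behaviour a reviewer should expect from a risk-based evaluation.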


Repository Structure

scenario/
    vendor-profile.md

intake/
    vendor-intake.md

risk-scoring/
    inherent-risk-score.md

due-diligence/
    security-review.md

findings/
    vendor-risk-findings.md

remediation/
    remediation-tracker.md

final-assessment/
    vendor-risk-assessment-report.md

docs/
    glossary.md

Governance Context

The artifacts used in this lab are based on vendor risk management templates created in the GRC Program Design repository, which simulates the governance framework for a small coffee shop business.

Those templates include:

  • Vendor Intake Questionnaire
  • Inherent Risk Scoring Worksheet
  • Vendor Due Diligence Checklist
  • Vendor Risk Assessment Template

This lab demonstrates how those governance artifacts can be used in practice during a vendor assessment.


Key Concepts Demonstrated

This repository highlights several core GRC concepts:

  • Risk-based vendor evaluation
  • Third-party risk management
  • Security due diligence
  • Structured risk documentation
  • Residual risk determination
  • Governance alignment

The assessment approach is influenced by common risk management practices and security control frameworks such as NIST-style risk evaluation principles.


Purpose of This Lab

This project is designed to demonstrate:

  • Practical GRC documentation skills
  • Vendor risk assessment workflow
  • Risk evaluation and decision documentation
  • Structured Git repository management

The repository is intended as a portfolio artifact demonstrating how governance processes translate into operational risk assessments.
