Whistic was built for ease of use with the goal of getting customers fully functional within 30 days. The pre-setup process is done in the program’s automation section before the product is deployed. It outlines which business units are available for reporting and tracking purposes, as well as the internal systems impacting risk. Criticality levels are provided out of the box in addition to customizable inherent risk ratings and notifications.
Vendors can be reassessed, with a renewal cadence established based on risk classifications. If the same questions are asked again, responses just need to be updated with any changes. The vendor intake form is fully customizable and kicks off the vendor assessment process. Automation takes the burden off security teams. It can be integrated via API into a procurement tool.
A variety of standards are supported with out-of-the-box templates. New frameworks are continuously added. It is the only vendor risk management product with an assessment questionnaire from the Vendor Security Alliance. You can build your own questionnaire or import an existing company spreadsheet. Extensive logic is supported. Questions can be assigned to users with automated, intelligent email reminders and progress tracking throughout. Users can easily request clarifications by simply checking the “needs clarification” box – this works like internal messaging, with back-and-forth communication captured within the platform.
The review supports a customizable writeup generated as a report or a paragraph of comments. Final reports are generated and saved on vendor accounts, compiling all information in an executive summary. Reports in this format are viewable by anyone with role-based access.
Scores are calculated with the patent-pending risk-scoring algorithm called “CrowdConfidence.” It is derived from research conducted with a panel of more than 600 IT security professionals to discover which security controls are most important. It also supports integration with RiskRecon’s rating services.
Whistic Security Profile can be purchased separately. It plainly functions like a profile for security and compliance, outlining how a security professional would secure data. It can be used to respond to customer questions, highlighting your security team, any supporting documents, common policy documentation, audits and certifications. Standardized questionnaire frameworks add to your profile, eliminating the need to respond to a spreadsheet of questions. You can easily share your profile with customers and build out multiple versions of your profile. New framework additions set to come out in the first quarter include PCI, ISO, a 2019 version of SIG and a 2019 version of VSA.
Tested by Matthew Hreben