The core capability of OneTrust’s third-party risk offering is the ability to create and automate workflows for onboarding and offboarding vendors. This helps users maintain an inventory of their vendors along with relevant information such as risk tiers, service types, and commercial timeframes.
UpGuard can help organizations automate their third-party risk assessment and vendor compliance due diligence processes. UpGuard’s solution capabilities work to optimize third-party risk management workflows.
Security Questionnaire Workflows & Exchange
OneTrust: Allows users to automate the security questionnaire process with pre-built questionnaires aligned with common security frameworks, standards, and regulations. Users can also create custom-built questionnaires that are sent to vendors through the same automated process, with multi-language support included.
OneTrust offers customers access to an exchange of pre-completed security questionnaires and other vendor due diligence information, such as relevant certifications. OneTrust’s exchange aims to reduce the operational overhead and time costs of gathering questionnaire responses.
By using this information, customers can better understand the risk impacts of a given vendor’s internally managed security policies, controls, and practices.
UpGuard: Also automates the security questionnaire process, allowing users to choose from a library of pre-built questionnaires, including recognized security frameworks like ISO 27001, PCI DSS, NIST CSF, GDPR, and CCPA.
Users can create and send custom questionnaires to vendors using the assessment builder. Users may also access UpGuard’s database of pre-completed vendor security questionnaires from the Shared Assessments Exchange.
UpGuard’s Compliance Reporting feature enables users to easily identify which areas of these security frameworks their vendors do or don’t comply with by mapping results from these questionnaires to their respective frameworks.
Attack Surface Monitoring
Attack surface monitoring capabilities allow security teams to discover, measure, and monitor the security risks associated with a vendor’s public-facing domains, subdomains, and IP spaces.
Unlike OneTrust, UpGuard allows for the monitoring of such risks with continuous checks for the presence of standard security configurations and controls, such as SPF and HTTPS. Additionally, UpGuard monitors public-facing ports for any changes, highlighting areas of inconsistency with best-practice settings.
Furthermore, UpGuard’s platform gathers risk intelligence on third-party data leaks, identity breaches, potential fraud from typosquatting, and compromised corporate email accounts. These intelligence sources are indispensable to gaining a comprehensive view of supply chain and third-party risk.
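To make the external checks described above concrete, here is an added example (not OneTrust's or UpGuard's code) that evaluates a domain's SPF record for weak or missing policies and diffs two port scans to flag newly exposed services. The vendor domains, TXT records and port sets are constructed sample data, not real scan results.

```python
# Constructed sample input: hypothetical vendor domains with their DNS TXT records
# and the open ports seen in two successive scans (not real data).
SAMPLE_TXT = {
    "vendor-a.example": ["v=spf1 include:_spf.example.net -all"],
    "vendor-b.example": ["some-verification=abc123", "v=spf1 a mx +all"],
    "vendor-c.example": ["v=spf1 mx"],
}
PREVIOUS_PORTS = {"vendor-a.example": {443}, "vendor-b.example": {80, 443}}
CURRENT_PORTS = {"vendor-a.example": {443, 3389}, "vendor-b.example": {443}}
# Services that rarely belong on a vendor's public edge; used only for labelling.
RISKY_PORTS = {21: "FTP", 23: "Telnet", 445: "SMB", 3389: "RDP"}


def spf_finding(txt_records):
    """Return a description of the SPF weakness, or None if the record passes the check."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return "no SPF record published"
    if len(spf) > 1:
        return "multiple SPF records (treated as a permanent error by receivers)"
    terms = spf[0].split()[1:]
    all_terms = [t for t in terms if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        return "SPF record ends without an 'all' mechanism (defaults to neutral)"
    # A mechanism with no explicit qualifier is treated as '+' (pass).
    qualifier = all_terms[0][0] if all_terms[0][0] in "+-~?" else "+"
    if qualifier == "+":
        return "SPF '+all' permits any sender"
    if qualifier == "?":
        return "SPF '?all' is neutral and gives receivers no guidance"
    return None  # '~all' (softfail) or '-all' (fail) is the expected state


def port_changes(previous, current):
    """Return (newly opened, newly closed) ports between two scans of one host."""
    return sorted(set(current) - set(previous)), sorted(set(previous) - set(current))


def assess(domain):
    """Combine SPF and port findings for one vendor domain into a list of strings."""
    findings = []
    spf = spf_finding(SAMPLE_TXT.get(domain, []))
    if spf:
        findings.append(spf)
    opened, closed = port_changes(PREVIOUS_PORTS.get(domain, set()), CURRENT_PORTS.get(domain, set()))
    for port in opened:
        label = RISKY_PORTS.get(port)
        findings.append(f"port {port} newly exposed" + (f" ({label})" if label else ""))
    for port in closed:
        findings.append(f"port {port} no longer open")
    return findings
```

A real monitor would populate the TXT records and port sets from DNS lookups and scans rather than the embedded samples; the evaluation logic stays the same.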
OneTrust: Offers remediation planning capabilities based on risks identified in vendor questionnaires, but does not provide remediation tracking for security risks present on a vendor’s external attack surface.
UpGuard: Also offers remediation planning capabilities. Users can create a remediation plan which projects security ratings based on the remediation of specified risks.
The platform also allows users to request remediation based on automated scanning and questionnaire risks identified in monitored vendors, with real-time updates highlighting when vendors fix any identified issues.