Key Concepts
Understanding the core concepts of Galink will help you navigate the platform and manage your vendor risk program effectively.
Core terminology
| Concept | Description |
|---|---|
| Vendor | We use the term vendor broadly: it can refer to a third-party supplier, an application, or a service, depending on your needs. |
| Tiering | Risk-level classification of a vendor based on data sensitivity, operational impact, and access level. |
| Assessment | A security evaluation of a vendor based on findings, questionnaire responses, and supporting evidence. |
| Resources | Documents, Galink Assessments, or Questionnaires provided by or requested from vendors. |
| Findings | Observations and issues flagged during the analysis of vendor resources and questionnaires. |
| Remediation Plan | A set of corrective actions linked to findings, shared with the vendor for resolution. |
| Security Owner | The person in your organization responsible for managing a specific vendor's security review. |
| Business Owner | The person in your organization who owns the business relationship with a vendor. |
Vendor lifecycle
Vendors in Galink follow a lifecycle that tracks their current state:
- Live -- The vendor is actively used and managed.
- Archived -- The vendor is no longer actively managed, but its records are retained.
Assessment status
Each vendor has an assessment status indicating where they stand in the review process:
- Needs initial review -- No prior assessment has been completed for this vendor.
- Needs review -- The next assessment date has passed and a new review is required.
- Up-to-date -- The vendor has been assessed and the next assessment date is in the future.
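The three statuses above are a decision rule over two dates: whether a vendor has ever been assessed, and whether its next assessment date has already passed. The following is an added illustration of that rule, not Galink's own code or API; the `Vendor` record, its field names, and the convention that a next assessment date equal to today counts as due are assumptions made for the example. It also builds a review queue from the lifecycle state, leaving archived vendors out since they are retained but no longer actively managed.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass
class Vendor:
    """Minimal vendor record (hypothetical shape, not Galink's data model)."""
    name: str
    lifecycle: str                      # "Live" or "Archived"
    last_assessed: Optional[date] = None   # None: no assessment ever completed
    next_assessment: Optional[date] = None # date the next review falls due


def assessment_status(vendor: Vendor, today: date) -> str:
    """Derive the assessment status described on this page.

    - No completed assessment at all   -> "Needs initial review"
    - Next assessment date has passed  -> "Needs review"
    - Next assessment date in future   -> "Up-to-date"

    Assumption: a next assessment date equal to today is treated as due
    (the page only says the date 'has passed'; today is not 'in the future').
    """
    if vendor.last_assessed is None:
        return "Needs initial review"
    if vendor.next_assessment is None or vendor.next_assessment <= today:
        return "Needs review"
    return "Up-to-date"


def review_queue(vendors: List[Vendor], today: date) -> List[str]:
    """Names of Live vendors that currently need a review, most overdue first.

    Archived vendors are excluded: their records are kept but they are no
    longer actively managed, so they should not generate review work.
    Vendors with no assessment yet sort to the front of the queue.
    """
    due = [
        v for v in vendors
        if v.lifecycle == "Live" and assessment_status(v, today) != "Up-to-date"
    ]
    due.sort(key=lambda v: v.next_assessment or date.min)
    return [v.name for v in due]


# Constructed sample data for a stand-alone run.
TODAY = date(2024, 6, 1)
SAMPLE_VENDORS = [
    Vendor("Payroll SaaS", "Live"),                                  # never assessed
    Vendor("CRM Provider", "Live", date(2023, 5, 1), date(2024, 5, 1)),   # overdue
    Vendor("CDN Service", "Live", date(2024, 1, 15), date(2025, 1, 15)),  # current
    Vendor("Legacy Host", "Archived", date(2023, 1, 1), date(2024, 1, 1)),  # retained only
]

if __name__ == "__main__":
    for v in SAMPLE_VENDORS:
        print(f"{v.name:14} {v.lifecycle:9} {assessment_status(v, TODAY)}")
    print("Review queue:", review_queue(SAMPLE_VENDORS, TODAY))
```

Running the block lists each sample vendor's status and a queue containing only the two Live vendors that need attention; the archived vendor is overdue by date but is deliberately not queued.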
Organization
Organizations allow you to partition vendors, resources, and findings by business unit, country, or subsidiary. This enables delegation of responsibilities and scoped visibility.