Typical Vendor Risk Workflow
Galink follows a structured workflow to manage vendor risks from onboarding to ongoing monitoring. Here is the typical end-to-end process.
Workflow overview
Add a vendor --> Tier the vendor --> Request resources --> Analyze resources & flag findings --> Complete an assessment
Step 1: Add a vendor
Start by adding a new vendor to Galink. Vendors are identified by their domain/URL, which is mandatory at creation. You can add a vendor directly from the Vendors tab or through the Vendor Request Form (shared with Procurement teams).
Step 2: Tier the vendor
Classify the vendor's risk level using the tiering form. The form evaluates three criteria:
Type of data processed -- What kind of data does the vendor have access to?
Operational impact -- What would be the impact if the vendor were unavailable for 24 hours?
Access level -- What level of access does the vendor have to your systems?
Based on the scoring, the vendor is assigned a tier:
| Tier | Risk level |
|---|---|
| Tier 3 | Low risk |
| Tier 2 | Medium risk |
| Tier 1 | High risk |
Step 3: Request resources
Request the necessary documentation and evidence from the vendor. This can include:
Custom Questionnaires -- Security questionnaires tailored to your requirements.
Galink Assessments -- Managed security assessments conducted by Galink analysts.
Other resources -- Certifications (SOC 2, ISO 27001), pentest reports, security policies, and other supporting documents.
Resources are sent to vendors through the Vendor Portal, where they can respond and upload documents.
Step 4: Analyze resources and flag findings
Once the vendor provides resources:
AI-powered analysis automatically reviews questionnaire responses and evidence documents.
Findings are flagged for each identified security gap or non-conformity.
The Security Officer reviews the AI analysis, approves or rejects evidence, and adds additional findings as needed.
Each finding is categorized by:
Severity: Critical, High, Medium, or Low
Treatment plan: Accept, Mitigate, Needs review, or Not applicable
Step 5: Complete an assessment
Finalize the vendor's security assessment by:
Reviewing the summary of all findings and resources.
Making an approval decision.
Setting the next assessment date (default: one year from the date the assessment is completed).
The assessment decision is recorded, and the vendor's status is updated accordingly. Previous assessments are stored in the activity log for full traceability.
Ongoing monitoring
After the initial assessment, Galink supports continuous vendor risk management through:
Reassessments -- Triggered when the next assessment date is reached.
Remediation tracking -- Monitor vendor progress on corrective actions.
Shadow IT detection -- Identify new, untracked applications used in your organization.
OSINT monitoring -- Detect recent data breaches associated with your vendors.