
Security Readiness Review For Diff Calendar
Closed, Resolved · Public

Description

Project Information

Description of the tool/project: Movement Communications is looking to add a community calendar to Diff. Ideally, users would be able to log in (using their Wikimedia credentials via OAuth) and add an event to a centralized calendar.

Description of how the tool will be used at WMF:

We'd like to use an existing WordPress plugin to give us the ability to have a calendar of events. This plugin has a "Pro" version we would license for additional features and support. It's called The Events Calendar (https://theeventscalendar.com).

Dependencies

List dependencies, or upstream projects that this project relies on.

https://github.com/the-events-calendar/the-events-calendar

Has this project been reviewed before?
No.

Working test environment
https://blog-wikimedia-org-develop.go-vip.net/events/

Post-deployment
Movement Communications - Chris Koerner

Event Timeline

Restricted Application added a subscriber: Aklapper.
Jcross added subscribers: Dsharpe, Jcross.

Sending over to @Dsharpe as a supplier assessment. David, please let me know if we should send these your way via some other workflow.

sbassett triaged this task as Medium priority.
sbassett added a project: SecTeam-Processed.
sbassett moved this task from Incoming to In Progress on the Security-Team board.

Hello @CKoerner_WMF! My understanding, reading through this task, is that we haven't bought anything from https://theeventscalendar.com/ yet. If the Foundation decides to do so, then when that spend flows through Coupa it should be marked as a SaaS-related request and automatically trigger a vendor security review. I haven't seen anything about this purchase in Coupa. Did I miss something?

@Dsharpe You haven't missed anything. We didn't know if it was best to alert you before we made any purchase, as we didn't want to buy something only to have Security say no. If it's normal to proceed as you describe, I can talk to my supervisor to make that happen.

Yes, it is the current process for most things. We'll jump in as part of the Coupa process (for SaaS-related vendors only right now) because we don't have the capacity to review potentially several vendors for every initiative across the Foundation. Once a team has progressed far enough to where they are ready to buy, then we take a look. The Coupa process might also, depending on what is being purchased, kick off other helpful reviews by Legal and Privacy.

For screening vendors, meaning as you whittle your list of possibilities down to just one, folks can use https://office.wikimedia.org/wiki/Security/Guides/Supplier_and_Provider_Initial_Risk_Assessment_Questions. If a vendor doesn't have answers for those items available on their website, it normally helps to ask about at least those 12 items to see how the vendor responds. People doing privacy reviews might ask more, but those 12 questions are a good start for the vendor security review side of the process.

If you decide to proceed, we'll catch this request as it flows through Coupa (please make sure to mark "yes" for "Is this a SaaS request?", and that will cause our part of the review process to start).