Integrate SecurityScorecard data with the Coupa business spend management (BSM) platform to quickly assess the security posture of any of your suppliers.
With the integration you can view a supplier's overall score, factor scores, five most critical issues, a graph showing the overall score over the past six months, and a link to view the supplier's Scorecard.
Integration options
This integration provides two options:
- The Panel App, which is free, shows the overall security score and factor scores on Supplier pages.
- The SecurityScorecard Cybersecurity Risk Insights data feed adds SecurityScorecard as a risk criteria source for the Supplier Health Score. To integrate it, you need the Coupa Risk Aware module.
Before you get started with the integration
Make sure to do the following before setting up the integration:
- Designate someone with administrative permissions in SecurityScorecard and Coupa to set up the integration.
- If you do not have a SecurityScorecard API key, create one.
Note: If you are only installing the Panel App for the Coupa Core platform, complete Steps 1 through 4. To add SecurityScorecard Cybersecurity Risk Insights to the Coupa Risk Aware module, complete Steps 1 through 7.
Step 1: Install Panel App
- Go to the Coupa Marketplace Listing for the SecurityScorecard Cybersecurity Risk Insights App.
- Click Get Started to install the panel app.
- Complete the registration form and click Submit.
- Click Install now.
- Enter your Coupa instance URL and click Continue.
The setup redirects you to Community > Community Exchange in your Coupa instance.
- Click Download.
Step 2: Create an OAuth2/OpenID Connect Client in Coupa
- In the Coupa Admin Home page, click Setup (Integrations) and select Oauth/OpenID Connect Clients.
- Click Create.
- In the Create Client window, set the following values:
- Grant type = Client credentials
- Name = SecurityScorecard
- JWKS URI = blank
- Login = SecurityScorecard
- Contact First Name = your first name
- Contact Last Name = your last name
- Contact Email = your email address
- Scopes:
- core.supplier.read
- core.supplier.risk_aware.read
- core.supplier.risk_aware.write
- core.supplier.write
- Click Save.
- Note the displayed Identifier and Secret.
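
To confirm that the client created in this step holds exactly the four scopes listed above, you can request a token and audit the scopes it grants. The following Python code is an added example, not SecurityScorecard or Coupa code; the `/oauth2/token` endpoint path, passing credentials as form fields, and the sample response are assumptions to confirm against your own Coupa instance.

```python
import json
import urllib.parse
import urllib.request

# Scopes assigned to the SecurityScorecard client in Step 2.
EXPECTED_SCOPES = frozenset({
    "core.supplier.read", "core.supplier.write",
    "core.supplier.risk_aware.read", "core.supplier.risk_aware.write",
})

def build_token_request(instance_url, client_id, client_secret):
    """Build (but do not send) a client-credentials token request.
    Assumption: token endpoint is <instance>/oauth2/token with form fields."""
    if not instance_url.lower().startswith("https://"):
        raise ValueError("refusing to send the client secret over non-HTTPS")
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": " ".join(sorted(EXPECTED_SCOPES)),
    }).encode()
    return urllib.request.Request(
        instance_url.rstrip("/") + "/oauth2/token", data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})

def audit_token_response(raw_json):
    """Return (missing, extra) scopes relative to Step 2's list."""
    token = json.loads(raw_json)
    if "access_token" not in token:
        raise ValueError("token request failed: %s" % token.get("error", "unknown"))
    # RFC 6749 5.1: an omitted "scope" means the requested scopes were granted.
    if "scope" in token:
        granted = set(token["scope"].split())
    else:
        granted = set(EXPECTED_SCOPES)
    return sorted(EXPECTED_SCOPES - granted), sorted(granted - EXPECTED_SCOPES)

# Constructed sample response, not captured from a real Coupa instance.
SAMPLE_RESPONSE = json.dumps({
    "access_token": "PLACEHOLDER", "token_type": "bearer", "expires_in": 3600,
    "scope": "core.supplier.read core.supplier.write "
             "core.supplier.risk_aware.read example.unrelated.write",
})

if __name__ == "__main__":
    missing, extra = audit_token_response(SAMPLE_RESPONSE)
    print("missing:", missing)
    print("extra:", extra)
    # Live check: urllib.request.urlopen(build_token_request(url, cid, secret))
```

A missing scope means the integration cannot read or write the data it needs; an extra scope means the client holds more access than this procedure calls for and should be trimmed in the client's settings.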
Step 3: Configure the SecurityScorecard Cybersecurity Risk Insights App
- On the home page of your Coupa dashboard, select Setup from the primary menu.
- Search for iFrames and Panels under Platform.
- Edit the SecurityScorecard Cybersecurity Risk Insights App to set the App Properties.
- Securityscorecard Apikey: API token that you create in SecurityScorecard
- Datamap App Code:
- Coupa Oauth Clientid: OAuth2 Identifier you created in Step 2
- Coupa Oauth Client Secret: OAuth2 Secret you created in Step 2
- Risk Custom Field Number 1 to 10: Supplier Risk Aware Feed numeral that you enter in Step 6.
- After entering the App Properties, check to make sure the app is enabled. In the Actions column for the app at Setup > IFrames and Panels, make sure the slider is set to the active position.
Step 4: Set up custom fields for SecurityScorecard
- Return to the Setup page and search for Custom Fields in the Company Setup section.
- At the top of the page, under Select an object to customize, use the dropdown menu to select Suppliers.
- Click and drag the Text Field box from the list of objects in the right region, and pull it into the Suppliers region on the left.
- Click the new text field you added to the Suppliers region, and set the field parameters.
- Prompt = SecurityScorecard Domain
- Field Name = securityscorecard_domain
- Format = Text
- Active = Select
- Editable = Select
- Required = Do not select
- Click Done.
Step 5: Populate the SecurityScorecard Domain field for each of your suppliers
From the Coupa home page, click Suppliers. Then click the pencil icon in the Actions column to edit the supplier record. You will find the SecurityScorecard Domain field in the Additional Settings section of the supplier record.
From the Coupa home page, click Suppliers and select a supplier name to verify that the SecurityScorecard Cyber Risk Insights panel is showing data.
Note: If you are only installing the panel app for the Coupa Core Platform, you have completed setup. To map SecurityScorecard score for use within Coupa Risk and Performance Management (RPM and RPMA), continue with the following steps.
Step 6: Set up Supplier Risk Aware Feed
- On the Custom Fields page, under Select an object to customize, use the dropdown box to select Supplier Risk Aware Feed.
- Select an unused Number Field, and set the following field parameters:
- Prompt: SecurityScorecard Score
- Originally: The numeral you enter for the Number Field is also the numeral you enter for App Properties in Step 3.
- Active: Select the check box.
- Hint: Higher is Better
- Range: 0 to 100
- Click Done
Step 7: Set up the Supplier Health module
- Return to the Setup page and search for Supplier Health under the Suppliers section.
- In the Calibrate Risks section (Setup > Suppliers > Supplier Health), assign weights to the risk criteria to create your own formula for evaluating supplier risk. If SecurityScorecard Ratings are your primary indicator of risk, we recommend a high score (over 70 percent) to ensure the health score is a reflection of the SecurityScorecard Rating.
Step 8: Verify that SecurityScorecard Cyber Risk Ratings data appears
Check Supplier Risk Score and custom views of the Risk Aware Table:
- SecurityScorecard Score within Supplier Health on a supplier record
- SecurityScorecard Score in a custom view of the Risk Aware table
FAQ
Do I need a SecurityScorecard license?
Yes. Access your Complimentary Enterprise License available to Coupa customers here: https://securityscorecard.com/coupa/. The license allows you to monitor your own organization as well as up to 50 suppliers for 90 days, with access to a dedicated customer success manager and the SecurityScorecard support team.
What data does this pull in for a given organization?
Currently, the top-level Scorecard score.
How often does this data update?
SecurityScorecard ratings are updated daily, and the integration fetches the data daily or when you view a supplier.