TPRM Intake & Vendor Procurement Workflow Automation 

Designed and built an automated Third-Party Risk Management intake workflow to improve vendor onboarding, procurement coordination, and audit readiness.

The workflow used Slack, Zapier, Trello, and Google Drive to capture vendor requests, identify whether the vendor required system access, notify the appropriate stakeholder, create a vendor review tracking card, generate an evidence folder, and link the documentation back to the workflow record.

This project was designed to solve a common TPRM problem: vendor requests often come in through informal channels, creating gaps in tracking, ownership, evidence collection, and approval visibility. By automating the intake process, the workflow helped reduce manual handoffs, improve consistency, and create a more defensible vendor review process.

What I Built

Built an automated workflow that:

• Captures new vendor procurement requests from Slack.

• Extracts key vendor information from the request.

• Identifies whether the vendor requires system access.

• Filters requests so only vendors requiring system access move forward for security review.

• Sends a notification to the appropriate stakeholder or approver.

• Creates a Trello card to track the vendor review.

• Creates a Google Drive folder for vendor assessment evidence.

• Links the Google Drive evidence folder back to the Trello tracking card.

• Preserves request details and timestamps for better traceability.

Business Problem Solved

Many organizations manage vendor requests through email, Slack, spreadsheets, or informal conversations. That creates risk because vendor reviews can be missed, evidence can become scattered, and security teams may not be notified early enough when a vendor needs system access.

This workflow improves the process by creating a structured intake path that supports better visibility, accountability, and audit readiness.

Why This Matters to Companies

This matters because vendor onboarding is not just a procurement activity. It is a risk management activity.

When a vendor requires access to systems, data, applications, or business processes, the company needs a repeatable way to identify the risk, notify the right stakeholders, track the review, and collect evidence. Without that structure, organizations increase the risk of unauthorized access, incomplete due diligence, missed approvals, and weak audit trails.

This automation helps companies move from a reactive vendor intake process to a more controlled, risk-based workflow.

Tools Used

Slack | Zapier | Trello | Google Drive

Prompt 

VENDOR REQUEST AUTOMATION ZAP - COMPLETE BUILD PROMPT,

Zap Purpose: Automate vendor procurement requests from Slack → Filter by system access requirement → Notify approver → Create Trello card & Google Drive folder → Link them together

EXACT CONFIGURATION:

Step 1 - Slack Trigger

• App: Slack,

• Action: New Message in Channel,

• Channel: #new-process,

• Listen for: All messages (include bot messages: ON, Raw text: ON),

Step 2 - Extract Vendor Name

• App: Formatter by Zapier,

• Action: Text → Extract Pattern,

• Input: {{340627605__text}},

• Pattern: Vendor Name:\s*(.+),

• Output: {{340627606output0}},

Step 3 - Extract System Access Answer

• App: Formatter by Zapier,

• Action: Text → Extract Pattern,

• Input: {{340627605__text}},

• Pattern: Use prior to[^:]*:\s*(Yes|No),

• Output: {{_GEN_1766543364603output0}},

Step 4 - Filter for "Yes" Only

• App: Filter by Zapier,

• Condition: {{_GEN_1766543364603output0}} equals "Yes" (case-insensitive),

• Action: Continue (if true),

Step 5 - Send Slack DM Notification

• App: Slack,

• Action: Send Direct Message,

• To User: Haley (or recipient username),

• Send as bot: NO (from your account),

• Message: "Hi (Name), heads-up regarding {{340627606output0}}. The request justlanded in my queue a few minutes ago, and it looks like they will need system access.\n\nI'm starting the security review now, but I wanted to share this ahead of time to help with your planning."

Step 6 - Create Trello Card

• App: Trello,

• Action: Create Card,

• Board: Sanity Check,

• List: New Request,

• Card Name: {{340627606output0}} (vendor name only),

• Description: [Full request details from original message],

• Request Date: {{340627605__ts_time}} (Slack message timestamp),

Step 7 - Create Google Drive Folder

• App: Google Drive,

• Action: Create Folder,

• Parent Folder: Vendor Assessments,

• Folder Name: {{340627606output0}}/ Sanity Check,

Step 8 - Update Trello Card with Drive Link

• App: Trello,

• Action: Update Card,

• Board: Sanity Check,

• Card ID: {{_GEN_1766546117815__id}} (from step 6),

• Description: Link to Google Drive folder:{{_GEN_1766546117816__alternateLink}},

• Overwrite Description: YES,

KEY DATA FLOWS:

• Vendor Name flows through entire Zap: Step 2 → Steps 5, 6, 7, 8,

• System Access answer: Step 3 → Step 4 (filter gate),

• Slack timestamp: Step 1 → Step 6 (Request Date),

• Trello card ID: Step 6 → Step 8 (updates same card),

• Google Drive folder link: Step 7 → Step 8 (appends to card),

IMPORTANT NOTES:

• Slack channel: #new-process (C0A58SDAT7F),

• Only executes if "Yes" to system access (Step 4 filter),

• Google Drive folder created BEFORE updating Trello (workflow order critical),

• All timestamps use Slack's native message timestamp,

• DM sent to you () - change recipient as needed

Teaching Hands-On Risk Management in Cybersecurity & GRC

In cybersecurity and GRC, real impact isn’t just about compliance—it’s about managing real risk. As an instructor, I provided hands-on training to a cohort of 10–15 students, teaching them how to build and manage a Risk Register that goes beyond simple attestation. Using NIST CSF 2.0 (Identify & Respond functions) and PCI DSS 4.0.1’s risk-based approach, I guided students through the process of identifying, assessing, and prioritizing security risks that truly impact an organization’s security posture.

But identifying risks isn’t enough. To translate risks into actionable business value, I taught students how to develop a Plan of Action and Milestones (POAM)—a structured approach that connects risks to accountable remediation efforts. My training aligned with:

✔ NIST CSF 2.0: Teaching students how to apply ID.AM-01 (Asset Management), ID.RA-01 (Risk Assessment), RS.AN-03 (Incident Analysis), and RS.MI-01 (Incident Mitigation) to enhance risk visibility and response.
✔ PCI DSS 4.0.1: Providing real-world application of 6.3.1 (Risk-Based Vulnerability Management), 12.3.2 (Risk Assessment for Custom Controls), and 11.6.1 (Continuous Threat Monitoring for Payment Pages) to ensure risk-informed security decisions.

Why This Matters for Future GRC Professionals

✅ Prepares students for real-world cybersecurity risk management, ensuring they can assess and mitigate risks in an enterprise setting.
✅ Strengthens decision-making skills, enabling students to prioritize security threats based on business impact rather than checkbox compliance.
✅ Builds proactive security leaders by teaching how to integrate risk management frameworks into governance, compliance, and security operations.

GRC isn’t about checking boxes—it’s about making informed security decisions that protect critical assets and support business growth. Through practical, hands-on learning, I equip students with the skills they need to transition into cybersecurity risk and compliance roles, ensuring they can apply risk-based thinking to drive security resilience.

I developed a comprehensive, AI-driven study guide for the CompTIA Security+ certification exam, tailored to provide aspiring cybersecurity professionals with a streamlined, effective learning experience. This resource leverages advanced AI technology to deliver essential knowledge and skills, supporting not only certification success but also a robust start to careers in cybersecurity.

Key Features of the Study Guide:

• Complete Coverage of Exam Objectives: Aligned with CompTIA’s Security+ blueprint, this guide covers all critical areas, from risk management and incident response to cryptography and access control, ensuring learners have a solid grasp of each core topic.

• Simplified Explanations of Complex Concepts: Utilizing AI-powered content generation, I transformed intricate cybersecurity concepts into accessible explanations, enriched with real-world examples and applications to deepen understanding.

• Actionable Insights and Expert Tips: Drawing from my industry experience, I included practical advice and recommendations to help learners navigate common challenges, enhancing their preparation journey with valuable insider perspectives.

• Enhanced Learning Experience Through AI: With Perplexity’s AI platform, I organized a vast amount of information into an intuitive, easy-to-follow format, making the learning process more efficient and engaging.

To advance inclusivity in cybersecurity, I’ve made this resource freely accessible, removing financial barriers that often limit access to high-quality educational materials. My goal is to democratize cybersecurity education, empowering aspiring professionals with the tools they need to thrive and contribute to a capable, diverse workforce poised to meet the demands of an evolving digital landscape.

Through this AI-powered guide, I aim to inspire, inform, and equip the next generation of cybersecurity talent, helping them take confident steps toward earning their Security+ certification and making a positive impact on the industry.