Program Metrics Portfolio Breakdown Summary Page

The Portfolio Breakdown page provides an in-depth breakdown of overall risk by vendor population.

  • The Risk Heat Map shows the Likelihood and Impact Rating of risk across your entire vendor portfolio.
  • The Risk Rating Breakdown displays risk by Managed, Low, Medium, High, and Very High ratings.
  • The Threshold Breakdown displays risk by the depth of review of the vendor’s security practices.

Portfolio Breakdown Page

  1. If you want to understand the Risk Heat Map, go to View the Overall Vendor Risk by Heat Map.
  2. If you want to understand the Risk Rating Breakdown, go to View the Overall Vendor Risk by Risk Rating Breakdown.
  3. If you want to understand the Threshold Breakdown, go to View the Overall Vendor Risk by Threshold Breakdown.
  4. If you want to understand your risk from a specific vendor, go to View the Overall Risk by Vendor.

View the Overall Vendor Risk by Heat Map

The Risk Heat Map displays risk ratings plotted according to Likelihood and Impact Rating. If you click a specific data point in the heat map, you can view the Portfolio by Risk Category.

Risk Heat Map

  • Likelihood and Impact Rating: Likelihood indicates the probability of a threat occurring. It is a weighted risk factor based on an analysis of the probability that a given threat is capable of exploiting a given vulnerability (or set of vulnerabilities), and it combines an estimate of the likelihood that the threat event will be initiated with an estimate of the likelihood of impact (i.e., the likelihood that the threat event results in adverse impacts).

View the Portfolio by Risk Category

You can view more detailed information regarding risk either by clicking a data point in the heat map or by clicking the Portfolio by Risk Category tab.

Portfolio Breakdown Environment by Risk Category

  • The Portfolio Breakdown Environment by Risk Category indicates how many environments fall into each score grouping. Click the number to drill down and see which vendors and environments make up that count. The primary purpose of this tab is to drill down into risk breakdown for your vendor environment population.

View the Overall Vendor Risk by Risk Rating Breakdown

The Risk Rating Breakdown displays overall risk for validated assessments by risk rating.

You can view a visual of the distribution of risk ratings for all environments. The data includes only assessments at the Validated Key Controls and Validated Program thresholds; Pre-assessment and Unvalidated Information are filtered out, as are assessments of discontinued environments.

Risk Rating Breakdown

  • Managed: The assessment identified controls that are implemented and aligned with reasonable industry practice. The likelihood of a breach is minimized to a level where no remediation is necessary, and the vendor should maintain the controls that are in place.
  • Low: The assessment identified controls that are partially aligned with reasonable industry practice. Remediation is encouraged, although there is a low likelihood of an immediate breach.
  • Medium: The assessment identified controls that are partially implemented and partially aligned with reasonable industry practice. Remediation activities should be identified and planned with corrections implemented in the near term to avoid a potential breach.
  • High: The assessment identified few controls that are implemented and aligned with industry best practice. Remediation activities should be identified and planned with corrections implemented as there is a high likelihood of an imminent breach.
  • Very High: The assessment identified a vulnerability that indicates an existing or imminent breach. Incident response activities should be activated.

View the Overall Vendor Risk by Threshold Breakdown

The Threshold Breakdown displays risk by the depth of review of the vendor’s security practices (i.e., Pre-assessment, Unvalidated Information, Validated Key Controls, Validated Program).

The visual is interactive. If you click a threshold, the page updates to reflect that threshold.

Threshold Breakdown

  • Validated Program: An audit of evidence and review of third-party assurances for the vendor's entire security program and all key controls.
  • Validated Key Controls: An audit of evidence and review of third-party assurances for a subset of key controls.
  • Pre-Assessment: Review of a vendor's security practices based on publicly available information.
  • Unvalidated Information: Review of a vendor's questionnaire responses.

View the Overall Vendor Risk by Vendor

You can view the risk for each vendor in a table, which lets you determine which vendors present the highest risk.

Risk by Vendor

  • Vendor Name: This indicates the name of the vendor being assessed.
  • Environment: This indicates the environment being assessed.
  • Assessment Start Date: This indicates the starting date of the first assessment.
  • Assessment #: This indicates the number of assessments that the vendor has completed.
  • Risk Rating: This indicates the vendor’s overall risk rating. The indicator is color-coded based on the rating.
  • Likelihood: This indicates the likelihood that the vendor will experience a breach using a letter grade where A is not likely (low risk) and D- is the most likely (high risk).
  • Threshold: This indicates the vendor’s current threshold.
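
The following is an added example, not product code, showing how the Risk Rating Breakdown, Threshold Breakdown, and Risk by Vendor views described above could be reproduced from exported assessment data. The record layout (one dict per environment assessment with the keys used below), the sample rows, and the letter-grade scale with +/- modifiers for the Likelihood column are all assumptions; the page itself only states that A is least likely and D- is most likely.

```python
"""Reproduce Portfolio Breakdown counts and the Risk by Vendor ranking
from an assessment export.

Added example; not the product's own code. The record layout below and
the A/A-/B+/.../D- grade scale are assumptions about an export format.
"""
from collections import Counter

# Thresholds the Risk Rating Breakdown keeps (per the page's filter rules).
VALIDATED_THRESHOLDS = {"Validated Key Controls", "Validated Program"}
RATING_ORDER = ["Managed", "Low", "Medium", "High", "Very High"]

# Constructed sample export: one row per environment assessment.
ASSESSMENTS = [
    {"vendor": "Acme Cloud", "environment": "Prod SaaS", "threshold": "Validated Program",
     "risk_rating": "Low", "likelihood": "B+", "discontinued": False},
    {"vendor": "Acme Cloud", "environment": "Legacy", "threshold": "Validated Key Controls",
     "risk_rating": "High", "likelihood": "D", "discontinued": True},
    {"vendor": "Beta Payroll", "environment": "HR Portal", "threshold": "Unvalidated Information",
     "risk_rating": "Medium", "likelihood": "C", "discontinued": False},
    {"vendor": "Gamma Logistics", "environment": "EDI", "threshold": "Pre-Assessment",
     "risk_rating": "Medium", "likelihood": "C-", "discontinued": False},
    {"vendor": "Delta Analytics", "environment": "Data Lake", "threshold": "Validated Key Controls",
     "risk_rating": "Very High", "likelihood": "D-", "discontinued": False},
    {"vendor": "Epsilon Print", "environment": "Print Svc", "threshold": "Validated Program",
     "risk_rating": "Managed", "likelihood": "A", "discontinued": False},
]


def threshold_breakdown(records):
    """Count environments at each depth of review. The Threshold Breakdown
    shows every threshold, including Pre-Assessment, so nothing is filtered
    here (treatment of discontinued environments is not stated on the page;
    this example counts them)."""
    return Counter(r["threshold"] for r in records)


def rating_breakdown(records):
    """Count environments by risk rating using the page's filter rules:
    validated thresholds only, and no discontinued environments."""
    kept = [r for r in records
            if r["threshold"] in VALIDATED_THRESHOLDS and not r["discontinued"]]
    counts = Counter(r["risk_rating"] for r in kept)
    return {rating: counts.get(rating, 0) for rating in RATING_ORDER}


def likelihood_score(grade):
    """Map a letter grade to a number where larger means a breach is more
    likely. Assumes letters A..D with an optional + or - modifier, '+'
    being less likely than the bare letter and '-' more likely."""
    letter, modifier = grade[0], grade[1:]
    if letter not in "ABCD" or modifier not in ("", "+", "-"):
        raise ValueError(f"unexpected likelihood grade: {grade!r}")
    return "ABCD".index(letter) * 3 + {"+": 0, "": 1, "-": 2}[modifier]


def riskiest_vendors(records, limit=None):
    """Rank active environments from most to least likely breach, breaking
    ties by vendor name so the table is reproducible."""
    active = [r for r in records if not r["discontinued"]]
    ranked = sorted(active, key=lambda r: (-likelihood_score(r["likelihood"]), r["vendor"]))
    return [(r["vendor"], r["environment"], r["likelihood"]) for r in ranked[:limit]]


if __name__ == "__main__":
    print("Threshold Breakdown:", dict(threshold_breakdown(ASSESSMENTS)))
    print("Risk Rating Breakdown:", rating_breakdown(ASSESSMENTS))
    for vendor, env, grade in riskiest_vendors(ASSESSMENTS, limit=3):
        print(f"{vendor:<18} {env:<12} {grade}")
```

With the constructed rows, the discontinued Acme Cloud "Legacy" environment and the two unvalidated rows drop out of the rating breakdown, leaving one Managed, one Low and one Very High environment, while the threshold breakdown still reports all six rows.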