Release Note: Vendor Assessment Tuning

Written by RiskRecon | Mar 10, 2019 7:48:00 AM

RISKRECON RELEASE NOTE

March 10, 2019

Release Name: Vendor Assessment Tuning

Availability Date: Immediately

License Requirements: Available to all Customers

Summary

RiskRecon is pleased to announce that customers can now tune the scope of systems included for each vendor assessment. This capability enables you to identify key systems that are particularly important and to ignore systems that are of no concern to your organization. Systems you identify as “key” are given special designation in the risk priority matrix. Additionally, issues of key systems are always included in the action plan. Issues for systems flagged as “ignore” are suppressed in the security profile and are not included in the action plan.

The assessment tuning module, coupled with the risk policy, enables you to focus precisely on the issues you care about for the systems that matter to you.

Assessment Tuning Module

The Assessment Tuning functionality is contained within the Company Profile module of each company. Assessments are tuned at the company level to enable you to uniquely identify systems for each company that are key and systems that are to be ignored. Key and ignore systems are identified by any combination of domain name, hostname, or IP address.

  • Domain name – A domain name rule will apply to all systems hosted within the domain.
  • Hostname – A hostname rule will apply to only the single system identified by the hostname.
  • IP address – An IP address rule will apply to all systems that use the IP address.

Case Study: Healthcare Training XYZ

In our fictitious scenario, Healthcare Training XYZ provides our employees online healthcare training through the site elearning.healthcaretraining.xyz. In this system, employees enter authentication credentials and personally identifiable healthcare information.

Configuring Key Systems

Since our analysts are particularly concerned with the security posture of elearning.healthcaretraining.xyz, they add a host-level rule to the Assessment Tuning Key Systems policy by clicking on the “+” sign in the Hosts box. From there they select the system, found either by search or by scrolling. In this case, we also added a comment to record why this system is the primary one in our risk relationship with Healthcare Training.

With the key system configuration implemented, our analysts now have the assessment configured to highlight any issues that exist in our key system – elearning.healthcaretraining.xyz.

Key Rule Benefit: Risk Priority Matrix

Upon implementing this configuration, our analysts notice that the Risk Priority Matrix now has a new asset value of “key” which calls out any issues that exist in our key system. This makes it easy for our assessors to rapidly determine if any issues exist in the most important system in our relationship with Healthcare Training. In this case, the certificate subject of elearning.healthcaretraining.xyz is invalid, preventing users from being able to validate the authenticity of the system.

Key Rule Benefit: Security Profile

Diving into the assessment details contained in the Security Profile for more information, we find that it is easy to identify the criteria and detailed findings that are related to our key system. Scrolling through the security domains, a “key” icon identifies the criteria where issues exist in our key system. As shown in the Risk Priority Matrix, the Certificate Subject criteria of the Web Encryption domain has one or more issues for our key system.

Clicking into the Web Encryption domain to see the details, our analysts see that the Certificate Subject criteria has a “key” icon next to the rating and that issues for our key system are flagged by a new asset value of “Key”.

Configuring Ignore Systems

As our analysts are engaged with Healthcare Training, they naturally raise issues regarding the vendor's mobile site, m.healthcaretraining.xyz. The vendor explains that the system is a standalone prototype and holds none of our data. Agreeing with their assessment, our analysts simply crack open the Company Profile and add an “ignore” rule to our Assessment Tuning Policy.

Ignore Rule Benefit: Security Profile

The first benefit our analysts realize is that all issues associated with ignore systems are suppressed in the Security Profile. This enables our analysts to focus on the issues that matter, automatically ignoring issues of systems that don’t matter. As shown below, the ignore system issues still show up in the Security Profile, but they are greyed out and are inactive.

If our analysts wonder about a greyed-out issue, they simply click it and are shown a brief explanation.

Ignore Rule Benefit: Action Plan

Our analysts also benefit from this functionality because all issues associated with an ignore rule are automatically excluded from the action plan. As such, so long as the rule for m.healthcaretraining.xyz is in place, they will never ask the vendor to address the issues.

Configuring Ignore All Systems

Based on further internal discussions, our analysts decided that they will only act on issues associated with our key system – elearning.healthcaretraining.xyz. To implement this policy, our analysts simply select the option to ignore all non-key systems. Simple!

With all issues except those for our key system ignored, the Security Profile for the Certificate Subject criteria greys out all findings except the one for our key system.
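As an added illustration, not RiskRecon's code or API, the following Python models the tuning semantics this note describes: the three rule kinds (domain, hostname, IP address), key-system issues always kept in the action plan, ignored issues suppressed, and the ignore-all-non-key option. The data model, the (kind, value) rule tuples, the key-over-ignore precedence and the sample systems and IPs are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address
@dataclass(frozen=True)
class System:
    hostname: str
    ip: str
@dataclass(frozen=True)
class Finding:
    system: System
    criteria: str
    severity: int  # higher is worse
@dataclass
class TuningPolicy:
    key: list = field(default_factory=list)     # rules: (kind, value)
    ignore: list = field(default_factory=list)  # kind in {"domain", "host", "ip"}
    ignore_all_non_key: bool = False

def matches(rule, system):
    """Domain: the domain and every host under it; host: one hostname; ip: every system on that address."""
    kind, value = rule
    host, value = system.hostname.lower().rstrip("."), value.lower().rstrip(".")
    if kind == "domain":
        return host == value or host.endswith("." + value)
    if kind == "host":
        return host == value
    if kind == "ip":
        return ip_address(value) == ip_address(system.ip)
    raise ValueError(f"unknown rule kind {kind!r}")

def classify(system, policy):
    """Key is checked first (assumption): key issues stay in the action plan even under ignore-all-non-key."""
    if any(matches(r, system) for r in policy.key):
        return "key"
    if policy.ignore_all_non_key or any(matches(r, system) for r in policy.ignore):
        return "ignore"
    return "normal"

def action_plan(findings, policy):
    """Drop issues on ignored systems; key-system issues always stay and sort first, then by severity."""
    kept = [f for f in findings if classify(f.system, policy) != "ignore"]
    return sorted(kept, key=lambda f: (classify(f.system, policy) != "key", -f.severity))

# Constructed sample data for the Healthcare Training XYZ scenario (RFC 5737 documentation IPs)
ELEARNING = System("elearning.healthcaretraining.xyz", "203.0.113.10")
MOBILE = System("m.healthcaretraining.xyz", "203.0.113.20")
WWW = System("www.healthcaretraining.xyz", "203.0.113.30")
FINDINGS = [Finding(ELEARNING, "Certificate Subject", 7),
            Finding(MOBILE, "Software Patching", 9), Finding(WWW, "Web Encryption", 5)]
POLICY = TuningPolicy(key=[("host", ELEARNING.hostname)], ignore=[("host", MOBILE.hostname)])
POLICY_KEY_ONLY = TuningPolicy(key=[("host", ELEARNING.hostname)], ignore_all_non_key=True)
```

With `POLICY`, the action plan keeps the key system's certificate issue first and the www finding after it, while the mobile prototype's finding is suppressed; with `POLICY_KEY_ONLY`, only the key system's issue remains.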

Customer Support

The Assessment Tuning module is yet another RiskRecon capability that makes it easy for you to understand and act on your risk. In this case, Assessment tuning enables you to focus your assessments on precisely what is important to you, highlighting systems of key risk and ignoring those of no concern.

You can learn more about this and other RiskRecon functionality through the support center, accessible from the RiskRecon portal. There you will find additional documentation and user videos. You are always encouraged to contact us directly through support@riskrecon.com or through the chat feature in the RiskRecon portal.