As mentioned in Phase 2 – Classification, High and Medium impact third parties need to be assessed for residual risk. Residual risk is another term that isn’t familiar to everyone, so we’ll define it. Residual risk is the amount of risk that remains (the residue) after accounting for the controls that are in place and any applicable threats. Residual risk assessments attempt to validate, qualify, and/or quantify the risk posed by threats and vulnerabilities, using inherent risk as a base input.
The first place to check for residual risk is an assessment that the third party may have already completed; an assessment that is high quality, fits our definitions of “information security” and “risk,” and represents risk. For SecurityStudio, this is the S2SCORE. The logic is simple: Does the third-party have a current S2SCORE or not?
Current Acceptable S2SCORE
If the third party has a current S2SCORE, then Phase 3 – Risk Assessment is complete for now, and the score is evaluated as part of Phase 4 – Risk Treatment. A threshold for S2SCORE must be set by the organization, and an automated comparison is made.
S2SCORE is calculated on a scale between 300 – 850, with 300 representing an infinite amount of risk and 850 representing no risk at all. Obviously, it’s not possible to have infinite risk or no risk, so all S2SCOREs fall between the range. Organizations that have not defined a specific threshold will typically accept a default S2SCORE of 660.
If the S2SCORE is acceptable, meaning it meets or exceeds your threshold, then the process is complete for you and the third party. That’s it!
If the S2SCORE is not acceptable, meaning it does not meet your threshold, then the process remains in Phase 3 – Risk Assessment for next steps. An unacceptable S2SCORE follows the same process as not having an S2SCORE at all.
No Current Acceptable S2SCORE
Third parties that do not have a current S2SCORE and third parties that do not have an acceptable S2SCORE will receive a questionnaire that is commensurate with the level of inherent risk they pose to the organization. Third parties that are classified as High receive the High Residual Risk Questionnaire, and third parties that are classified as Medium receive the Medium Residual Risk Questionnaire.
All notifications to third parties are managed by SecurityStudio so that administrators don’t need to track and manage follow-up tasks.
All questionnaires are completed via an authenticated and secure online portal provided to the third-party provider.
High Residual Risk Questionnaire
By default, the High Residual Risk Questionnaire leverages similar criteria* to those used in calculating the S2SCORE. This is important for (at least) five reasons:
- Validation of the questionnaire will result in a genuine S2SCORE that can be reused in other applications.
- The common set of criteria allows for better comparisons and consistent baselining across all third parties.
- Deliverables from the S2SCORE can be used to build the third-party security program and/or identify the greatest areas of concern accompanied by actionable recommendations. The S2SCORE provides value to the third party in this way.
- For the most impactful third parties, a S2SCORE can be validated by personnel who are certified by SecurityStudio® to complete validations. This ensures consistency across organizations who use SecurityStudio and S2SCORE.
- Validation of the S2SCORE can be done using in-house personnel, through SecurityStudio, or through any of the SecurityStudio partners. Today there are more than a dozen SecurityStudio partner organizations who are certified to perform validations.
Medium Residual Risk Questionnaire
By default, the Medium Residual Risk Questionnaire leverages the same criteria used in the calculation of the S2SCORE Estimator. The S2SCORE Estimator is a freely available assessment provided to anyone online and is also built into SecurityStudio. The important reasons why we’ve chosen to use the same criteria include some of the following:
- Any organization, with or without the use of VENDFENSE can get a score that can be leveraged without cost to the third party and be reused for third-party information security risk management if the inherent risk calculation results in a Medium classification.
- Ensures consistency within SecurityStudio and all other uses of the S2SCORE Estimator.
- The S2SCORE Estimator is an easy, and no-cost introduction to all that S2SCORE is and can be used for.
The result of the questionnaire process is an S2SCORE. The score is objective and automatic, and if the third party provides accurate and truthful information, the S2SCORE will be a true measurement of information security risk. There are times when you don’t believe that the information provided by the third party is accurate and true. These are times when you might want validation. There are also times when a third party is so critical to the success of your organization that you may want validation too. Regardless of the reason for validation, you are in control.
Now that the third parties have been assessed for residual risk, we move on to Phase 4 of VRM – Risk Treatment.
*Vulnerability scanning data, crime rate index, and natural threat data are not employed in the High Residual Risk Questionnaire but are used in the full S2SCORE and validated S2SCORE.