As mentioned in Phase 2 – Classification, High and Medium impact third parties need to be assessed for residual risk. Residual risk is another term that is not familiar to everyone, so we’ll define it. Residual risk is the amount of risk that remains (hence “residual”) after accounting for the controls that are in place and any applicable threats. Residual risk assessments attempt to validate, qualify, and/or quantify the risk related to threats and vulnerabilities, using inherent risk as a base input.
The first place to check for residual risk is an assessment that the third party may have already completed: one that is high quality, fits our definitions of “information security” and “risk,” and genuinely represents risk. For SecurityStudio, this is the FISASCORE®. The logic is simple: does the third party have a current FISASCORE or not?
Current Acceptable FISASCORE
If the third party has a current FISASCORE, then Phase 3 – Risk Assessment is complete for now, and the score is evaluated as part of Phase 4 – Risk Treatment. A threshold for FISASCORE must be set by the organization, and an automated comparison is made.
FISASCORE is calculated on a scale from 300 to 850, with 300 representing an infinite amount of risk and 850 representing no risk at all. Obviously, it’s not possible to have infinite risk or no risk, so all FISASCOREs fall within that range. Organizations that have not defined a specific threshold will typically accept a default FISASCORE of 660.
If the FISASCORE is acceptable, meaning it meets or exceeds your threshold, then the process is complete for you and the third party. That’s it!
If the FISASCORE is not acceptable, meaning it does not meet your threshold, then the process remains in Phase 3 – Risk Assessment for next steps. An unacceptable FISASCORE follows the same process as not having a FISASCORE at all.
No Current Acceptable FISASCORE
Third parties that do not have a current FISASCORE and third parties that do not have an acceptable FISASCORE will receive a questionnaire that is commensurate with the level of inherent risk they pose to the organization. Third parties that are classified as High receive the High Residual Risk Questionnaire, and third parties that are classified as Medium receive the Medium Residual Risk Questionnaire.
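The Phase 3 routing described above (current score, threshold comparison, questionnaire by inherent-risk class), as an added example that is not SecurityStudio’s own code. It assumes the caller already knows whether a score is “current,” since the page does not define the validity window, and it treats classifications other than High and Medium as out of scope for residual risk assessment.

```python
from dataclasses import dataclass
from typing import Optional

# Score bounds and the default threshold as stated in the text.
FISASCORE_MIN = 300
FISASCORE_MAX = 850
DEFAULT_THRESHOLD = 660

# Possible Phase 3 outcomes (names are constructed for this example).
OUTCOME_COMPLETE = "Phase 3 complete: acceptable FISASCORE, evaluate in Phase 4"
OUTCOME_HIGH_QUESTIONNAIRE = "send High Residual Risk Questionnaire"
OUTCOME_MEDIUM_QUESTIONNAIRE = "send Medium Residual Risk Questionnaire"
OUTCOME_NOT_ASSESSED = "no residual risk assessment (only High and Medium are assessed)"


@dataclass
class ThirdParty:
    name: str                        # constructed sample value
    classification: str              # Phase 2 inherent-risk class: "High", "Medium", ...
    fisascore: Optional[int] = None  # None when the third party has no FISASCORE
    score_is_current: bool = False   # assumption: currency is decided upstream by the caller


def phase3_outcome(tp: ThirdParty, threshold: int = DEFAULT_THRESHOLD) -> str:
    """Return the Phase 3 routing decision for one third party."""
    if not FISASCORE_MIN <= threshold <= FISASCORE_MAX:
        raise ValueError(f"threshold {threshold} outside {FISASCORE_MIN}-{FISASCORE_MAX}")
    if tp.classification not in ("High", "Medium"):
        return OUTCOME_NOT_ASSESSED
    # A current score is compared against the organization's threshold.
    if tp.fisascore is not None and tp.score_is_current:
        if not FISASCORE_MIN <= tp.fisascore <= FISASCORE_MAX:
            raise ValueError(f"FISASCORE {tp.fisascore} outside valid range")
        if tp.fisascore >= threshold:
            return OUTCOME_COMPLETE
    # No score, a stale score, or an unacceptable score all take the same path:
    # a questionnaire commensurate with the inherent-risk classification.
    if tp.classification == "High":
        return OUTCOME_HIGH_QUESTIONNAIRE
    return OUTCOME_MEDIUM_QUESTIONNAIRE
```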
All notifications to third parties are managed by SecurityStudio so that administrators don’t need to track and manage follow-up tasks.
All questionnaires are completed via an authenticated and secure online portal provided to the third-party provider.
High Residual Risk Questionnaire
By default, the High Residual Risk Questionnaire leverages similar criteria* to those used in calculating the FISASCORE. This is important for (at least) five reasons:
- Validation of the questionnaire will result in a genuine FISASCORE that can be reused in other applications.
- The common set of criteria allows for better comparisons and consistent baselining across all third parties.
- Deliverables from the FISASCORE can be used to build the third-party security program and/or identify the greatest areas of concern accompanied by actionable recommendations. The FISASCORE provides value to the third party in this way.
- For the most impactful third parties, a FISASCORE can be validated by personnel who are certified by SecurityStudio® to complete validations. This ensures consistency across organizations who use SecurityStudio and FISASCORE.
- Validation of the FISASCORE can be done using in-house personnel, through SecurityStudio, or through any of the SecurityStudio partners. Today there are more than a dozen SecurityStudio partner organizations who are certified to perform validations.
Medium Residual Risk Questionnaire
By default, the Medium Residual Risk Questionnaire leverages the same criteria used in the calculation of the FISASCORE Estimator. The FISASCORE Estimator is a freely available assessment provided to anyone online and is also built into SecurityStudio. The important reasons why we’ve chosen to use the same criteria include the following:
- Any organization, with or without VENDFENSE, can get a score at no cost to the third party, and that score can be reused for third-party information security risk management if the inherent risk calculation results in a Medium classification.
- It ensures consistency within SecurityStudio and with all other uses of the FISASCORE Estimator.
- The FISASCORE Estimator is an easy, no-cost introduction to all that FISASCORE is and can be used for.
The result of the questionnaire process is a FISASCORE. The score is objective and automatic, and if the third party provides accurate and truthful information, the FISASCORE will be a true measurement of information security risk. There are times when you don’t believe that the information provided by the third party is accurate and true; these are times when you might want validation. There are also times when a third party is so critical to the success of your organization that you want validation for that reason alone. Regardless of the reason for validation, you are in control.
Now that the third parties have been assessed for residual risk, we move on to Phase 4 of VRM – Risk Treatment.
*Vulnerability scanning data, crime rate index, and natural threat data are not employed in the High Residual Risk Questionnaire but are used in the full FISASCORE and validated FISASCORE.