- November 18, 2022: Additional trust score category.
Objective measurement is important for monitoring third-party security performance across the organization. A consistent and easy to understand scoring system will improve decision-making, enhance visibility, and demonstrate the value of the program.
If you do not see the Settings icon, it means you do not have the right access level.
To configure or modify the existing configuration of your Impact and Trust scores, select the Settings icon on the left navigation bar and go to the Scoring tab.
ThirdPartyTrust introduces these scores for you to include in you vendor assessment:
Trust Score
The Trust Score is a measure of the trustworthiness of a vendor based on security attribute best associated with a security posture. This score is on a 0-100 scale.
You may configure your Trust Score based on your business processes, or your third party risk management program:
- Assign weights to the different Trust score factors.
- If you do not want to include any factor, simply assign 0% weight to it.
- Additional information from 3PT data providers could be added when calculating the trust score based on purchased licenses and integrations.
- Trust score factors must add up to 100%.
To determine your Trust Score, the platform provides the following default categories:
| Category | Recommendations |
|---|---|
| External Audits / assessment | Score this category according to the impact these documents have over your company. Evaluate documentation such as pentest, general external audit or application scan completed, in addition to dates and scores. |
| Certifications | Similar to External Audits / assessment, score this category according to the impact these documents have over your company. Evaluate what certifications you have, when they were achieved and overall results. |
| Full Time CISO | Evaluate based on the weight and importance of your third party having a full time CISO has for you. |
| Insurances | Score this category according to how important it is for your evaluation that your third party has a cyber security insurance policy. |
| Questionnaires | Evaluate based on questionnaires’ (added to your profile) score. |
| Bitsight | Weight this category based on the security posture of any vendor with Bitsight. |
An extra category that can be used only if you have RiskRecon paid licenses and a valid API key inside Settings ➔ Integrations:
| Category | Recommendations |
|---|---|
| RiskRecon | Weight this category based on the security posture of any vendor with RiskRecon. |
The platform allows you to modify this score, in addition to the category scoring, according to the following:
- Determine automatic adjustment to the scores based on Findings. This adjustment determines how the Trust Score will be affected for each finding’s level of criticality assigned to a vendor.
- However, manual adjustments are also available if required.
Impact Score
The Impact Score is based on much impact your vendor relation has to your company. It evaluates how your organization interacts with the vendor, regardless of their security posture, in order to determine how much risk/impact this vendor poses to your organization, omitting any controls.
Configure your Impact Score based on your business processes, or your third party risk management program:
- If you do not want to include any of the out-of-the-box categories, simply assign 0% weight to it.
- To add new custom categories, select +Add, enter the category name, its definition, and then select Submit.
- Impact score categories must add up to 100%.
- You may assess each vendor on these criteria using:
- 3 step selector (Low, Medium, High)
- 5 step selector (Very Low, Low, Medium, High, Very High)
- 0-100%
To determine your impact Score, the platform provides the following default categories:
| Category | Recommendations |
|---|---|
| Ease of Replacement | Evaluate how easy you could replace this third party product or service with others. |
| Legal and Regulatory Requirements | Analyze the applicable legal and regulatory requirements of your company information that will be shared with the third party being evaluated. |
| Criticality of Service | Rate how critical the service or product, provided by this third party is to your company. |
| Type of Information | Rate based on the type of information (from your company) this third party will possess or have access to, and the importance of it. |
| Volume of Information | Score this criteria based on the volume of sensitive company information the third party will possess or have access to. |
| Size of Commitment | Analyze in terms of the size of your company's commitments, considering overall cost, agreement, and number of users. |
Risk Score
- Impact Score + Trust Score = Risk Score
- The Risk Score is instrumental in understanding the total risk of a vendor.
- It gives an overall risk measure of a vendor which is obtained by adding the Trust and Impact Score.
Possible combinations:
| Combination | Description |
|---|---|
| Low Impact + Low Trust |
Low to Medium Risk A vendor is a low business risk to the organization and doesn’t supply enough evidence to support that they have a strong security posture. It’s a low risk vendor. |
| High Impact + Low Trust |
High Risk A vendor is a high business risk to the organization but doesn’t supply enough evidence to support that they have a strong security posture. They are considered high risk. |
| High Impact + High Trust |
Low to Medium Risk A vendor is a high business risk to the organization and supplies abundant evidence to support that they have a strong security posture. They are still a risk but there’s enough confidence they have a security focus. |