Set up the weights for the Trust Score (a measure of a vendor's trustworthiness based on the security attributes most associated with good security posture) and for the Impact Score.
The weights must add up to 100%.
Trust Score Weights
The Trust Score is a measure of the trustworthiness of a vendor based on security attributes best associated with good security posture.
Recommendation: weight the categories according to the impact these documents have on your company.
Factor | Description |
---|---|
Bitsight Rating | Weight this category based on the security posture of any vendor with Bitsight. |
Certifications | Evaluate your vendor's certifications, when they were achieved, and the overall results. |
Insurances | Evaluate that your vendor has a cybersecurity insurance policy. |
External Audits/Assessments | Evaluate documentation (such as pentest, general external audit, or application scan completed) in addition to dates and scores. |
Questionnaires | Evaluate based on questionnaire scores. |
Full Time CISO Present | Weight this category according to how important it is to you that your vendor has a full-time CISO. |
Impact Score Weights
Select +Add Custom Category to enter a custom category.
Factor | Description |
---|---|
Criticality of Service | Set your tolerance for a loss of critical services. Services that host critical systems or are essential to your business should be rated higher. |
Ease of Replacement | Rate the ease of transition when replacing services. If there are few providers in the marketplace and transition is difficult, the provider's risk rating should be higher. |
Legal and Regulatory Requirements | Determine whether the company information shared with the third-party service provider is subject to legal and regulatory requirements. The more extensive the requirements, the higher its risk rating should be. Example requirements: |
Size of Commitment | Determine the size of your company's commitments to the third party in terms of overall cost, term of the agreement, and number of company users. Contracts that are costly, lengthy, and affect large numbers of company users are inherently riskier than contracts with relatively lower costs, shorter terms, and fewer affected users. |
Type of Information | Determine the types of company information the third-party service provider can possess or access. A third party that possesses or has access to regulated or sensitive company information should be rated higher than one that does not. Company information examples: |
Volume of Information | Determine how much sensitive company information the third party can possess or access. The greater the volume of sensitive records the third-party service provider possesses or has access to, the higher its risk rating should be. |
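The page states only that the weights must add up to 100%, not how the product turns weights and factor ratings into a score. The following added example (not Bitsight's code) assumes each factor is rated 0-100 and that a score is the weighted average of those ratings; the weight and rating values, and the custom category "Data Residency", are constructed.

```python
# Added example, not Bitsight's code. Assumptions: factors are rated 0-100 and
# a score is the weighted average of its factor ratings. The page only says the
# weights must add up to 100%; it does not state the product's formula.

def validate_weights(weights: dict[str, float]) -> None:
    """Reject negative weights and any set that does not add up to 100%."""
    negative = [f for f, w in weights.items() if w < 0]
    if negative:
        raise ValueError(f"negative weight for {negative}")
    total = sum(weights.values())
    if abs(total - 100.0) > 1e-9:
        raise ValueError(f"weights must add up to 100%, got {total:g}%")

def weights_are_valid(weights: dict[str, float]) -> bool:
    """Boolean form of validate_weights, suitable as a pre-save check."""
    try:
        validate_weights(weights)
    except ValueError:
        return False
    return True

def weighted_score(weights: dict[str, float], ratings: dict[str, float]) -> float:
    """Weighted average of 0-100 ratings; every weighted factor needs a rating."""
    validate_weights(weights)
    missing = sorted(set(weights) - set(ratings))
    if missing:
        raise ValueError(f"no rating for {missing}")
    out_of_range = [f for f in weights if not 0 <= ratings[f] <= 100]
    if out_of_range:
        raise ValueError(f"rating outside 0-100 for {out_of_range}")
    return sum(weights[f] * ratings[f] for f in weights) / 100.0

# Constructed sample: the Trust Score factors from the table above.
TRUST_WEIGHTS = {"Bitsight Rating": 40, "Certifications": 10, "Insurances": 10,
                 "External Audits/Assessments": 20, "Questionnaires": 15,
                 "Full Time CISO Present": 5}
TRUST_RATINGS = {"Bitsight Rating": 80, "Certifications": 100, "Insurances": 0,
                 "External Audits/Assessments": 70, "Questionnaires": 60,
                 "Full Time CISO Present": 100}

# Constructed sample: the Impact Score factors plus one invented custom
# category ("Data Residency"), as added via +Add Custom Category.
IMPACT_WEIGHTS = {"Criticality of Service": 25, "Ease of Replacement": 15,
                  "Legal and Regulatory Requirements": 15, "Size of Commitment": 10,
                  "Type of Information": 20, "Volume of Information": 10,
                  "Data Residency": 5}
IMPACT_RATINGS = {"Criticality of Service": 90, "Ease of Replacement": 60,
                  "Legal and Regulatory Requirements": 80, "Size of Commitment": 40,
                  "Type of Information": 100, "Volume of Information": 70,
                  "Data Residency": 50}

if __name__ == "__main__":
    print(f"Trust Score: {weighted_score(TRUST_WEIGHTS, TRUST_RATINGS):.1f}")   # 70.0
    print(f"Impact Score: {weighted_score(IMPACT_WEIGHTS, IMPACT_RATINGS):.1f}") # 77.0
    print("90% total accepted:", weights_are_valid({"Bitsight Rating": 90}))     # False
```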
- January 10, 2024: Published.