Assessment Setup: Scoring

Set up the weights for the Trust Score and the Impact Score. Within each score, the category weights must add up to 100%.

Trust Score Weights

The Trust Score is a measure of the trustworthiness of a vendor, based on the security attributes most closely associated with good security posture.

Recommendation: weight each category according to how much that type of evidence matters to your company.

Bitsight Rating: Weight this category based on the Bitsight security rating of the vendor. This applies to any vendor that has a Bitsight rating.

Certifications: Evaluate the vendor's certifications, when they were achieved, and the overall results.

Insurance: Evaluate whether the vendor holds a cybersecurity insurance policy.

External Audits/Assessments: Evaluate documentation of external assessments (such as a penetration test, a general external audit, or a completed application scan), together with their dates and scores.

Questionnaires: Evaluate based on the vendor's questionnaire scores.

Full-Time CISO Present: Weight this category according to how important it is to you that the vendor has a full-time CISO.

Impact Score Weights

Select +Add Custom Category to enter a custom category.

Criticality of Service: Set your tolerance for a loss of critical services. Services that host critical systems, or that are essential to your business, should be rated higher.

Ease of Replacement: Rate how easily the service could be replaced. If there are few providers in the marketplace and transition would be difficult, the provider's risk rating should be higher.

Legal and Regulatory Requirements: Determine whether the company information shared with the third-party service provider is subject to legal and regulatory requirements. The more extensive the requirements, the higher the risk rating should be. Example requirements:
- PCI Data Security Standard (DSS)
- Health Insurance Portability and Accountability Act (HIPAA)
- Gramm-Leach-Bliley Act (GLBA)
- Fair and Accurate Credit Transactions Act (FACTA)
- Local, federal, and international breach notification laws
- Local, federal, and international privacy laws

Size of Commitment: Determine the size of your company's commitment to the third party in terms of overall cost, term of the agreement, and number of company users. Contracts that are costly, lengthy, and affect large numbers of company users are inherently riskier than contracts with lower cost, shorter terms, and fewer affected users.

Type of Information: Determine the types of company information the third-party service provider possesses or has access to. A provider that possesses or has access to regulated or sensitive company information should be rated higher than one that does not. Company information examples:
- Personally identifiable information (PII)
- Nonpublic financial information
- Credit/debit cardholder information
- Protected health information
- Intellectual property (e.g., trade secrets)

Volume of Information: Determine how much sensitive company information the third party possesses or has access to. The greater the volume of sensitive records the provider possesses or can access, the higher the risk rating should be.

January 10, 2024: Published.