- Plans are re-run daily. The risk vectors in the plan are reprioritized or dropped from the analysis when findings are remediated, decay, or complete their lifetimes.
- Plans use aggregate subsidiary data instead of specific findings. This means that the projected score increases are estimates rather than exact improvements.
- Plans do not account for lifetimes. The rating improves sooner with risk vectors that have a shorter lifetime than those with a longer lifetime.
- Subsidiary Improvement generates an ideal improvement plan, but there may actually be ties or equally ideal plans that aren't shown. This may account for changes in the plan over time, when one version of the plan becomes better than another.
- The Security Incidents risk vector cannot be remediated. If the parent company is impacted by this risk vector, the projected security rating at the end of the plan may be less than 800.
Interpreting the Plan
- Since the impact of a subsidiary’s Patching Cadence findings on the parent cannot always be measured, the rating improvement from the fixes made across all subsidiaries is projected at the parent level.
- The plan is divided into steps. Each step represents a different risk vector at one of your subsidiaries. The size of each step shows how much it affects the parent's overall security rating.
- The plan shows the most important fixes first. This means that fixing the issues listed earlier has a bigger impact than fixing those listed later.
- The light gray band indicates what the parent company's rating could be if the findings from the previous steps are remediated.
- The blue and dark gray bands indicate the impact on the parent rating if the findings are resolved during a step.
- Sometimes, a step might include multiple subsidiaries. These subsidiary findings are grouped together so that they have a visible impact (at least 10 points) on the parent rating.
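To make the plan structure described above concrete, here is an added Python model (not the vendor's own code or algorithm): it orders risk vectors by estimated impact, pools subsidiaries whose impact is under 10 points for the same risk vector into one combined step, skips the unremediable Security Incidents vector, and projects the parent rating before and after each step. The sample data, the 800-point target and the handling of leftover small items are assumptions.

```python
from dataclasses import dataclass
from collections import defaultdict

# Constructed sample data: estimated parent-rating gain (points) from remediating
# every finding of one risk vector at one subsidiary. Values are illustrative only.
SAMPLE_ITEMS = [
    ("Sub A", "Patching Cadence", 40),
    ("Sub B", "Patching Cadence", 6),
    ("Sub C", "Patching Cadence", 5),
    ("Sub A", "Open Ports", 25),
    ("Sub B", "Open Ports", 12),
    ("Sub C", "Security Incidents", 15),  # cannot be remediated, so never planned
]

MIN_VISIBLE_POINTS = 10            # a grouped step must show at least 10 points
UNREMEDIABLE = {"Security Incidents"}


@dataclass
class Step:
    risk_vector: str
    subsidiaries: list
    points: int
    rating_before: int = 0         # light gray band: rating once prior steps are done
    rating_after: int = 0          # blue / dark gray band: rating once this step is done


def build_plan(items, start_rating, target_rating=800):
    """Return ordered steps with the projected parent rating before and after each.

    Simplified model (an assumption, not the vendor's algorithm): per risk vector, each
    subsidiary worth >= MIN_VISIBLE_POINTS is its own step; smaller subsidiaries for the
    same risk vector are pooled into one step. Steps are sorted largest impact first and
    the plan ends once the target rating is reached.
    """
    by_vector = defaultdict(list)
    for sub, vector, pts in items:
        if vector not in UNREMEDIABLE:
            by_vector[vector].append((pts, sub))
    steps = []
    for vector, entries in by_vector.items():
        pool = Step(vector, [], 0)
        for pts, sub in sorted(entries, reverse=True):
            if pts >= MIN_VISIBLE_POINTS:
                steps.append(Step(vector, [sub], pts))
            else:
                pool.subsidiaries.append(sub)
                pool.points += pts
        if pool.subsidiaries:      # leftover small items kept as one step (assumption)
            steps.append(pool)
    steps.sort(key=lambda s: s.points, reverse=True)
    rating, plan = start_rating, []
    for step in steps:
        if rating >= target_rating:
            break
        step.rating_before = rating
        rating += step.points
        step.rating_after = rating
        plan.append(step)
    return plan
```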
Prioritizing Risk Vectors
To prioritize findings within a risk vector, use Risk Remediation or apply a general remediation strategy.
Completing a Step
To complete a step, you must remediate all findings associated with the indicated risk vector at the subsidiary. Completing steps out of order may not yield the same impact on the parent, because some steps rely on the preceding step to deliver the level of impact shown in the plan.
- November 11, 2024: How Patching Cadence is interpreted in the plan.
- October 23, 2024: Linked to lifetime definition.
- April 11, 2024: Broken out from the Enterprise Analytics article.