The Subsidiary Improvement page presents an improvement plan for a parent company based on risk vector grades at its subsidiaries. It projects how much a parent company’s rating could improve if all findings from the indicated risk vectors at a given subsidiary were remediated.
Interpreting the Plan
The Subsidiary Improvement page presents a multi-step improvement plan that raises your parent company rating by improving risk vector grades at your subsidiaries. It can help you decide which issues to fix first at which subsidiaries.
The plan is divided into steps. Each step represents a different risk vector at one of your subsidiaries. The size of each step shows how much it affects the parent's overall security rating.
To complete a step, you must remediate all findings associated with the indicated risk vector at the subsidiary. To prioritize findings within a risk vector, use the Risk Remediation plan or follow a general remediation strategy.
Completing steps out of order may not yield the same impact on the parent. Some steps rely on the preceding step to achieve the level of impact shown in the plan.
The plan shows the most important fixes first. This means that fixing the issues listed earlier will have a bigger impact than fixing those listed later.
- The light gray band indicates what the rating of the parent company will be if the findings from the previous steps are remediated.
- The blue and dark gray bands indicate the impact on the parent rating if the findings are resolved during a step.
Sometimes, a step may include multiple subsidiaries. These subsidiary findings are grouped together so that they have a visible impact (at least 10 points) on the parent rating.
Notes
- The plan is re-run daily. As findings are remediated, decay, or complete their lifetimes, the risk vectors in the plan will move around or drop from the analysis.
- The plan uses aggregate subsidiary data instead of specific findings. This means that score increases are very close estimates rather than exact improvements.
- The plan does not account for lifetimes. Risk vectors with a shorter lifetime will see their rating improve sooner than risk vectors with a longer lifetime.
- The Security Incidents risk vector cannot be remediated. If the parent company is impacted by this risk vector, the projected security rating at the end of the Subsidiary Improvement plan may be less than 800.
- Subsidiary Improvement generates an ideal improvement plan, but there may actually be “ties” or equally ideal plans that aren't shown. This may account for changes in the plan over time, when one version of the plan becomes better than another.