- November 12, 2021: Moved directory.
- August 6, 2020: Added the “Effectively Manage Third Party Risk Programs” Bitsight Academy course.
Empowering businesses with the insight needed to proactively quantify and mitigate third party risk. With daily security ratings, we provide the insight an organization needs to proactively and continuously manage third parties.
Bitsight Security Ratings for Third Party Risk Management (TPRM) enables organizations to identify, quantify and mitigate the risk inherent in sharing sensitive data with vendors and business partners. This automated service analyzes, rates, and monitors the security performance of third parties, all from outside the company.
Tools
With new threats emerging daily, managing third parties is becoming increasingly critical to protecting your assets. Understanding the associated risk with your vendors on an ongoing basis can be challenging and expensive. Questionnaire-based assessments are important but insufficient, as they are static and subjective. Point-in-time penetration tests are costly and do not reflect on-going risk.
The following automated tools are provided so you can proactively mitigate risk by allowing you to continuously measure and monitor the security performance of your vendors:
| Tool | Description |
|---|---|
| Portfolio Risk Matrix | Quickly identify high concentrations of risk based on tier (criticality to your organization) and security risk (based on security rating), to prioritize action accordingly. |
| Action Plan | |
| Enable Access Program Reporting | Invite vendors or monitored companies to collaborate via the Enable Access Program. This provides temporary use of the Bitsight Security Ratings Platform to view their own security rating and supporting data. |
Prioritizing Actions
The Portfolio Risk Matrix and Action Plan panels are comprised of 3 levels of recommended actions. They are driven by the level of criticality for a group of third parties (indicated by tier) and by their current security risk posture (based on Security Rating). These categories can be used to prioritize and focus mitigation of third party risk:
- Monitor: No immediate action is needed. Companies in this category have good security posture and can be continuously monitored and evaluated more thoroughly depending on available resources.
- Review: Investigating the security posture of your third parties in this category is recommended, to gain a deeper understanding of their developments and help determine if any action or follow up is necessary. Companies in this category are starting to either fall behind in addressing security issues or they are still in the process of implementing plans for issue response and remediation.
- Escalate: Enabling access to the Bitsight Security Ratings Platform is recommended for your third parties in this category to prompt the investigation and remediation of issues that have been identified. Collaborate via the Enable Access Program.
Getting Started with Alerts
Align alert setting with TPRM specifications to grow your TPRM program towards a risk-based, automated, and performance-driven solution.
Alerts are configured for tiers and folders. Each of the alert categories help your organization better monitor the security performance of portfolio companies.
Example: You may want to have tighter alerting for companies in your 1 - 3 tiers, and then less frequent alerts for tiers 4 and 5.
Learn more about alerts or how to enable or edit alerts.