- Identify the findings you must remediate in order to reach the target risk vector grade by the specified due date.
- Simulate changes in your grade based on findings remediation.
How is this forecast different from Forecasting? How is it the same?
This forecast uses specific findings to calculate what the headline rating will be in the future, whereas the forecasts on the Forecasting page use a projection based on average findings values. The Patching Cadence risk vector in Forecasting does use real findings values because of the complexity of the risk vector.
RRPs and the Risk Remediation Forecast are available with some SPM packages for My Companies and MySubsidiary subscriptions.
Calculation Assumptions
- The forecast assumes that findings will be fixed in priority order as listed in the plan at a linear rate until the remediation due date.
- The forecast assumes that findings will cease impacting the risk vector grade when they complete their lifetimes.
- The forecast assumes FAIR and GOOD findings will remain consistent, and does not account for a change in the risk vector grade when they complete their lifetimes.
- The forecast does not assume that there will be new findings for Diligence risk vectors, but assumes there will be a consistent rate of new findings for Compromised Systems risk vectors.
Running a Risk Remediation Forecast
- Select Run Forecast.
- Set a Due Date.
- Use the toggles to select RRPs to include in the forecast.
To automatically set the goal grade to an A for all risk vectors for which you have an RRP generated or for which you have findings, select Select All Plans.
- Set target risk vector grades using the sliders.
The target grade for Patching Cadence is automatically set to an A. Patching Cadence grades worsen over time if left unremediated. We can only estimate a grade-based outcome if all findings are resolved.
- Select Run Forecast.
Risk Remediation forecasts are not shared between users. Only the user who generated the forecast will see it.
You can run a forecast off of an RRP for up to 14 days. Forecasts that are run off of old RRPs do not include new findings and may continue to include findings that have completed their lifetimes.
Reading the Risk Remediation Forecast Chart
There are five sections at the top of the Risk Remediation Forecast chart.
Section | Description |
---|---|
Forecast Timeline | The date range of the forecast. Forecasts show two years of data: one real year, and one simulated year. |
Forecast Due Date | The due date specified during setup. |
User Defined Forecast | The simulated rating improvement based on the due date and target risk vector grades. |
Risk Vectors Included | The number of risk vectors selected during setup. Hover over this number to see a list of included risk vectors. |
Total Findings Included | The total number of findings included in your forecast. Select the number in this section to open these findings in the Findings page. |
The main body of the chart displays your forecast. Hover and move your cursor over the chart to view historical and simulated ratings on particular dates. The chart contains the following ranges of your forecasted security rating:
Field | Description |
---|---|
Rating | The current security rating trend line. Represented by a thick black line. |
User Defined Forecast | A projection of how your security rating might change based on your inputs. |