Risk Remediation Forecast

Jessica

The Risk Remediation Forecast [Action Plans ➔ Risk Remediation] generates a forecast based on your inputs and the data in your Risk Remediation Plans (RRPs). It uses a remediation due date and target risk vector grades to:

- Identify the findings you must remediate in order to reach the target risk vector grade by the specified due date.
- Simulate changes in your grade based on findings remediation.

Base Plan vs. Custom Plans in Forecast

Forecasts can be generated from either the Bitsight Base Plan or a Custom Plan.

- When the Base Plan is selected, the forecast reflects Bitsight’s most efficient path to an A grade.
- When a Custom Plan is selected, the forecast is generated based only on the findings and assumptions in that custom plan.

This means:

- Excluded findings in a Custom Plan will not be included in the forecast.
- Forecast outcomes may differ from the Base Plan depending on your selected constraints.
- You can model realistic remediation scenarios while still comparing results against the Base Plan for reference.

How is this forecast different from Forecasting? How is it the same?

This forecast uses specific findings to calculate what the headline rating will be in the future, whereas the forecasts on the Forecasting page use a projection based on average findings values.
The Patching Cadence risk vector in forecasting does use real findings values because of the complexity of the risk vector.

RRPs and the Risk Remediation Forecast are available with some SPM packages for My Companies and MySubsidiary subscriptions.

Calculation Assumptions

- The forecast assumes that findings will be fixed in priority order as listed in the plan at a linear rate until the remediation due date.
- The forecast assumes that findings will cease impacting the risk vector grade when they complete their lifetimes.
- The forecast assumes FAIR and GOOD findings will remain consistent, and does not account for a change in the risk vector grade when they complete their lifetimes.
- The forecast does not assume that there will be new findings for Diligence risk vectors, but assumes there will be a consistent rate of new findings for Compromised Systems risk vectors.

Running a Risk Remediation Forecast

1. Select Run Forecast.
2. Set a Due Date.
3. Use the toggles to select RRPs to include in the forecast. To automatically set the goal grade to an A for all risk vectors for which you have an RRP generated or for which you have findings, select Select All Plans.
4. Set target risk vector grades using the sliders. The target grade for Patching Cadence is automatically set to an A. Patching Cadence grades worsen over time if left unremediated. We can only estimate a grade-based outcome if all findings are resolved.
5. Select Run Forecast.

Risk Remediation forecasts are not shared between users. Only the user who generated the forecast will see it.

You can run a forecast off of an RRP for up to 14 days. Forecasts that are run off of old RRPs do not include new findings and may continue to include findings that have completed their lifetimes.

Reading the Risk Remediation Forecast Chart

There are five sections at the top of the Risk Remediation Forecast chart.

| Section | Description |
| --- | --- |
| Forecast Timeline | The date range of the forecast. Forecasts show two years of data: one real year, and one simulated year. |
| Forecast Due Date | The due date specified during setup. |
| User Defined Forecast | The simulated rating improvement based on the due date and target risk vector grades. |
| Risk Vectors Included | The number of risk vectors selected during setup. Hover over this number to see a list of included risk vectors. |
| Total Findings Included | The total number of findings included in your forecast. Select the number in this section to open these findings in the Findings page. |

The main body of the chart displays your forecast. Hover and move your cursor over the chart to view historical and simulated ratings on particular dates. The chart contains the following ranges of your forecasted security rating:

| Field | Description |
| --- | --- |
| Rating | The current security rating trend line. Represented by a thick black line. |
| User Defined Forecast | The User Defined Forecast is a projection of how the security rating can change over time with an acceptable level of reliability, illustrating the potential variability in future security ratings. It is depicted with a dark blue and light blue band. The inner dark blue band depicts between the 25th and 75th percentiles, representing a 50% probability. The outer light blue band represents between the 5th and 95th percentiles, extending the certainty to encompass a total of 90%. |
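To see what the first two Calculation Assumptions imply for planning, the following added example (not Bitsight code, and not how Bitsight computes grades) turns a plan into per-finding dates. It assumes that "linear rate" means evenly spaced fixes between the forecast start and the due date; the finding IDs, dates and tuple layout are constructed for illustration.

```python
from datetime import date, timedelta

def remediation_schedule(findings, start, due):
    """Map a prioritized plan to the dates the stated assumptions imply.

    findings: list of (finding_id, lifetime_end or None) in plan priority order.
    Returns a list of (finding_id, assumed_fix_date, stops_impacting_on).
    """
    if due <= start:
        raise ValueError("due date must be after the forecast start date")
    window = (due - start).days
    total = len(findings)
    schedule = []
    for rank, (finding_id, lifetime_end) in enumerate(findings, start=1):
        # Assumed reading of "linear rate": the k-th finding in priority
        # order is fixed once k/total of the window has elapsed.
        fix_date = start + timedelta(days=(window * rank) // total)
        # A finding stops counting when it is fixed or when its lifetime
        # completes, whichever comes first.
        stops = min(fix_date, lifetime_end) if lifetime_end else fix_date
        schedule.append((finding_id, fix_date, stops))
    return schedule

def still_impacting(schedule, on):
    """IDs of findings that still count toward the grade on a given date."""
    return [fid for fid, _fix, stops in schedule if stops > on]

# Constructed sample plan: four findings in priority order, 60-day window.
START = date(2025, 1, 1)
DUE = date(2025, 3, 2)
SAMPLE_PLAN = [
    ("F-001", None),
    ("F-002", None),
    ("F-003", date(2025, 2, 1)),   # lifetime ends before its fix slot
    ("F-004", date(2025, 6, 1)),   # lifetime ends after the due date
]

if __name__ == "__main__":
    for fid, fix, stops in remediation_schedule(SAMPLE_PLAN, START, DUE):
        print(f"{fid}: fix by {fix}, stops impacting {stops}")
```

Comparing actual closure dates against the assumed fix dates shows early whether remediation is falling behind the pace the forecast was built on.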