- Risk assessment scores
- Bitsight security rating and incidents
- Security requirements and documentation
- Findings and internal notes
Use this report to make informed decisions, strengthen vendor relationships, and proactively mitigate risks.
Available in the Vendor Risk Management application for Admin, Operations, and View Only roles.
Learn more about the sections in the report and their key details:
- Overview
- Risk Assessment Scores
- Bitsight Security Rating and Security Incidents
- Security Requirements - Questionnaires
- Security Requirements - Insurance, Certificates and Assessment Policies
- Findings
- Internal Notes
Overview
The Overview section provides foundational information about the vendor, serving as the first step in understanding their role, relationship, and basic attributes.
- Connection Date: Indicates when the vendor accepted the connection request, providing a timeline of engagement.
- Description: The internal description that outlines the vendor's services or products.
- Life Cycle State: The current stage of your vendor within the TPRM process.
- Tags: Used to categorize and group vendors for streamlined analysis (e.g., criticality, industry).
- Vendor Details: Includes the vendor’s logo, name, or nickname for easy identification.
Risk Assessment Scores
As a core component of the report, the risk assessment score provides an objective measurement of the vendor's risk profile, using a consistent scoring system to monitor their security performance.
Bitsight Security Rating and Security Incidents
The Bitsight Security Rating and Security Incidents section provides deeper insights into a vendor’s historical and current security performance, complemented by the likelihood of security incidents and ransomware.
- Security Ratings: Displays the vendor’s security performance both from last year and as of today, offering a clear view of their progress and current standing.
- Risk of Ransomware: Indicates the likelihood of the vendor becoming a victim of ransomware.
- Risk of Security Incident: Indicates the likelihood of the vendor experiencing a data breach.
Security Requirements - Questionnaires
The Security Requirements - Questionnaires section summarizes vendor responses to assigned security questionnaires and provides an overview of compliance with standards.
- Bitsight Risk Vectors: Risk vectors graded C or below, correlated to the relevant control area.
- Control Area: The control area, as listed within the questionnaire and respective score.
- Findings: A breakdown by criticality for each control area.
- Legend: Provides definitions of scores, findings, and risk grades to ensure clarity.
- Questionnaire Summaries: A summary of the questionnaire along with its name and the overall score.
- Risk Vectors: Highlights key areas of concern (e.g., grades of C or below).
Security Requirements - Insurance, Certificates and Assessment Policies
Centralizes all supporting documents requested from the vendor, including certifications, insurances, and audits, to assess their compliance.
- Audits: Details auditing bodies, completion dates, and related findings.
- Certifications: Shows achievement dates, expiration dates, and related findings.
- Insurances: Lists provider, expiration date, and any related findings.
Findings
The Findings section contains a comprehensive list of vendor findings, sorted by criticality, with descriptions and status to track remediation progress, ensuring transparency and accountability.
- Criticality: Findings are classified using a color-coded scale.
- Descriptions: A clear, concise summary of each finding.
- Reported Dates: Tracks the timeline of identified issues.
Internal Notes
Captures vendor-specific notes and observations for internal use, providing deeper insights for stakeholders.
- Audit Information: Highlights any associated audits tied to the note.
- Most Recent First: Notes are sorted in descending order by date for easy reference.
- Purpose: Enables internal teams to retain important context for future assessments and decision-making.
- March 24, 2025: Published.