A Risk Remediation Forecast projects future risk vector grades based on your inputs and the data in your Risk Remediation Plans (RRPs).
Risk Remediation is available with some SPM packages for My Companies and MySubsidiary subscriptions.
RRPs are available for the following risk vectors:
- Patching Cadence
- TLS/SSL Certificates
- TLS/SSL Configurations
- Web Application Headers
- Desktop Software
- Mobile Software
This article covers RRP calculation, capabilities, and interpretation. To learn more, refer to the following articles:
- Running a Risk Remediation Plan
- Scheduling a Risk Remediation Plan
- Risk Remediation Plan Details by Risk Vector
- Risk Remediation Forecast
How It Works: Calculation and Capabilities
RRPs are point-in-time, so outside factors like new findings, infrastructure changes, and changes in our inventory of companies can shift the outcome of the report.
Patching Cadence Risk Vector
This RRP projects your future risk vector grade based on different remediation scenarios, prioritizing the most severe findings to prevent your grade from deteriorating.
All Other Risk Vectors
These RRPs show the most efficient path to improve a risk vector grade to an A based on the grade-impacting findings at the time of calculation.
RRPs are calculated with the assumption that fixed findings become or are replaced by Good findings. Good findings have the highest impact on your risk vector grades. There are many valid ways to remediate, mitigate, or improve findings, but not all result in a Good finding.
In addition to findings that need to be fixed, RRPs contain findings that need to be maintained. When a plan is calculated, the combined weight of the findings to maintain plus the anticipated weight of the findings you fix along the way is enough to improve your grade to an A.
Remediating findings in the Maintain for an A group helps pad your ratio of positive to negative findings and can potentially protect your A grade from dropping as new findings occur.
An RRP calculates the most efficient remediation path to an A, no more and no less. It does not take into account what happens if you don't follow the plan. If you skip or ignore a finding that the plan has identified as part of your path, it remains on your RRP. Remediated findings remain on your RRP until they have completed their lifetime.
Reading a Plan
The RRP supports multiple risk vectors. The data in each plan is laid out differently, but the overall structure remains the same: findings are listed from most to least impactful and separated into groups.
Patching Cadence Risk Vector
The Patching Cadence RRP is generated as a PDF. Instead of recommending one course of action, this PDF examines different remediation scenarios and projects your risk vector grade depending on the number, severity, and duration of vulnerabilities remediated. This RRP considers a subset of unremediated findings to be fixed to calculate the projected grade; due to the nature of this risk vector, remediated findings continue to impact your grade over time.
All Other Risk Vectors
Groups contain the findings that need to be fixed to improve your letter grade from the current grade to the next in sequence. This improvement is usually from one grade to the next, such as C → B, but in rare cases you may see skip-level groups such as C → A.
Findings in each group are ordered from most to least impactful. In cases where findings have the same weight, they are listed alphabetically. Findings don’t have to be fixed in order, but all findings in a group must be fixed to improve the grade as seen in the RRP.
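The following is an added illustrative model of how the grouping described above (and the "fixed findings become Good findings" and "Maintain for an A" rules earlier in this article) fits together. It is not Bitsight's scoring code: the grade thresholds, finding weights, and the sample findings are constructed assumptions so the planner can be run offline.

```python
from dataclasses import dataclass

# ASSUMED thresholds (percent of total weight that must be positive) for illustration only.
GRADE_FLOORS = [("A", 90), ("B", 80), ("C", 70), ("D", 60), ("F", 0)]

@dataclass(frozen=True)
class Finding:
    name: str
    weight: int   # impact on the risk vector (assumed integer weight)
    good: bool    # True = positive (Good) finding, False = negative finding

def grade_for(findings):
    """Letter grade from the share of positive weight; integer math avoids float edge cases."""
    findings = list(findings)
    total = sum(f.weight for f in findings)
    positive = sum(f.weight for f in findings if f.good)
    for letter, floor in GRADE_FLOORS:
        if total == 0 or positive * 100 >= floor * total:
            return letter
    return "F"

def plan_to_a(findings):
    """Greedy path to an A: fix the heaviest negative findings first (ties alphabetically),
    closing a group each time the projected grade changes. A fixed finding is modelled as
    being replaced by a Good finding of the same weight, as the RRP assumes."""
    state = {f.name: f for f in findings}
    pending = sorted((f for f in findings if not f.good), key=lambda f: (-f.weight, f.name))
    groups, group, current = [], [], grade_for(state.values())
    for f in pending:
        if current == "A":
            break  # the plan stops at A: no more, no less
        state[f.name] = Finding(f.name, f.weight, True)
        group.append(f.name)
        new = grade_for(state.values())
        if new != current:           # may be a skip-level step, e.g. C -> A
            groups.append((f"{current} → {new}", group))
            group, current = [], new
    # An unfinished group (A not reachable) is not a valid step and is dropped.
    maintain = sorted(f.name for f in findings if f.good)  # "Maintain for an A" group
    return groups, maintain

# Constructed sample findings (not real data).
SAMPLE = [
    Finding("api.example.com: certificate expired", 2, False),
    Finding("www.example.com: HSTS header missing", 1, False),
    Finding("legacy.example.com: TLS 1.0 enabled", 1, False),
    Finding("shop.example.com: X-Frame-Options missing", 1, False),
    Finding("vpn.example.com: self-signed certificate", 1, False),
    Finding("cdn.example.com: certificate valid", 7, True),
    Finding("mail.example.com: TLS configuration", 7, True),
]
```

Run `plan_to_a(SAMPLE)` to see two groups (C → B, then B → A); the two weight-1 findings left over are not part of the path and so would not appear on the plan.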
Finding Details
The RRP includes information to help you remediate findings. Select an individual finding from the RRP to open a details sheet like the one on the Findings Page. To open a group of findings in the Findings Page, select View in Findings. In the Patching Cadence RRP, select a group of findings in the Findings column to open them in the Findings page.
Most RRPs can be scheduled. If a plan is old, findings in it may no longer exist or may no longer impact your grade. Scheduling your plan keeps it up to date and prevents you from working with stale information. The Patching Cadence RRP cannot be scheduled.
Downloading a Plan
Downloading plans allows you to track your progress over time using comparative reporting. We recommend scheduling and downloading plans weekly or monthly for this purpose.
Active Plan
Select Download CSV in the top right of the plan page.
Historical Plan
Select See Historical Plans, then select Download CSV next to the historical plan you wish to download.
- October 29, 2024: Reordered plan types to match the platform. Linked to the new Risk Remediation Forecast article.
- October 23, 2024: Added navigation instructions.
- March 25, 2024: “No findings/low findings” changed to “insufficient data.”