RRPs are available with some SPM packages for My Companies and MySubsidiary subscriptions.
A risk remediation plan (RRP) is a prioritized list of findings you can fix to improve certain risk vector grades. This plan is designed to help you identify and remediate high-impact findings to reach an A grade.
RRPs analyze findings for the following risk vectors:
- Patching Cadence
- Web Application Headers
- SSL Certificates
- SSL Configurations
- Desktop Software
- Mobile Software
This article covers plan calculation, capabilities, and interpretation. To learn more, refer to the following articles:
- Running a Risk Remediation Plan
- Scheduling a Risk Remediation Plan
- Risk Remediation Plan Details by Risk Vector
How It Works: Calculation and Capabilities
RRPs are point-in-time, so outside factors like new findings, infrastructure changes, and changes in our inventory of companies can shift the outcome of the report.
Patching Cadence Risk Vector
This RRP projects your future risk vector grade based on different remediation scenarios, prioritizing the most severe findings to prevent your grade from deteriorating.
Risk vector grades for Patching Cadence are based on how long, on average, known vulnerabilities existed in an organization unpatched. This average time-to-remediate is weighted according to the severity of the vulnerability, so more severe vulnerabilities have a greater impact on the risk vector grade. Both remediated and unremediated findings impact the grade, but only the unremediated findings can be affected by a company’s actions.
Because Patching Cadence represents an average, a quickly patched finding has a positive impact on the letter grade, while a finding that takes longer than average to patch has a negative impact. As long as a finding remains unremediated, its duration continues to increase and its impact on the risk vector grade becomes increasingly negative.
Companies with no ratings-impacting Patching Cadence findings receive an A grade and are not able to run an RRP.
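As an added illustration (not code from this page or from the product), the following Python models the Patching Cadence mechanics described above: a severity-weighted average of days-to-remediate in which open findings keep aging, and a projection of the letter grade at a future date under several remediation scenarios. The severity weights, grade cut-offs, finding IDs and dates are all constructed assumptions; the real weighting and grading are relative to other rated companies and are not published here.

```python
from dataclasses import dataclass, replace
from datetime import date
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Assumed severity weights: the page says more severe vulnerabilities weigh
# more, but publishes no numbers, so these are illustrative only.
SEVERITY_WEIGHT = {"low": 1, "medium": 2, "high": 4, "critical": 8}

# Assumed grade cut-offs on the weighted average days-to-remediate. The real
# grade is relative to other rated companies; absolute cut-offs keep the
# example self-contained.
GRADE_CUTOFFS = [(30, "A"), (60, "B"), (90, "C"), (120, "D")]  # above 120 -> F


@dataclass(frozen=True)
class Finding:
    id: str
    severity: str
    first_seen: date
    remediated: Optional[date]  # None while the finding is still open

    def duration_days(self, as_of: date) -> int:
        """Days the vulnerability was (or has been) unpatched, as of a date."""
        end = self.remediated if self.remediated else as_of
        return (end - self.first_seen).days


def weighted_average_days(findings: Iterable[Finding], as_of: date) -> float:
    """Severity-weighted mean time-to-remediate; open findings keep aging.

    Remediated findings still count, which is why a past slow fix keeps
    dragging on the grade.
    """
    findings = list(findings)
    total_weight = sum(SEVERITY_WEIGHT[f.severity] for f in findings)
    if total_weight == 0:
        return 0.0
    weighted = sum(SEVERITY_WEIGHT[f.severity] * f.duration_days(as_of) for f in findings)
    return weighted / total_weight


def grade_for(avg_days: float) -> str:
    for limit, letter in GRADE_CUTOFFS:
        if avg_days <= limit:
            return letter
    return "F"


def current(findings: Iterable[Finding], as_of: date) -> Tuple[float, str]:
    avg = weighted_average_days(findings, as_of)
    return avg, grade_for(avg)


def project(findings: Iterable[Finding], fix_ids: Set[str],
            fix_on: date, horizon: date) -> Tuple[float, str]:
    """Grade at `horizon` if the open findings in `fix_ids` are fixed on `fix_on`.

    Everything not in `fix_ids` is left as it is, so open findings carry on
    accumulating days until `horizon`.
    """
    projected: List[Finding] = [
        replace(f, remediated=fix_on) if f.id in fix_ids and f.remediated is None else f
        for f in findings
    ]
    return current(projected, horizon)


# Constructed sample findings (assumed IDs, severities and dates; not real data).
FINDINGS = [
    Finding("vuln-1", "critical", date(2024, 1, 1), date(2024, 1, 21)),   # fixed in 20 days
    Finding("vuln-2", "high", date(2024, 1, 1), date(2024, 2, 20)),       # fixed in 50 days
    Finding("vuln-3", "medium", date(2024, 1, 10), None),                 # still open
    Finding("vuln-4", "critical", date(2024, 2, 1), None),                # still open
]
TODAY = date(2024, 3, 1)
FIX_ON = date(2024, 3, 8)      # remediation one week from today
HORIZON = date(2024, 5, 30)    # grade projected about 90 days out


def scenarios() -> Dict[str, Tuple[float, str]]:
    return {
        "today": current(FINDINGS, TODAY),
        "do nothing": project(FINDINGS, set(), FIX_ON, HORIZON),
        "fix vuln-3 (medium)": project(FINDINGS, {"vuln-3"}, FIX_ON, HORIZON),
        "fix vuln-4 (critical)": project(FINDINGS, {"vuln-4"}, FIX_ON, HORIZON),
        "fix both": project(FINDINGS, {"vuln-3", "vuln-4"}, FIX_ON, HORIZON),
    }


if __name__ == "__main__":
    for name, (avg, letter) in scenarios().items():
        print(f"{name:<24} weighted avg {avg:6.1f} days -> {letter}")
```

With these assumed numbers the company holds a B today, slides to a C within 90 days if nothing is fixed, and stays at B only if the open critical finding is fixed; fixing just the medium one still ends in a C, which is the page's point about prioritizing the most severe findings.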
All Other Risk Vectors
These RRPs show the most efficient path to improve a risk vector grade to an A based on grade-impacting findings at the time of calculation.
RRPs are calculated with the assumption that fixed findings become or are replaced by Good findings. Good findings have the highest impact on your risk vector grades. There are many valid ways to remediate, mitigate, or improve findings, but not all result in a Good finding.
Risk vector grades for Web Application Headers, TLS/SSL Certificates, and TLS/SSL Configurations are based on the ratio of positive to negative findings at your company vs. the ratio at other rated companies. These risk vectors default to a C grade if there’s insufficient data or only Neutral findings; you must have some Good findings to achieve a B or A letter grade.
- Changing a Bad finding to Good decreases your Bad quantity and increases your Good quantity, improving your ratio and your risk vector grade.
- Changing a Bad finding to a Neutral reduces the number of Bad findings, but does not improve your letter grade.
- Good findings that stop impacting your rating and are not replaced ALSO decrease your Good quantity, negatively impacting your letter grade.
Risk vector grades for Desktop Software and Mobile Software are also based on a ratio of Good to Bad findings. However:
- Companies without enough findings relative to employee count in these risk vectors receive a letter grade of N/A.
- When calculating your rating, an N/A is equivalent to an A.
- Companies with an N/A grade do not have enough findings to run an RRP.
In addition to findings that need to be fixed, RRPs contain findings that need to be maintained. When a plan is calculated, the weight of the Good findings you need to maintain, plus the anticipated weight of the findings you fix along the way, is enough to improve your grade to an A.
Remediating findings in the Maintain for an A group helps pad your ratio of positive to negative findings and can potentially protect your A grade from dropping as new findings occur.
An RRP calculates the most efficient remediation path to an A: no more, no less. It does not take into account what happens if you don’t follow the plan. If you skip or ignore a finding that the plan has identified as part of your path, it remains on your RRP.
Reading a Plan
The RRP supports multiple risk vectors. The data in each plan is laid out differently, but the overall structure remains the same: findings are listed from most to least impactful and separated into groups.
Patching Cadence Risk Vector
The Patching Cadence RRP is generated as a PDF. Instead of recommending one course of action, this PDF examines different remediation scenarios and projects your risk vector grade depending on the number, severity, and duration of vulnerabilities remediated. This RRP considers a subset of unremediated findings to be fixed to calculate the projected grade; due to the nature of this risk vector, remediated findings continue to impact your grade over time.
All Other Risk Vectors
Groups contain the findings that need to be fixed to improve your letter grade from the current grade to the next in sequence. This improvement is usually from one grade to the next, such as C → B, but in rare cases you may see skip-level groups such as C → A.
Findings in each group are ordered from most to least impactful. In cases where findings have the same weight, they are listed alphabetically. Findings don’t have to be fixed in order, but all findings in a group must be fixed to improve the grade as seen in the RRP.
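The following Python is an added example, not this page's or the product's own code. It ties together the ratio-based grading rules from the calculation section (Bad to Good improves the grade, Bad to Neutral does not, a Good finding that drops out hurts, and a Maintain for an A group) with the grouping described here: Bad findings are fixed heaviest first, ties alphabetically, each fix is assumed to become a Good finding, and a group closes each time the letter grade steps up, which also yields a skip-level group such as C -> A if one fix jumps two grades. The score (Good weight over all grade-impacting weight), the grade cut-offs, the finding weights and the header names are all assumptions; the real grade is relative to other rated companies and its formula is not on the page.

```python
from dataclasses import dataclass, replace
from typing import Dict, Iterable, List

# Assumed grade cut-offs on the positive-share score below. The real grade is
# relative to other rated companies and no cut-offs are published, so these
# numbers are illustrative only.
GRADE_CUTOFFS = [(0.80, "A"), (0.55, "B"), (0.30, "C"), (0.10, "D")]  # below 0.10 -> F


@dataclass(frozen=True)
class Finding:
    name: str
    weight: int    # assumed grade impact; heavier findings are fixed first
    status: str    # "good", "bad" or "neutral"


def positive_share(findings: Iterable[Finding]) -> float:
    """Good weight over all grade-impacting weight (Good + Bad + Neutral).

    Assumption: this simplified score reproduces the page's three rules:
    Bad -> Good raises it, Bad -> Neutral leaves it unchanged, and a Good
    finding that drops out of the rating lowers it.
    """
    findings = list(findings)
    total = sum(f.weight for f in findings)
    good = sum(f.weight for f in findings if f.status == "good")
    return good / total if total else 0.0


def grade_for(findings: Iterable[Finding]) -> str:
    findings = list(findings)
    if not any(f.status == "good" for f in findings):
        return "C"  # no Good findings: the page's default grade, never B or A
    share = positive_share(findings)
    for limit, letter in GRADE_CUTOFFS:
        if share >= limit:
            return letter
    return "F"


def with_status(findings: Iterable[Finding], name: str, status: str) -> List[Finding]:
    """Copy of the findings with one finding's status changed."""
    return [replace(f, status=status) if f.name == name else f for f in findings]


def without(findings: Iterable[Finding], name: str) -> List[Finding]:
    """Copy of the findings with one finding removed (it stopped impacting the rating)."""
    return [f for f in findings if f.name != name]


def remediation_plan(findings: Iterable[Finding]) -> Dict[str, List[str]]:
    """Most efficient path to an A, grouped by grade step.

    Bad findings are fixed heaviest first (ties alphabetically) and assumed to
    become Good. A group closes each time the letter grade steps up; the plan
    stops at the first A, so lighter Bad findings left over are not listed.
    """
    original = list(findings)
    working = list(original)
    groups: Dict[str, List[str]] = {}
    pending: List[str] = []
    grade = grade_for(working)
    queue = sorted((f for f in working if f.status == "bad"),
                   key=lambda f: (-f.weight, f.name))
    for f in queue:
        if grade == "A":
            break
        working = with_status(working, f.name, "good")
        pending.append(f.name)
        new_grade = grade_for(working)
        if new_grade != grade:   # e.g. "C -> B", or "C -> A" when one fix skips a level
            groups[f"{grade} -> {new_grade}"] = pending
            pending, grade = [], new_grade
    if pending:                  # ran out of Bad findings before reaching an A
        groups[f"{grade} -> A (not reachable)"] = pending
    # Existing Good findings whose weight the plan counts on to hold the A.
    maintain = sorted((f for f in original if f.status == "good"),
                      key=lambda f: (-f.weight, f.name))
    groups["Maintain for an A"] = [f.name for f in maintain]
    return groups


# Constructed Web Application Headers findings (names and weights are assumptions).
FINDINGS = [
    Finding("strict-transport-security", 3, "good"),
    Finding("x-content-type-options", 1, "good"),
    Finding("content-security-policy", 3, "bad"),
    Finding("x-frame-options", 2, "bad"),
    Finding("referrer-policy", 1, "bad"),
    Finding("server", 1, "bad"),
    Finding("cache-control", 1, "neutral"),
]


if __name__ == "__main__":
    print("today:", grade_for(FINDINGS), f"({positive_share(FINDINGS):.2f})")
    for label, names in remediation_plan(FINDINGS).items():
        print(f"  {label}: {', '.join(names)}")
    csp_neutral = with_status(FINDINGS, "content-security-policy", "neutral")
    print("CSP Bad -> Neutral:", grade_for(csp_neutral), f"({positive_share(csp_neutral):.2f})")
    hsts_gone = without(FINDINGS, "strict-transport-security")
    print("HSTS finding drops out:", grade_for(hsts_gone), f"({positive_share(hsts_gone):.2f})")
```

Under these assumptions the plan has two groups, C -> B (the CSP finding) and B -> A (x-frame-options, then referrer-policy), leaves the lighter server header finding out because the A is already reached, and lists the two Good findings under Maintain for an A; neutralizing the CSP finding instead of fixing it leaves the grade at C.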
Finding Details
The RRP includes information to help you remediate findings. Select an individual finding from the RRP to open a details sheet like the one on the Findings Page. To open a group of findings in the Findings Page, select View in Findings. In the Patching Cadence RRP, select a group of findings in the Findings column to open them in the Findings page.
Most RRPs can be scheduled. If your plan is older, findings in it may no longer exist or may not impact your grade. Scheduling your plan keeps it up to date and prevents you from working with old information. The Patching Cadence RRP cannot be scheduled.
Downloading a Plan
Downloading plans allows you to track your progress over time using comparative reporting. We recommend scheduling and downloading plans weekly or monthly for this purpose.
Active Plan
Select Download CSV in the top right of the plan page.
Historical Plan
Select See Historical Plans, then select Download CSV next to the historical plan you wish to download.
- March 25, 2024: “No findings/low findings” changed to “insufficient data.”
- August 23, 2023: Updated to include the Patching Cadence risk vector.
- August 25, 2022: Updated to include the Desktop Software and Mobile Software risk vectors.