Vendor security ratings cannot be adjusted without modifying the criteria for evaluating a vendor’s security posture.

Since the ability to make unmitigated adjustments violates the objectivity of security posture measurements, this functionality usually isn’t possible on security rating solutions. However, a workaround is to prevent certain discovered risks from influencing the calculation of a vendor’s security ratings.

While this functionality isn’t available on all security ratings solutions, it's one of the many features offered on the UpGuard platform.

UpGuard allows risk management teams to waive third-party security risks in two primary ways.

1. Waiving Risks from a Vendor’s Risk Profile

On the UpGuard platform, a risk profile summarizes all the security risks associated with a particular vendor. Any risk can be disregarded by simply clicking the “Waive this Risk” button.

Learn how UpGuard calculates security ratings >

Vendor risk waiving on the UpGuard platform

Won’t this impact the objectivity of security posture measurements?

To support objective and fair security posture calculations for each vendor, each risk waiver request needs to be approved before it's actioned. If the user doesn’t have the authority to approve a waiver, the request will be forwarded to those who do.

Users submitting a request also need to provide a reason for the waiver.

2. Waiving Risks from Security Questionnaires

UpGuard automatically lists a vendor’s security risks based on their questionnaire responses. Expanding the details of a particular risk will reveal an option to waive it, preventing it from influencing that vendor’s security rating.

Once a waiver request is submitted, the user will be prompted to provide a reason to ensure all risk management team members and stakeholders are aware of the adjustment.

Does Waiving Cyber Risks Support False Risk Fixes?

No. When used in a platform with an objective and unbiased approach to risk remediation, such as UpGuard, waiving risk does not support false risk fixes.

Besides the benefit of producing higher definition vendor risk profiles, increased cyber risk detection sensitivity means security teams might be presented with threats outside of their risk profile. This is where a feature like risk waiving becomes invaluable. Risk waivers allow security teams to instantly disregard detected threats that are not actually security risks - such as when compensating controls are in place. This feature has been specifically developed to streamline risk assessment workflow, not falsify fixes - a function that isn't even possible with UpGuard's risk-waiving feature.

See the UpGuard Risk Waiver feature in action >

Adjusting Vendor Security Ratings with Additional Risk Evidence

Vendor security ratings can also be adjusted by providing additional risk evidence to security rating solutions. This practice is encouraged since it increases the dimension of analysis of attack surface management, which increases the accuracy of this effort.

On the UpGuard platform, additional evidence can easily be added to the risks influencing a vendor’s security rating by clicking the “Additional Evidence” tab in their profile.

Additional evidence feature on the UpGuard platform

Under the additional evidence category, links to each vendor's publicly available security information can also be stored to simplify vendor risk assessment efforts and provide greater context for all factors influencing a vendor's security ratings.

If you’re new to the cybersecurity discipline of attack surface management, the following video will bring you up to speed.

Why Would You Want to Waive Vendor Security Risks?

There are many reasons why this functionality might be helpful in your Vendor Risk Management program. These could include:

  • Duplicate risk discoveries - Duplicate or related security risks could have an excessively negative impact on a vendor’s security posture. This could result in a vendor receiving greater remediation attention, diverting the focus away from those posing real data breach risks.
  • Superfluous risk discoveries - Sometimes, discovered vendor-related security risks fall outside of your defined risk appetite and, therefore, can safely be accepted.

Note: All decisions to waive vendor security risks should be conducted through a Vendor Risk Management framework trusted by information security professionals and supportive of regulatory compliance. This will remove all bias from risk waiver decisions, ensuring vendor risk ratings are always adjusted toward greater accuracy.

For an overview of the risk assessment component of such a framework, see the video below.
