- What is the Portfolio Management Table?
- What if my portfolio is missing a third party?
- Do the “Data Access Requests” stats include document requests?
- Does “Available in Portfolio” include upstream shares?
- Can I add tags to my third parties?
- How is Inherent Risk determined?
- How can I track progress on requested data for an assessment?
- What do the different profiles in the “Available” column mean?
- What is the difference between the contact listed on the Portfolio Manager Table vs the recipient listed when requesting an assessment?
What is the Portfolio Management Table?
The Portfolio Management Table is your main dashboard to manage vendors, request data, view assessment status, and more. Once your vendors are ingested and impact questions answered, you can begin to see the big picture view of the high, medium, and low-risk third parties in your portfolio and decide which vendors you want to focus on first.
What if my portfolio is missing a third party?
You can click the “Add Company +” button to add a new company to your portfolio. For more details on how to add companies to build your portfolio, visit the “Build Portfolio Overview” article.
Do the “Data Access Requests” stats include document requests?
The “Data Access Requests” do not include document requests. Data Access Requests only display pending requests you have submitted for a company, whether that be access to an existing assessment or a request for an assessment to be completed.
Does “Available in Portfolio” include upstream shares?
Yes, the "Available in Portfolio" number includes attested assessments, validated assessments, and upstream shares.
Can I add tags to my third parties?
You can easily tag your third party by visiting their profile page and adding your tag in the Tag field located under the Customer Notepad. If you are looking to add tags en masse, you can work with your Customer Success Manager, who will work with our Advisory Services team to help you implement your tags.
How is Inherent Risk determined?
The Inherent Risk column shows the result of our inherent risk algorithm. The algorithm combines the risk a company poses based on its attack surface and outside-in scanning with the analysis from the eight simple questions you answer through our Auto-Inherent Risk feature, which evaluate your dependency on the third party and the impact a breach would have on your business. It produces a high, medium, or low determination of the risk the third party poses to you right now. Understanding this existing risk helps your team prioritize which companies need additional attention.
How can I track progress on requested data for an assessment?
Once a request has been initiated, you can view the status in two places:
- If you requested data already on the CyberGRX Exchange and are awaiting authorization, view the “Access” column to see the status of the request. The column will read requested, approved, or denied.
- If you have used the “Request Data” button and submitted for an assessment, view the “Data” column to see the status of the request. The column will read “Not Started,” and if you hover over it, it will provide details of the type of assessment requested and the requested date. If the assessment is underway, the status will read “In Progress,” with the hover-over detailing the type of assessment requested, the requested date, and the percentage of the assessment completed. When the third party has completed the assessment, the status will read “Completed.”
What do the different profiles in the “Available” column mean?
The profiles in the Third Party Portfolio Management table are designed to give you a quick understanding of what is available to you so you can evaluate the third parties in your portfolio and begin taking the next steps. The different profiles increase the visibility of risk intelligence from one profile to the next. The profiles include:
- Inherent Profile - When predictive data is not available for the company and when there is no order, or when there is an order that is not yet approved and completed
- Predictive Profile - When predictive data is available for the company and when there is no order, or when there is an order that is not yet approved and completed
- Attested Profile - This status is displayed when the third party approves the request and attests the associated assessment.
  - For non-validated assessments, the request is considered complete at this point.
  - For assessments with validation pending, this status is displayed when the request is in the validation process but validation has not yet been completed.
- Validated Profile - This status is displayed when the third party has approved the request and attested the assessment associated with that request and an assessor has completed the validation process. Only applicable to assessments with validation.
Depending on your strategy, not all third parties may require an attested or validated assessment. To provide visibility where necessary, an Inherent Profile can help you prioritize the third parties in your portfolio, and from there, you can decide the next steps. If a vendor has low to medium impact, you can leverage our Predictive Profile, which uses outside-in, industry, and CyberGRX Exchange data with up to 91% accuracy to predict how a third party would respond to assessment questions to possibly forgo the need for an assessment. If a third party has a medium to high impact on your business, and you determine an assessment may be necessary, then view if an assessment is available in the Exchange to request its data or make an assessment request. If you have internal mandates or must comply with regulatory requirements and a validation is required, request a validated assessment.
What is the difference between the contact listed on the Portfolio Manager Table vs the recipient listed when requesting an assessment?
- The contact listed on the Portfolio Management Table for each company is the third-party user who is either the Account Administrator or the Assessment Owner. Hovering over the individual's name shows whether they are the Account Administrator or the Assessment Owner. This contact is listed to give you the name of the most relevant person at that company who oversees the assessment as a whole. An Account Administrator has the ability to action assessment requests; an Assessment Owner does not.
- The recipient listed when requesting an assessment, if pre-populated, is the third-party user who has the Data Request Authorizer role. After you request an assessment, the contact listed in that field is the individual who will receive an email notification regarding the pending request. They are also the one who will action the request in-platform. If no user at that company has the Data Request Authorizer role, the field defaults to displaying the Account Administrator instead, since they can also respond to and action assessment requests.