Reporting & Analytics: Reporting on Residual Risk Flashcards
Reporting on Residual Risk
-Third party profile and business owner
-Risk rating and impact statement
-Assessment information
-Assessment results, including remediation plans and target dates
Third Party Assessment Report:
Third Party Profile
Included:
-Third Party: organization’s name
-Description of Service
-Third Party Contact
-Third Party URL
-Owning Business Unit: department that contracted the third party
-Relationship Owner: relationship owner's name, title, department, and phone number
Third Party Assessment Report:
Risk Rating and Impact Statement
Included:
-Inherent Risk Rating: Critical, High, Medium, Low
-Residual Risk Rating: Critical, High, Medium, Low
-Impact Statement: short paragraph on the impact the vendor could have on the organization should it fail (e.g. service outage, data exposure, regulatory exposure)
Third Party Assessment Report:
Assessment Information
Included:
-Assessments Performed: information on the assessments performed (e.g. questionnaire, document review, on-site review, technical testing)
-Assessed By: name, title, department, email, and phone number
-Scope: date range tested and/or the focus of the assessments, including the specific applications reviewed
-Scope Limitations: what was not reviewed, so the reader does not assume coverage that was not obtained
Third Party Assessment Report:
Assessment Results
*Assessment results are the only information you would potentially share with the third party. The rest of the report is kept internal, because sharing it would give up negotiating leverage and could create legal exposure.
Included:
-Working Well: paragraph on controls that are working well.
Business owners can be defensive about results, so state what is working well before listing the issues.
Issue Matrix:
-Captures for the business what you found. Include an issue category so the reader can quickly see the type of each issue.
Included:
-Issue Category: lets the reader quickly see the type of issue. E.g. Data, Privacy, Financial
-Issue Description: best practice is to include a short description of the test performed or control reviewed, the best practice or standard the third party did not meet, and the specific issue found. You may also want to include an impact statement.
-Explain why you performed a given assessment; the basis can be a NIST standard or a regulation, anything you are measuring the third party against.
-Risk Rating: Critical, High, Medium, Low.
-Action Plan & Target Date: best practice is to insert an initial action plan for the third party to review so they know your expectation; however, do not make it too prescriptive. E.g. Encrypt data at rest within all systems where ABD data resides.
-Risk Rating Upon Remediation: note what the rating will be once the action plan is completed. Critical, High, Medium, Low. This is the residual risk the business is being asked to accept.
Third Party Assessment Report:
Appendix
Included:
-Risk Rating: insert the risk rating descriptions. E.g. Critical risk = significant impact to the organization should the finding be realized
-In the appendix you are describing your risk ratings to the reader. Create them based on your enterprise's risk rating scale, and mirror the risk ratings used by your internal audit team for consistency.
-Evidence Obtained: information obtained and reviewed. Specifics on the data involved: type, amount, data flow details, transmission manner/method
-Lets the reader see exactly what was reviewed
Third Party Assessment Report:
Sign-Off
Included:
-Insert Approvals Required: approvals may be required for high-risk third parties, risk acceptances, or escalations. Sign-off may also be required to confirm the Business has reviewed the report.
Third Party Assessment Report:
Confidentiality Statement
Include a statement about the confidentiality and distribution of this report.
-Recommend not sending the report in its entirety to the third party; however, you may want to send the issue matrix to the third party for validation and to confirm the action plans and target dates.
-The statement is there so recipients do not share the report around.