Risk Calculations

Updated by Paul Chu

VISO TRUST provides a platform to streamline risk calculations with a simple 3-step wizard that produces the initial Inherent Risk. Leveraging VISO TRUST's proprietary and patented AI functionality, assessment evidence for all third parties can be extracted directly from the documents you already receive from vendors, ranging from third-party audits (ISO 27001, SOC 2 Type 2, PCI DSS) to security overview documents and other self-attestations. The aggregated results of that extraction determine the overall Residual Risk of the third-party assessment.

Let's take a look at the different components that go into the risk calculations with VISO TRUST.

Risk Levels

Inherent and Residual Risk are each reported using one of the labels below. Label names can be customized to align with how risk is tracked at your organization.

  • No Access
  • Low
  • Medium
  • High
  • Extreme

Inherent Risk

Inherent Risk is the risk level that exists before any controls or mitigations of the third party are taken into account. It is calculated from the selected Business Case(s) and the Organizational/Customer Data Type(s). In VISO TRUST, these selections are captured as the Relationship Context.

  • Business Case (Control Domain Mapping) - https://app.visotrust.com/controls
    • Selecting the business case(s) associated with the third party determines the attack surface profile of that vendor, displayed as the scoped control domains that need to be validated during the assessment.
  • Data Types - https://app.visotrust.com/data-types
    • Data Types are broken down into Organization and Customer Data Types. This lets the user state explicitly which organization (internal) and customer (external) data types the third party could potentially access, and assigns each the appropriate sensitivity level to be factored into the Inherent Risk score. Each Data Type is categorized into a Sensitivity level, and the levels can be customized to the organization's needs.

Residual Risk

Residual Risk is the risk that remains once an assessment has been completed: the Control Domains scoped for the third party via the Relationship Context are validated against the information and documents the third party provides.

  • Artifact Types - https://app.visotrust.com/audit-types
    • Artifacts are any information or documents received from the third party during an assessment. They are processed using VISO TRUST's Artifact Intelligence, which classifies each artifact and identifies detections that satisfy the in-scope control domains for the assessment. Each Artifact Type has an Assurance Level, which determines how much weight an Artifact Detection carries against the Inherent Risk. The aggregated detections across all Artifacts yield the remaining Residual Risk for the organization to review.
    • Artifact Types are categorized into one of the following:
      • Third Party Audits
      • Penetration Tests
      • Privacy Documents
      • Other Attestations
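The following is an added example, not VISO TRUST's patented algorithm or any code from the platform. It models the flow described in the Inherent Risk and Residual Risk sections above so the moving parts can be seen together: business cases scope a set of control domains, data types contribute a sensitivity level, and artifact detections with an assurance level per artifact type reduce the inherent score to a residual percentage. Every weight, threshold, domain name, business case and the sample vendor are constructed assumptions; the four artifact type categories and the five default labels are the page's own.

```python
"""Illustrative third-party risk model.

Added example, NOT VISO TRUST's patented algorithm. The weights, the
business-case-to-control-domain mapping, the label thresholds and the
sample vendor are constructed assumptions used only to show how the
pieces described on the page fit together.
"""
from statistics import mean

# Assumed sensitivity weight per data-type sensitivity level (0-1 scale).
SENSITIVITY_WEIGHT = {
    "public": 0.1, "internal": 0.4, "confidential": 0.7, "restricted": 1.0,
}

# Assumed assurance level per artifact type category: how far a detection
# in that artifact reduces risk for the control domain it satisfies.
ASSURANCE_LEVEL = {
    "third_party_audit": 0.9,   # e.g. SOC 2 Type 2, ISO 27001, PCI DSS
    "penetration_test": 0.7,
    "privacy_document": 0.5,
    "other_attestation": 0.3,   # questionnaires and self-attestations
}

# Assumed business case -> control domains (the attack surface profile).
BUSINESS_CASE_DOMAINS = {
    "saas_hosting": {"access_control", "encryption",
                     "logging_monitoring", "vulnerability_mgmt"},
    "payment_processing": {"access_control", "encryption", "pci_scope"},
    "marketing_analytics": {"access_control", "privacy"},
}
ALL_DOMAINS = set().union(*BUSINESS_CASE_DOMAINS.values())

# Assumed thresholds on the 0-1 score; the label names are the page's defaults.
LABEL_THRESHOLDS = [(0.9, "Extreme"), (0.7, "High"), (0.45, "Medium")]


def risk_label(score):
    """Map a 0-1 score to a label; a zero score means no data access at all."""
    if score == 0.0:
        return "No Access"
    for threshold, label in LABEL_THRESHOLDS:
        if score >= threshold:
            return label
    return "Low"


def scoped_domains(business_cases):
    """Union of control domains for the selected business cases."""
    unknown = set(business_cases) - BUSINESS_CASE_DOMAINS.keys()
    if unknown:
        raise ValueError(f"unknown business case(s): {sorted(unknown)}")
    return set().union(*(BUSINESS_CASE_DOMAINS[b] for b in business_cases))


def inherent_risk(business_cases, data_types):
    """Relationship Context: most sensitive data type scaled by surface breadth."""
    if not data_types:
        return 0.0  # nothing the vendor can access -> "No Access"
    sensitivity = max(SENSITIVITY_WEIGHT[level] for level in data_types.values())
    surface = len(scoped_domains(business_cases)) / len(ALL_DOMAINS)
    # Assumed formula: sensitivity sets the ceiling, surface scales it 50%-100%.
    return sensitivity * (0.5 + 0.5 * surface)


def residual_risk(business_cases, data_types, artifacts):
    """Credit each scoped domain with the best assurance among the artifacts
    whose detections satisfy it; detections outside the scope are ignored.

    artifacts: list of (artifact_type, set of domains with satisfying detections).
    """
    inherent = inherent_risk(business_cases, data_types)
    scope = scoped_domains(business_cases)
    best = {domain: 0.0 for domain in scope}
    for artifact_type, detections in artifacts:
        if artifact_type not in ASSURANCE_LEVEL:
            raise ValueError(f"unknown artifact type: {artifact_type}")
        for domain in detections & scope:
            best[domain] = max(best[domain], ASSURANCE_LEVEL[artifact_type])
    coverage = mean(best.values()) if best else 0.0
    residual = inherent * (1.0 - coverage)
    return {
        "inherent_pct": round(inherent * 100, 1),
        "inherent_label": risk_label(inherent),
        "residual_pct": round(residual * 100, 1),
        "residual_label": risk_label(residual),
        "unsatisfied_domains": sorted(d for d, a in best.items() if a == 0.0),
    }


# Constructed sample vendor: hosts the product and processes card payments.
SAMPLE_BUSINESS_CASES = ["saas_hosting", "payment_processing"]
SAMPLE_DATA_TYPES = {"customer_pii": "confidential", "cardholder_data": "restricted"}
SAMPLE_ARTIFACTS = [
    ("third_party_audit", {"access_control", "encryption", "logging_monitoring"}),
    ("penetration_test", {"vulnerability_mgmt"}),
    ("other_attestation", {"privacy"}),  # out of scope here, so it earns no credit
]

if __name__ == "__main__":
    print(residual_risk(SAMPLE_BUSINESS_CASES, SAMPLE_DATA_TYPES, SAMPLE_ARTIFACTS))
```

With the sample inputs the vendor starts at Extreme inherent risk (restricted cardholder data across five of the six modelled domains) and ends at a Low residual risk, with `pci_scope` reported as unsatisfied because the only attestation covering it was out of scope. The `unsatisfied_domains` list is the part a reviewer acts on: it is the evidence still to request from the vendor before the residual figure should be accepted.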

TLDR
VISO TRUST's Risk Model assesses risks by considering factors such as the attack surface of each business relationship, data sensitivity, industry standards compliance, and the effectiveness of mitigating controls, ultimately calculating Residual Risk from 0% to 100%.
