Versions Compared

Weighting-specific best practices:

...

  • For example, 1-10 with 1 being the least impact and 10 being the most impact.  For a question whose answer minimally impacts risk, assign a weight of 1 to this question.  Alternatively, for a question whose answer has the greatest impact on risk, assign a weight of 10 to this question.

...

  • For example, Question C.1 - Is your organization SOC 2 compliant?  (Assigned weight is 10, meaning that the answer to this question has the greatest impact on risk to my organization.)
  • Option 1:  Yes (Multiplier = 0.  Thus, weight of 10 x multiplier of 0 = risk score of 0, meaning that by being SOC 2 compliant, no risk is identified.)
  • Option 2:  No (Multiplier = 1.  Thus, weight of 10 x multiplier of 1 = risk score of 10, meaning that by not being SOC 2 compliant, great risk is identified.)

...

  • For example, Question D.1 - How would you characterize your organization’s overall information security program? (Weight = 5)
  • Option 1:  Non-existent.  No defined information security program.  (Multiplier = 2. Thus, weight of 5 x multiplier of 2 = risk score of 10, meaning that great risk is identified.)
  • Option 2:  Ad-hoc.  Some documented processes to capture infosec compliance.  (Multiplier = 1. Thus, weight of 5 x multiplier of 1 = risk score of 5, meaning that some risk is identified.)
  • Option 3:  World class.  Compliant with numerous infosec frameworks.  (Multiplier = 0. Thus, weight of 5 x multiplier of 0 = risk score of 0, meaning that no risk is identified.)

...

  • For example, my recipient answered Yes to Question C.1 - Is your organization SOC 2 compliant?  I had created a file upload subquestion (C.1.1) asking my recipient to upload their most recent report (but assigned a weight of 0 to this file upload question).  After reviewing the attached file, I realize that it is not a true SOC 2 report.  Therefore, as I review the questionnaire responses, I write a comment that states:
  • “See attached ‘SOC 2’ report to Question C.1.1.  Not a true SOC 2 report.”
  • When changing the Risk Rating of a vendor object for this reason, ALWAYS input a comment in the text box below the “New value” dropdown to capture why (the user making the change and a date/time stamp are captured with it).
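The weight x multiplier scoring above, and the rule that a manual Risk Rating change must carry a justifying comment, worked as an added Python example (not part of the original page or any vendor tool). The question ids and texts mirror the page's C.1, C.1.1 and D.1 examples; the option labels, the "worst_case" figure and the audit-log shape are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Optional


@dataclass(frozen=True)
class Question:
    qid: str
    text: str
    weight: int                 # 1 = least impact on risk, 10 = most; 0 = informational only
    options: Dict[str, int]     # answer option -> multiplier

    def score(self, answer: str) -> int:
        """Risk contributed by one answer: weight x multiplier, as on the page."""
        if answer not in self.options:
            raise ValueError(f"{self.qid}: unexpected answer {answer!r}")
        return self.weight * self.options[answer]


# Constructed questionnaire modelled on the page's C.1, C.1.1 and D.1 examples.
QUESTIONS = {
    "C.1": Question("C.1", "Is your organization SOC 2 compliant?", 10,
                    {"Yes": 0, "No": 1}),
    # Evidence-only file upload: weight 0, so it never changes the score.
    "C.1.1": Question("C.1.1", "Upload your most recent SOC 2 report", 0,
                      {"uploaded": 1, "missing": 1}),
    "D.1": Question("D.1", "How would you characterize your infosec program?", 5,
                    {"Non-existent": 2, "Ad-hoc": 1, "World class": 0}),
}


def score_questionnaire(answers: Dict[str, str]) -> dict:
    """Per-question risk scores and their total for one vendor's responses."""
    per_question = {qid: QUESTIONS[qid].score(ans) for qid, ans in answers.items()}
    # Highest total the questionnaire can produce (constructed reference figure).
    worst_case = sum(q.weight * max(q.options.values()) for q in QUESTIONS.values())
    return {"per_question": per_question, "total": sum(per_question.values()),
            "worst_case": worst_case}


def override_risk_rating(vendor: dict, new_value: str, comment: str,
                         user: str, when: Optional[datetime] = None) -> dict:
    """Manual change of a vendor's Risk Rating; rejected without a justifying comment."""
    if not comment.strip():
        raise ValueError("a comment explaining the rating change is required")
    when = when or datetime.now(timezone.utc)
    vendor["risk_rating"] = new_value
    vendor.setdefault("audit_log", []).append(
        {"user": user, "when": when.isoformat(), "new_value": new_value, "comment": comment})
    return vendor
```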

...

Overview

...

Under construction