Weighting-specific best practices:
- When building weighting into questionnaires, first determine a range of weights to apply to questions based on the impact the answer to those questions has on overall risk.
  - For example, use 1-10, with 1 being the least impact and 10 being the most impact. For a question whose answer minimally impacts risk, assign a weight of 1; for a question whose answer has the greatest impact on risk, assign a weight of 10.
- Only assign weights to the radio button question type (and sometimes, with caution, the checkbox type). All other question types should receive a weight of 0, because at this stage their answers must be analyzed by the questionnaire evaluator at your organization to determine any associated risk. Assigning a weight of 0 to these other question types keeps them from throwing off your pre-determined impact range.
- Risk score for an individual question = weight x multiplier. Thus, for Yes/No or True/False questions, assign multipliers of 0 or 1. Multiplying the weight by 0 applies no weight, meaning this answer indicates no risk to your organization; multiplying the weight by 1 applies the full weight, meaning this answer indicates risk to your organization.
  - For example, Question C.1 - Is your organization SOC 2 compliant? (Assigned weight is 10, meaning that the answer to this question has the greatest impact on risk to my organization.)
    - Option 1: Yes (Multiplier = 0. Thus, weight of 10 x multiplier of 0 = risk score of 0, meaning that by being SOC 2 compliant, no risk is identified.)
    - Option 2: No (Multiplier = 1. Thus, weight of 10 x multiplier of 1 = risk score of 10, meaning that by not being SOC 2 compliant, great risk is identified.)
- Multipliers may also be used to assess maturity, while keeping the pre-determined weight impact range in mind.
  - For example, Question D.1 - How would you characterize your organization’s overall information security program? (Weight = 5)
    - Option 1: Non-existent. No defined information security program. (Multiplier = 2. Thus, weight of 5 x multiplier of 2 = risk score of 10, meaning that great risk is identified.)
    - Option 2: Ad-hoc. Some documented processes to capture infosec compliance. (Multiplier = 1. Thus, weight of 5 x multiplier of 1 = risk score of 5, meaning that some risk is identified.)
    - Option 3: World class. Compliant with numerous infosec frameworks. (Multiplier = 0. Thus, weight of 5 x multiplier of 0 = risk score of 0, meaning that no risk is identified.)
- Use the Comments section of the object that the questionnaire was sent out in relation to in order to capture questionnaire review notes.
  - For example, my recipient answered Yes to Question C.1 - Is your organization SOC 2 compliant? I had created a file upload subquestion (C.1.1) asking my recipient to upload their most recent report (but assigned a weight of 0 to this file upload question). After reviewing the attached file, I realize that it is not a true SOC 2 report. Therefore, as I review the questionnaire responses, I write a comment that states:
    - “See attached ‘SOC 2’ report to Question C.1.1. Not a true SOC 2 report.”
- When changing the Risk Rating of a vendor object for this reason, ALWAYS input a comment in the text box below the “New value” dropdown to capture why (the comment is captured together with the user making the change and a date/time stamp).
- In the right-hand weighting panel, use the automatically calculated Min and Max scores (based on the sum of individual questions’ risk scores) to assist in designating Mid and High Risk Thresholds.
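The scoring rules above (weight x multiplier per question, weight 0 for non-radio types, Min/Max totals used to place Mid and High thresholds), worked through in code. This is an added example written for this page, not code from the original or from any questionnaire product; the questionnaire and answers are constructed from the C.1, C.1.1 and D.1 examples above, and the thirds-based threshold placement and the Low/Mid/High labels are assumptions, since the page leaves the exact threshold placement to the evaluator.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Only radio-button questions carry a non-zero weight. Checkbox (multi-select)
# is deliberately left out here: the page allows it "with caution", but a
# multi-select needs a combining rule for several multipliers, which it does
# not define.
WEIGHTED_TYPES = {"radio"}


@dataclass
class Option:
    label: str
    multiplier: int  # 0 = this answer indicates no risk; higher = more risk


@dataclass
class Question:
    qid: str
    text: str
    qtype: str  # "radio", "file_upload", "text", ...
    weight: int  # 1-10 impact range; must be 0 for non-radio types
    options: List[Option] = field(default_factory=list)


def validate(questions: List[Question]) -> None:
    """Enforce the weighting rules: weights stay in 0-10 and only radio questions are weighted."""
    for q in questions:
        if not 0 <= q.weight <= 10:
            raise ValueError(f"{q.qid}: weight {q.weight} is outside the 0-10 impact range")
        if q.qtype not in WEIGHTED_TYPES and q.weight != 0:
            raise ValueError(f"{q.qid}: {q.qtype} questions must be weighted 0 (reviewed manually)")
        if q.qtype in WEIGHTED_TYPES and not q.options:
            raise ValueError(f"{q.qid}: weighted question has no options")


def risk_score(q: Question, answer: str) -> int:
    """Risk score for one question = weight x multiplier of the chosen option."""
    if q.qtype not in WEIGHTED_TYPES:
        return 0  # file uploads, free text, etc. contribute nothing automatically
    for opt in q.options:
        if opt.label == answer:
            return q.weight * opt.multiplier
    raise ValueError(f"{q.qid}: unknown answer {answer!r}")


def score_range(questions: List[Question]) -> Tuple[int, int]:
    """Min and Max questionnaire totals: sum of each weighted question's lowest/highest score."""
    lo = hi = 0
    for q in questions:
        if q.qtype in WEIGHTED_TYPES and q.options:
            mults = [o.multiplier for o in q.options]
            lo += q.weight * min(mults)
            hi += q.weight * max(mults)
    return lo, hi


def thresholds(lo: int, hi: int) -> Tuple[float, float]:
    """Assumed convention: split the Min..Max span into thirds for the Mid and High thresholds."""
    span = hi - lo
    return lo + span / 3, lo + 2 * span / 3


def total_score(questions: List[Question], answers: Dict[str, str]) -> int:
    """Sum the per-question risk scores for the answers actually given."""
    return sum(risk_score(q, answers[q.qid]) for q in questions if q.qid in answers)


def rating(total: float, mid: float, high: float) -> str:
    if total >= high:
        return "High"
    if total >= mid:
        return "Mid"
    return "Low"


# Constructed questionnaire mirroring the page's examples.
QUESTIONNAIRE = [
    Question("C.1", "Is your organization SOC 2 compliant?", "radio", 10,
             [Option("Yes", 0), Option("No", 1)]),
    Question("C.1.1", "Upload your most recent SOC 2 report", "file_upload", 0),
    Question("D.1", "How would you characterize your overall information security program?",
             "radio", 5,
             [Option("Non-existent", 2), Option("Ad-hoc", 1), Option("World class", 0)]),
]

# Constructed recipient answers: SOC 2 "Yes" (0) plus "Ad-hoc" maturity (5) -> total 5.
SAMPLE_ANSWERS = {"C.1": "Yes", "C.1.1": "soc2_report.pdf", "D.1": "Ad-hoc"}


if __name__ == "__main__":
    validate(QUESTIONNAIRE)
    lo, hi = score_range(QUESTIONNAIRE)
    mid, high = thresholds(lo, hi)
    total = total_score(QUESTIONNAIRE, SAMPLE_ANSWERS)
    print(f"Min={lo} Max={hi} Mid threshold={mid:.1f} High threshold={high:.1f}")
    print(f"Total={total} -> {rating(total, mid, high)}")
```

The C.1.1 file upload is scored 0 regardless of what was attached, which is exactly why the reviewer's comment about the non-SOC 2 report (and any manual Risk Rating change) has to be recorded separately: nothing in the automatic total reflects it.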