Current "Third Party or Vendor Risk Questionnaires", such as the Standard Information Gathering (SIG) questionnaire and SIG-Lite, contain hundreds of questions that an organization must answer. Organizations dedicate hours of staff time to gathering the answers and then have to update and adjust them constantly. The current market for answering questionnaires like this revolves around creating a shared repository of answers to distribute to vendors. But do these questions provide that much value? With so many questions covering just about every topic in security, it takes even more time to go through the answers to potentially find something 'wrong' or 'risky' with an organization. These questions usually ask about the internal posture of an organization, with few to no questions about its external presence, posture, and monitoring.

The Correlation Evidence Questionnaire (CEQ) from ThreatNG uses the data set produced by our external data gathering to ask an organization or third party how it monitors "beyond" its perimeter. A question only appears when a corresponding investigation module has found evidence for it, so the questionnaire is dynamic: it follows the external attack surface and digital footprint actually observed. These questions are arguably more important than the 'internal process' questions found in other solutions (though both are important). The "assets" identified by an external attack surface and digital footprint discovery/assessment are what an adversary is actively looking at, enumerating, and testing. Focus on these assets should take precedence over the internal 'how do you do this' questions.

These questionnaires often come paired with a 'Security Risk Rating' that takes external assets, grades them, and produces a score. The data behind these "scores" is often in question (questions of asset ownership, accuracy, risk appetite, etc.). These scores do not take cloud infrastructure and resources into consideration. "Security Risk Rating" solutions also require constant re-scanning, with multiple scans per day, to stay accurate and relevant and to validate asset ownership. Speaking of "assets", these solutions do not provide a complete picture of an organization's digital footprint; their scores cover only domains, subdomains, and IPs. They are purely technical, drawing on no other sources (archives, code repositories, cloud, people, news, etc.), and are then paired with questionnaires for third-party risk management. An adversary, competitor, third party, etc., is looking for the path of least resistance across the entire digital footprint of an organization, from the technical (domains, subdomains) to reputation (social media) to business (lawsuits, internal strife, people). All of this exists beyond the perimeter and makes up a genuinely holistic TPRM (Third Party Risk Management) view: a view that organizations can take advantage of, combined with a custom risk appetite score, to get a TRUE grade of how they evaluate their own risks and their third parties.

ThreatNG makes self-monitoring your external footprint and your third parties straightforward with the combination of all the following in our platform:

  • Correlation Evidence Questionnaire (CEQ)

  • Risk Appetite Customization and Scoring (code-named DarcRadar)

  • Digital Risk Management

  • External Attack Surface Management 

Our CEQ is dynamic: its questions are driven by the evidence we see within our platform. No esoteric questions and no hand-waving about internal processes. Because we observe from the outside, the answers should be clear, concise, and tied directly to actions.

Our Risk Appetite Customization and Scoring takes YOUR risk appetite into account, reflecting what you view as a risk to your organization both internally and externally (third parties). Our score has no fluff; every field maps to a direct, actionable task.

The ThreatNG platform empowers users of all technical competencies to discover, assess, report, and collaborate across functional silos to address what YOU view as business and technical digital risk.
