Table of Contents
- How to interpret the framework control score
- How are the framework control scores calculated
- How the finding severity is calculated
- How the maximum impact is calculated & how to use it
- Frequently Asked Questions (FAQ)
How do I interpret a Framework Control Score?
A ranking system is applied to all framework control scores found in Risk Navigator for the purposes of contextualizing this score. The score ranking system is as follows:
| Score Interpretation | Framework Control Score Range | Description of Framework Control Score Rating |
|---|---|---|
| Very Poor | 0 to 49 | Very Poor indicates minimal coverage and substantial risk. |
| Poor | 50 to 69 | Poor indicates some coverage and significant risk. |
| Fair | 70 to 79 | Fair indicates moderate coverage and risk. |
| Good | 80 to 89 | Good indicates significant coverage and limited risk. |
| Very Good | 90 to 100 | Very Good indicates maximum coverage and minimal risk. |
How is the Framework Control Score calculated?
The framework control score is a weighted average of the mapped control scores. Primary controls are weighted more heavily than supporting controls in the calculation. Depending on the mapping, there may be zero, one, or many controls for every framework control. The score is a value between 0% and 100% (high risk to low risk).
The source (attested or predicted) and the answer are the contributing control score factors. The chart below shows the possible scores our analytics algorithm may assign a given control based on the response provided or predicted.
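The following is an added example, not ProcessUnity's scoring code, showing the shape of the calculation described above: a weighted average over mapped controls, with unscorable controls (N/A or Unavailable) excluded rather than counted as zero, and the resulting percentage labelled with the score bands from the table. The page does not publish the actual primary/supporting weights, so `PRIMARY_WEIGHT` and `SUPPORTING_WEIGHT` are assumptions, as are the sample controls.

```python
from dataclasses import dataclass
from typing import Iterable, Optional

# Assumed weights: the page says only that primary controls weigh more than
# supporting ones. The real ratio is not published.
PRIMARY_WEIGHT = 2.0
SUPPORTING_WEIGHT = 1.0

# Lower bound of each band, highest first. A score below 50 is Very Poor.
SCORE_BANDS = [
    (90, "Very Good"),
    (80, "Good"),
    (70, "Fair"),
    (50, "Poor"),
]


@dataclass
class MappedControl:
    control_id: str
    score: Optional[float]  # 0-100; None when the Score Basis is Attested NA or Unavailable
    primary: bool


def framework_control_score(controls: Iterable[MappedControl]) -> Optional[float]:
    """Weighted average of the mapped control scores, in percent.

    Controls without a score are skipped entirely, so an N/A answer neither
    raises nor lowers the result (matching the FAQ). Returns None when no
    mapped control is scorable, so an empty mapping is not reported as 0%.
    """
    weighted_sum = 0.0
    weight_total = 0.0
    for control in controls:
        if control.score is None:
            continue
        weight = PRIMARY_WEIGHT if control.primary else SUPPORTING_WEIGHT
        weighted_sum += weight * control.score
        weight_total += weight
    if weight_total == 0:
        return None
    return round(weighted_sum / weight_total, 1)


def rank_score(score: Optional[float]) -> str:
    """Map a framework control score to its interpretation band."""
    if score is None:
        return "Unavailable"
    for lower_bound, label in SCORE_BANDS:
        if score >= lower_bound:
            return label
    return "Very Poor"


# Constructed sample mapping: two primary and two supporting controls,
# one of which was answered N/A and therefore carries no score.
SAMPLE_CONTROLS = [
    MappedControl("GRX-1.1", 100, primary=True),
    MappedControl("GRX-1.2", 50, primary=False),
    MappedControl("GRX-1.3", None, primary=False),   # Attested NA, excluded
    MappedControl("GRX-1.4", 80, primary=True),
]


def example_score():
    score = framework_control_score(SAMPLE_CONTROLS)
    return score, rank_score(score)


if __name__ == "__main__":
    print(example_score())  # (82.0, 'Good') with the assumed weights
```

With the assumed 2:1 weighting the sample works out to (2*100 + 1*50 + 2*80) / 5 = 82.0, which lands in the Good band. Had the N/A control been counted as a zero-scored supporting control instead, the same mapping would have dropped to about 68.3 (Poor), which is why excluding N/A answers rather than zeroing them matters.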
How is the finding severity calculated?
A finding severity is calculated differently depending on whether the control is a MITRE control, a Critical Control, or neither of these. More information on the specific finding calculation logic can be found here.
How is the maximum impact data calculated? How do I use it?
Maximum impact is reported per control and is derived from your company's responses to that particular third party's Impact Questionnaire. Each control is mapped to at least one impact question. The maximum impact derived from the mapped impact question responses indicates the highest degree of impact your organization could experience if the given control lacked appropriate risk mitigation measures. The possible maximum impact values are:
- Significant: The third party manages or provides a critical service, function, or regulated duty for one or more business assets
- Moderate: The third party has routine access to sensitive resources, maintains infrastructure, or provides customized services for one or more business assets
- Minimal: The third party has only limited, ad hoc, or tightly controlled access to one or more business assets
- Least: The third party has little or no access, engagement, or involvement in any business asset
This can be used to identify which control findings are relevant in light of your business relationship with a given company. To best isolate the most relevant control findings, it is recommended that you use the filters in the Risk Navigator feature to show only findings with a 'Significant' or 'Moderate' maximum impact. The displayed data set will then include only the control findings for which your company has significant or moderate engagement with the third party.
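As an added example (not ProcessUnity's code), the snippet below derives a control's maximum impact by taking the highest level among its mapped impact question responses, then applies the recommended 'Significant'/'Moderate' filter to a list of findings. The control-to-question mapping, question responses and findings are constructed sample data; the real Impact Questionnaire identifiers are not on this page.

```python
from typing import Dict, Iterable, List, Sequence

# Impact levels from lowest to highest, as listed on this page.
IMPACT_ORDER = ["Least", "Minimal", "Moderate", "Significant"]

# Constructed mapping: each control maps to one or more impact questions.
# Question IDs are placeholders, not real questionnaire identifiers.
CONTROL_TO_QUESTIONS: Dict[str, Sequence[str]] = {
    "C1": ["Q1", "Q2"],
    "C2": ["Q3"],
    "C3": ["Q3", "Q4"],
}

# Constructed responses your company gave for this third party.
QUESTION_RESPONSES: Dict[str, str] = {
    "Q1": "Least",
    "Q2": "Significant",
    "Q3": "Minimal",
    "Q4": "Moderate",
}

# Constructed control findings to be filtered.
SAMPLE_FINDINGS: List[dict] = [
    {"control": "C1", "finding": "Control not in place"},
    {"control": "C2", "finding": "Control not in place"},
    {"control": "C3", "finding": "Control partially in place"},
]


def max_impact(control_id: str,
               control_to_questions: Dict[str, Sequence[str]],
               responses: Dict[str, str]) -> str:
    """Highest impact level among the impact questions mapped to the control.

    A control mapped to one 'Least' question and one 'Significant' question
    is reported as 'Significant': the worst case across mappings wins.
    """
    levels = [responses[q] for q in control_to_questions[control_id]]
    return max(levels, key=IMPACT_ORDER.index)


def relevant_findings(findings: Iterable[dict],
                      control_to_questions: Dict[str, Sequence[str]],
                      responses: Dict[str, str],
                      keep=("Significant", "Moderate")) -> List[dict]:
    """Keep only findings whose control has a maximum impact in `keep`."""
    result = []
    for finding in findings:
        impact = max_impact(finding["control"], control_to_questions, responses)
        if impact in keep:
            result.append({**finding, "max_impact": impact})
    return result


if __name__ == "__main__":
    for row in relevant_findings(SAMPLE_FINDINGS, CONTROL_TO_QUESTIONS, QUESTION_RESPONSES):
        print(row)
```

In the sample, C2 is mapped only to a 'Minimal' question and drops out of the filtered view, while C1 stays in because one of its two mapped questions was answered 'Significant'.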
Here is more information on how to answer the Impact Questionnaire.
Frequently Asked Questions (FAQ)
- Do “N/A” answers for a GRX Control negatively impact the Framework Control Score?
- Would a validated assessment change the Framework or GRX Control Score?
- What is the 'ProcessUnity GRX Assessment - Risk Domain' mapping the assessment results to?
- What do the statuses in the “Score Basis” column mean?
- What does each status in the “Validation Status” and "Evidence Type" columns mean?
- How can a control be 'Not Validated' but have Evidence Types provided?
- What do the statuses in the “Answer State” column mean?
- Where do I view third party provided comments for a given GRX sub-control?
- How is the "Finding Severity" data calculated?
Do “N/A” answers for a GRX Control negatively impact the Framework Control Score?
No. We do not hold “N/A” answers against the third party.
Would a validated assessment change the Framework or the GRX Control Score?
No. Validation does not change the scores calculated.
What is the 'ProcessUnity GRX Assessment - Risk Domain' mapping the assessment results to?
The 'ProcessUnity GRX Assessment - Risk Domain' framework is the default assessment mapping that is applied upon page load for a given company profile. It is a direct mapping to our GRX assessment, grouped by risk domains at the framework control group level. Due to the nature of how our mappings are performed, this mapping only includes question content and data at the sub-control level. It does not include maturity, control family, control level, or metric level questions. As a result, there are a total of 220 mapped controls in this framework when mapped to either a Tier 1 or Tier 2 assessment.
What do the statuses in the “Score Basis” column mean?
The Score Basis is used to let you know what type of data was used to calculate the scores. The statuses include:
- Attested Metrics – the control score is based on Tier 1 answers and includes strength, coverage, and timeliness fidelity
- Attested Control – the control score is based on Tier 2 answers at a Yes/No fidelity
- Attested NA – the control was answered with a 'Not Applicable' response
- Predictive Control – the control score is a predicted value
- Unavailable – neither predictive nor attested results are available for this control
What do the statuses in the “Validation Status” and "Evidence Type" columns mean?
The Validation Status column is used to inform the “state” of each mapped ProcessUnity GRX Control. The statuses include:
- Not Validated - the evidence was provided, but it was inadequate to determine if the control is in place
- Validated - all of the validation criteria have been met
- Not Selected - the GRX did not require evidence validation for this control
- Pending Review - the GRX Analysts are in the process of evaluating evidence provided by the Third Party
- Not Applicable - the control is not a GRX 60 critical control; the assessment being mapped to does not include validation.
The Evidence Type column is used to indicate what type of evidence was provided by a third party to validate a requested control. The statuses include:
- Written – evidence in a narrative documentation format. Examples include policies, procedures, emails, etc.
- Demonstrated – any type of primary, technical evidence. Examples include actual live demonstrations, screenshots, exports, etc.
- Verbal – any evidence which is self-attested. Examples include discussions, written notes or explanations, previously completed self-assessments, etc.
- No Evidence – evidence was not provided by the third party
- Not Applicable – control is not a GRX 60 Critical Control; assessment being mapped to does not include validation
How can a control be 'Not Validated' but have Evidence Types provided?
It is possible for a control that has an evidence type provided to be 'Not Validated'. This indicates that the third party did provide evidence, but it was not adequate to fully validate the control.
What do the statuses in the “Answer State” column mean?
The Answer State column is used to communicate the third party’s answer to the control question. The statuses include:
- Yes
- No
- NA (Not Applicable)
- Unavailable – The company did not have this control in their questionnaire
- Empty cell – Predictive mappings do not include an answer state
Where do I view third party provided comments for a given GRX sub-control?
The 'comment' column houses any comments provided by a third party for a given sub-control.
How is the "Finding Severity" data calculated?
Finding severity refers to the identification of a security, policy, or management weakness at the control level. The severity determination is based on a combination of the control’s effectiveness and classification, with controls deemed critical or instrumental in preventing MITRE ATT&CK scenarios given extra scrutiny.
A finding severity is calculated differently depending on whether the control is a MITRE control, a GRX Critical Control, or neither of these. More information on the specific finding calculation logic can be found here.