Portfolio Insights performs portfolio-level mappings to a selected framework or threat profile so that you can easily identify, evaluate, and prioritize your poorest-performing third parties and underperforming controls from the most meaningful perspective for your risk management activities.
Table of Contents
- How to use Portfolio Insights?
- Portfolio Insights Data Interpretation
- Why would I want to use Portfolio Insights?
- What is in the downloadable excel report?
- Can I use a custom framework with Portfolio Insights?
How to use Portfolio Insights?
- Access this feature by clicking the Portfolio Insights icon on the left navigation bar.
- When the page loads, your portfolio is automatically mapped to the 'ProcessUnity Cyber Risk Questionnaire' framework.
- To map to a different framework, select one in the dropdown; the mapping begins immediately. The three frameworks your company's users map to most frequently are listed at the top for quick access.
- The visuals populate when the mapping is complete. Priority Third Parties represents your top 50 poorest-performing third parties. Risk Registry Priorities lists the poorest-performing controls shared by priority third parties.
- To filter your dataset, choose from three options: Inherent Risk, Industry, and Tags. If you have filters applied and choose to export the data to an Excel file, those filters will be applied across the entire Excel document.
- To export the data found in the visuals, or to access your entire portfolio dataset beyond the top 50 third parties, download the data as an Excel file by selecting the ellipsis in the top right.
By clicking Download Excel, you're able to customize a downloadable report with the selection options below:
- To map a different framework, you may select one from the dropdown.
Portfolio Insights Data Interpretation
A ranking system is applied to all framework scores found in the Priority Third Parties visual to put each score in context. This ranking is also shown alongside each company's framework score throughout the Excel file. The score ranking system is as follows:
| Score Interpretation | Framework Score Ranges | Description of Framework Score Rating |
| --- | --- | --- |
| Very Poor | 0 to 49 | Very Poor indicates minimal coverage and substantial risk. |
| Poor | 50 to 69 | Poor indicates some coverage and significant risk. |
| Fair | 70 to 79 | Fair indicates moderate coverage and risk. |
| Good | 80 to 89 | Good indicates significant coverage and limited risk. |
| Very Good | 90 to 100 | Very Good indicates maximum coverage and minimal risk. |
Framework scores are calculated by defaulting to attested control data, when available, and supplementing with predictive data where attested data is lacking. The number of attested controls used, out of the total controls included in the selected framework, is listed alongside each company. If a company's attested count shows 0 out of XX total, predictive data was used for every control in the framework to calculate the overall score. In that case, you do not have access to attested data for any of the controls included in the framework.
For more information regarding how the data itself is calculated, refer to this article.
Why would I want to use Portfolio Insights results?
Portfolio Insights is a powerful tool that can help you organize and understand the potential risks hidden inside your portfolio. Here are a few uses listed to help you get started:
- If you have no context for what is happening in your portfolio, you can view it through a Framework or Profile of your choosing to find its problem areas: who your riskiest vendors are and which of your controls are most vulnerable.
- If you have limited time, money, or resources, you can select a Framework or Profile most relevant to your operations and then systematically decide which vendors or controls you want to tackle first. With a vendor, you can quickly reduce their access to data, request proof of coverage, request an assessment, or replace the vendor. If instead you have a vulnerable control across your entire portfolio, you can begin an internal mitigation strategy to be ready when the vulnerability is exposed.
- If compliance is a concern, you can select the appropriate compliance Framework to test which vendors could negatively impact your standings.
- If security is your primary focus, selecting an appropriate Threat Profile can give your security team the information on where to look for potential vulnerabilities.
- If you need to vet multiple vendors, you can add custom tags to each vendor and then test them through a Framework or Profile vital to you, so you can focus only on the vendors whose risk is acceptable to your organization.
What is in the downloadable Excel report?
The Excel report contains all the information from Portfolio Insights, presented differently across multiple sheets so that you can decide how you want to use the data.
- Priority Third Parties (Top 50) - This lists your riskiest vendors, ordered from most risky to least risky, for the Framework or Profile selected. This is an opportunity to get a big-picture view of which vendors can potentially be problematic.
- Risk Registry - This view shows each vendor and every one of their unmet controls. This enables you to get granular and see where your vendors are leaving you vulnerable.
- Risk Registry Priorities - This is a “control” focused list that shows you the most common unmet control and associated vendors. This gives you a big-picture view of vulnerable controls that are shared across all of your vendors.
- Full Portfolio - This sheet offers a view of all vendors in your portfolio with their corresponding Framework Score, whether their calculation was based on Attested or Predictive data, the number of Controls at Risk, and whether their Inherent Risk is High, Medium, Low, or Unconfirmed (meaning we do not have data yet).
- Framework Reference - A mapping of the Framework to the corresponding CyberGRX assessment.
Can I Use a Custom Framework with Portfolio Insights?
Yes. Your Custom Framework should be an option from the dropdown menu containing our Frameworks and Threat Profiles library. If you do not see it, please get in touch with Customer Success.