As suppliers sign up to the platform and complete their security profiles, you can set up your policies within Risk Ledger and assign supplier tags to automatically calculate a compliance score.
What is Compliance?
Compliance is a measure of how many of the security controls that a supplier has implemented align with the requirements that you have applied over that supplier, within your applicable policies.
💡 To calculate a supplier's compliance you must have tags applied to that supplier. If there are no tags applied, the compliance score will automatically sit at 100%, as there will be no policies applied over their assessment. If this is the case, the platform will display a warning message on the supplier overview page under the "Policies Applied" card on the right-hand side of the page.
How is The Compliance Score Calculated on Risk Ledger?
A supplier's compliance score is automatically calculated by looking at the applicable requirements in your policies and comparing them against the supplier's assessment to give you a percentage output as a score.
The Supplier Overview page gives you a quick snapshot of their overall compliance and highlights which domains are the most and least compliant.
You can view which controls are compliant and which non-compliant in detail by navigating to the "Assessment" tab.
You can filter for all compliant or non-compliant controls by selecting them in the "Filter by..." panel on the right-hand side of the page.
To view further context for a control you can expand the control by clicking into it. From there you can see what your policy requires and can take action from there either by starting a discussion with your supplier, requesting remediation, or applying an exemption to the control (see below).
Applying an Exemption to a Non-Compliant Control
💡 If a supplier marks a control as N/A but your policy requires that control to be in place, the platform will still mark that control as non-compliant. This is so that you do not miss any potential security gaps. To accept the N/A response as compliant, you can apply an exemption to the control.
An exemption makes a non-compliant control compliant. An exemption is a way for you to remove the requirement for a supplier to have a control implemented. You may want to do this if a supplier falls under a requirement that, upon examination, you don't think is relevant to them.
To apply an exemption, please follow the steps below:
Navigate to a supplier's assessment page.
Locate the control that you would like to apply non-compliance against. Please note that you can only apply non-compliance against a control that is compliant.
Click on the control to expand it. To apply non-compliance, click the "Apply Non-Compliance" button.
Enter a reason for applying the non-compliance and click "Apply Non-Compliance".
You can remove the non-compliance by following the above steps for a control on which a non-compliance has been applied and clicking the "Remove" button next to the "Non-Compliance Applied" box.
For non-compliant controls you can request that a supplier remediate the control.
Apply Bulk Exemptions or Non-Compliance:
You can apply exemptions or non-compliance to multiple controls at once by selecting the controls using the tick-box to the left of each control and clicking the "Apply to Selected" button in the top-right corner of the assessment page.
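The scoring rules described above (tag-gated policies, no tags giving 100%, N/A counted as non-compliant, exemptions, and applied non-compliance) modelled as a small worked example. This is an added illustration, not Risk Ledger's own code, and the policy names, control ids and supplier answers are constructed.

```python
from dataclasses import dataclass

# Illustration of the article's scoring rules (not Risk Ledger's code); data below is constructed.

@dataclass(frozen=True)
class Policy:
    name: str
    tags: frozenset        # a policy applies if the supplier carries any of these tags
    required: frozenset    # control ids the policy requires to be implemented

def applicable_requirements(policies, supplier_tags):
    """Union of required controls across every policy whose tags match the supplier."""
    required = set()
    for policy in policies:
        if policy.tags & supplier_tags:
            required |= policy.required
    return required

def control_status(control, answers, exemptions, applied_non_compliance):
    """Status of one required control after exemptions and manual overrides."""
    if control in applied_non_compliance:   # reviewer marked a compliant control non-compliant
        return "non-compliant"
    if control in exemptions:               # reviewer removed the requirement for this control
        return "compliant"
    # Only an implemented control counts; "N/A", "no" or a missing answer is a gap.
    return "compliant" if answers.get(control) == "implemented" else "non-compliant"

def compliance_score(policies, supplier_tags, answers,
                     exemptions=frozenset(), applied_non_compliance=frozenset()):
    """Return (percentage, per-control statuses). No applicable policy -> 100%."""
    required = applicable_requirements(policies, supplier_tags)
    if not required:
        return 100.0, {}
    statuses = {c: control_status(c, answers, exemptions, applied_non_compliance)
                for c in sorted(required)}
    compliant = sum(1 for s in statuses.values() if s == "compliant")
    return round(100 * compliant / len(required), 1), statuses

# Constructed sample data: two policies, one supplier assessment
POLICIES = (
    Policy("Baseline", frozenset({"all"}), frozenset({"A1", "A2"})),
    Policy("Data processor", frozenset({"data-processor"}), frozenset({"B1", "B2"})),
)
ANSWERS = {"A1": "implemented", "A2": "implemented", "B1": "N/A", "B2": "no"}

if __name__ == "__main__":
    tags = {"all", "data-processor"}
    print(compliance_score(POLICIES, tags, ANSWERS))                     # 50.0: B1 (N/A) and B2 are gaps
    print(compliance_score(POLICIES, tags, ANSWERS, exemptions={"B1"}))  # 75.0: exemption accepts the N/A
```

Removing the "data-processor" tag drops the second policy from the calculation, and a supplier with no tags at all scores 100% because nothing is required of them.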