How to use risk waivers in BreachSight

Learn how to use risk waivers to accept identified risks in your own infrastructure with UpGuard.

Written by Abi Tyas Tunggal

Risk waivers enable you to accept specific web risks that have been automatically detected for your company. Accepting a risk for a given set of websites stops the risk from appearing in the Risk Profile and from affecting the internally reported score for your company. Note that it does not change how your risk profile and score appear if someone outside your company looks them up.

Risk waivers can be used when UpGuard identifies a risk that, in your particular case (often due to compensating controls you have in place), is not actually a risk.

Creating a risk waiver

To create a new risk waiver, first navigate to the Risk Profile page. From there, you can click on “Create risk waiver” or click on the Risk Waivers sub-menu item in the sidebar navigation.

When creating a new risk waiver, you must first select the risk that you want to waive. Then you may choose to create this waiver for all domains & IPs, or selected domains & IPs. If you waive a risk for all domains & IPs, the risk is waived for all assets that currently have that risk detected, plus all assets that have it detected in the future.

On the next step, you can specify whether this waiver requires approval from someone other than yourself. If it does not require approval, it will become active immediately. Your account admin can set approval control via the Settings page, to nominate authorized approvers and institute a mandatory approval step.

Next, you can choose to make this risk waiver public or keep it private, and set an expiry date for the waiver. If a waiver has an expiry set and it elapses, the waiver will become inactive and the waived risk will again start impacting your risk profile and overall score. You will be sent a reminder before the risk waiver expires.

Managing risk waivers

The Risk Waivers screen (accessible via a sub-menu in the side navigation when the Risk Profile page is selected) allows you to view all current and past waivers for your company.

To see the details of a waiver, click on its row in the table. Depending on the status of a given waiver, you can cancel it, change its approver, or change its expiry date.

Only risk waivers that are “active” impact your risk profile and overall score. 
