How to use Public Risk Waivers in Vendor Risk

Learn how to use public risk waivers provided by an organisation to save time chasing vendors for compensating control information

Written by Lisa Baldacchino

Organizations using BreachSight can choose to create and share their risk waivers to help other organizations understand the compensating controls they have in place for a given risk. Using risk waivers information shared by your vendors will save time having to chase that information directly with the vendor if you are satisfied with the compensating controls they have in place for a given risk.

When you are monitoring a vendor in UpGuard, you will be able to see if a vendor has any public (shared) risk waivers, review the information associated with those risk waivers, and choose to accept those risk waivers. This will remove the risk from that vendor's risk profile and adjust the vendor rating in the same way as a risk waiver created by a user within your own organisation.

In this article you will learn how to find public risk waivers available for your monitored vendors, review them, and choose to accept or ignore those waivers.

Viewing Public Risk Waiver information for Vendors

When you first monitor a vendor, you will be able to see, alongside their public overall security rating, whether they have public risk waivers available and the potential effect those waivers will have on that vendor's score. You will need to monitor the vendor to see the public risk waiver details, including the justification for waiving those risks.

If you are already monitoring a vendor, you will be able to see which vendors have public risk waivers available on the Vendors page, and you can see the potential effect that the public risk waivers will have on that vendor's score by hovering over the i icon next to the vendor's score.

From the Vendor Summary page you can see the count of pending public risk waivers, labeled as shared, and click through to review these risk waivers on the Risk Waivers page.

Public risk waivers created and shared by your vendor will be labeled as shared on the vendor's risk waiver screen. Public risk waivers that have not been reviewed will be labeled as pending. To review the detailed waiver information provided by the vendor, click the arrow to the right of a pending shared waiver.

Once you have reviewed the waiver information you can choose to accept the waiver, removing the risk from that vendor's risk profile and adjusting their rating accordingly. Alternatively, if you are not satisfied with the compensating control information provided by the vendor, you can choose to ignore that risk waiver.

If you have accepted the waiver, the status will be changed from pending to active. You can review and change the status of a waiver at any time.

If an organisation changes the conditions of a public risk waiver that you have accepted, you will receive a notification directing you to review the waiver. To learn more about how to configure your notifications see What are Notifications in UpGuard.
