Security Profile
- Overview
- Navigate Security Profile
- Controls and checks
- Review checks
- Mark a control as not applicable
- Change control template
Overview
Security Profile gives you an overall snapshot of your vendor’s security posture by assessing evidence against specified controls.
- Monitor and tier a vendor. A vendor’s tier determines which control framework they’re evaluated against. We’ve created four pre-built default control templates and mapped them to tiers, but you can tailor these or build your own using our library of 500+ checks.
- Upload evidence. Evidence fuels Security Profile; it’s what we use to understand whether (or how fully) checks are met. In most cases you’ll add evidence, but for some of our customers’ most common vendors, UpGuard has pre-added publicly available relevant evidence for you.
- Analyze. UpGuard’s AI parses the evidence, comparing it to the designated controls. Security Profile flags risks and highlights where controls are not, partially, or fully implemented (or where there’s no evidence).
From here, you’ll work through the evaluation and take stock of the vendor’s security posture. You can make any necessary adjustments, kick off a remediation workflow for risks, request additional evidence, and ultimately run an assessment.
Navigate Security Profile
Security Profile is available for any vendors you’re currently monitoring.
- Click the Vendor Risk icon in UpGuard’s left-hand navigation panel.
- Ensure you’re on the Vendors tab.
- Select a vendor (or monitor a new vendor).
- Select Security Profile from the expanded options under the vendor’s name in the left-nav.
- Summary. A donut chart showing how many controls the vendor is being evaluated against and, for each, whether evidence is missing or the control is not, partially, or fully implemented.
- Controls. Lists all of the controls the vendor is being evaluated against. Click a control to see a description and contributing checks.
- Control management. Shows the control template currently being used. Use this dropdown to: switch to another control template, modify the controls for this specific vendor, or manage templates.
- Gap questionnaire details. Sent gap questionnaires appear here. Click the status to see questionnaire details.
- Risk assessment details. Start a risk assessment from here or view details about in-progress or completed assessments.
- Evidence. Add or view evidence associated with the vendor.
- Domains and IPs. View or filter the vendor domains and IPs included in the evaluation.
Controls and checks
The Controls section shows all of the controls a vendor is currently being evaluated against on Security Profile.
Control hierarchy
Security Profile uses a hierarchical structure to organize and categorize checks. From highest to lowest level:
| Term | Description |
| --- | --- |
| Domains | 7 top-level categories (e.g. asset management, risk management). Domains are used strictly for organizational purposes. |
| Family | Subcategories within a domain (e.g. DNS security, website security). Used strictly for organizational purposes. |
| Controls | An overall objective made up of one or more checks. These are what you see listed on the Controls panel in Security Profile. |
| Checks | A specific criterion that contributes to a parent control. When there is corresponding evidence, checks are either marked as ‘passed’ or flagged as a risk (and assigned a severity). There are 500+ available checks. |
Control statuses
Controls are assigned one of four statuses based on available evidence. Before evidence is added, most (or all) controls will say “No evidence”. That’s expected; statuses will start updating as you gather evidence.
| Control status | Definition |
| --- | --- |
| Fully implemented | All checks for a given control are met. |
| Partially implemented | Some checks for a given control are met, and some require further evidence. |
| Not implemented (risks found) | At least one risk was identified for a given control. |
| Evidence required | There is no evidence to inform the status of a given control. |
Check results
UpGuard scans the evidence you upload and runs its own automatic scanning to evaluate checks. Each check has one of three results:
- No evidence: there is no evidence to evaluate whether this check is a risk or passed.
- Risk detected: a risk associated with this check was found. You’ll see a severity associated with the detected risk.
- Check passed: no risks associated with this check were found.
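The two tables above describe how check results roll up into a control status and into the Summary donut. The following is an added example (not UpGuard’s code) that models that roll-up, plus the N/A behaviour described later on this page (an N/A control is no longer assessed but its risks stay visible). Check names and the precedence of a detected risk over missing evidence are assumptions.

```python
from collections import Counter
from enum import Enum


class CheckResult(str, Enum):
    NO_EVIDENCE = "No evidence"
    RISK_DETECTED = "Risk detected"
    CHECK_PASSED = "Check passed"


class ControlStatus(str, Enum):
    FULLY = "Fully implemented"
    PARTIAL = "Partially implemented"
    NOT_IMPL = "Not implemented (risks found)"
    EVIDENCE_REQUIRED = "Evidence required"
    NOT_APPLICABLE = "N/A"


def control_status(checks, not_applicable=False):
    """Derive a control's status from its child checks, following the status table."""
    if not_applicable:
        return ControlStatus.NOT_APPLICABLE
    results = list(checks.values())
    # Assumption: one detected risk outranks any amount of missing evidence.
    if any(r is CheckResult.RISK_DETECTED for r in results):
        return ControlStatus.NOT_IMPL
    if results and all(r is CheckResult.CHECK_PASSED for r in results):
        return ControlStatus.FULLY
    if any(r is CheckResult.CHECK_PASSED for r in results):
        return ControlStatus.PARTIAL
    return ControlStatus.EVIDENCE_REQUIRED


def summary(controls):
    """Counts behind the Summary donut; N/A controls are not counted as evaluated."""
    counts = Counter(control_status(c["checks"], c.get("na", False)) for c in controls.values())
    evaluated = sum(n for s, n in counts.items() if s is not ControlStatus.NOT_APPLICABLE)
    return evaluated, counts


def risks(controls):
    """Risk Profile view: every flagged check, including those under N/A controls."""
    return [(name, chk) for name, c in controls.items()
            for chk, r in c["checks"].items() if r is CheckResult.RISK_DETECTED]


# Constructed sample: four controls with hypothetical check names.
SAMPLE_CONTROLS = {
    "DNS security": {"checks": {"DNSSEC enabled": CheckResult.CHECK_PASSED,
                                "SPF record present": CheckResult.CHECK_PASSED}},
    "Website security": {"checks": {"HSTS header": CheckResult.CHECK_PASSED,
                                    "TLS 1.0 disabled": CheckResult.RISK_DETECTED}},
    "Incident response": {"checks": {"IR plan documented": CheckResult.NO_EVIDENCE,
                                     "IR plan tested": CheckResult.CHECK_PASSED}},
    "Physical security": {"checks": {"Badge access": CheckResult.NO_EVIDENCE}, "na": True},
}
```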
Review checks
- Click the Vendor Risk icon in UpGuard’s left-hand navigation panel.
- Ensure you’re on the Vendors tab.
- Select a vendor (or monitor a new vendor).
- Select Security Profile from the expanded options under the vendor’s name in the left-nav.
- Use the icons next to a control to see if evidence is missing, if the control has associated risks, or if it’s been fully implemented.
- Click a control from the Controls list.
- Review the icons to the left of each check to see if the check passed, is a risk, or is missing evidence.
- Click Manage risk on checks where a risk is detected.
- Select Request remediation or Waive this risk. Each option takes you to the corresponding workflow: either risk remediation or risk waiver.
Mark a control as not applicable
Mark a control as N/A when the vendor should not be evaluated against that control. This section covers exempting a vendor from a particular control. To exempt the vendor from an individual check instead, apply a different control template, create a custom template, or edit an existing template.
- Click the Vendor Risk icon in UpGuard’s left-hand navigation panel.
- Ensure you’re on the Vendors tab.
- Select a vendor (or monitor a new vendor).
- Select Security Profile from the expanded options under the vendor’s name in the left-nav.
- Click a control from the Controls list.
- Click Mark as N/A.
- Select Yes, mark as N/A.
The control will still be visible on Security Profile (marked as N/A), and the vendor will no longer be assessed against it. Any risks associated with the control will still be visible on Risk Profile.
Change control template
Control templates are automatically applied to a vendor based on their tier. You can update the template the vendor is being assessed against at any point.
❗ Manually changing a vendor’s control template removes it from the automatic update flow. Example: tier 3 vendors are assigned the ‘Lite controls’ template. You make an update so that tier 3 vendors now use the ‘Core controls’ template. UpGuard automatically moves your tier 3 vendors to the ‘Core controls’ template, but this automatic change does not apply to vendors whose template was manually changed.
- Click the Vendor Risk icon in UpGuard’s left-hand navigation panel.
- Ensure you’re on the Vendors tab.
- Select a vendor (or monitor a new vendor).
- Select Security Profile from the expanded options under the vendor’s name in the left-nav.
- Click the dropdown showing the currently applied control template, in the upper-right corner of the Controls panel.
- Select a template from the dropdown.
- Select Switch template.
The list of controls will immediately update and you’ll see how the vendor performs against these controls.
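To make the callout above concrete, here is an added example (not UpGuard’s code) that models the tier-to-template mapping, a manual switch, and a later tier-mapping change: only vendors that were never manually switched follow the automatic update. Vendor names, tier numbers other than 3, and the non-tier-3 template names are constructed placeholders.

```python
from dataclasses import dataclass


@dataclass
class Vendor:
    name: str
    tier: int
    template: str
    template_pinned: bool = False  # True once the template was changed manually


def assign_by_tier(vendor, tier_templates):
    """Automatic assignment: the vendor's tier decides its template."""
    vendor.template = tier_templates[vendor.tier]
    vendor.template_pinned = False


def switch_template(vendor, template):
    """The manual 'Switch template' action; takes the vendor out of the automatic flow."""
    vendor.template = template
    vendor.template_pinned = True


def update_tier_mapping(vendors, tier_templates, tier, new_template):
    """Change which template a tier uses; only vendors not manually switched follow it."""
    tier_templates[tier] = new_template
    updated = []
    for v in vendors:
        if v.tier == tier and not v.template_pinned:
            v.template = new_template
            updated.append(v.name)
    return updated


def demo():
    # Constructed mapping: 'Lite controls' and 'Core controls' are from the page's example,
    # the tier 1 template name is a placeholder.
    tier_templates = {1: "Tier 1 template (placeholder)", 3: "Lite controls"}
    vendors = [Vendor("Vendor A", 3, ""), Vendor("Vendor B", 3, ""), Vendor("Vendor C", 1, "")]
    for v in vendors:
        assign_by_tier(v, tier_templates)
    switch_template(vendors[0], "Core controls")  # Vendor A changed by hand
    updated = update_tier_mapping(vendors, tier_templates, 3, "Core controls")
    return updated, {v.name: (v.template, v.template_pinned) for v in vendors}
```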