The purpose of this document is to outline the steps required to include compensating controls for risk-affecting issues detected during a Network and Security Assessment, and to prevent those issues from affecting your client's risk score and overall issue score.
The Client Risk Report included with the Network Assessment Module and the Security Risk Report included with the Security Assessment Module contain 2 scores to illustrate the risk-affecting issues on the network.
Risk Score - The risk score is the value of the Issue that poses the greatest risk on the network.
Overall Issue Score - The Overall Issue Score is the sum total of all the issues detected on the Network.
While these scores are based on industry-wide best practices, there will be cases where MSPs have their own best practices for guarding against these risks, or where a false positive is contributing to the risk-affecting issues. For these reasons, Rapidfire Tools has included the option of generating an Issue Exceptions worksheet, which allows users to include compensating controls and prevent these issues from affecting the scores.
The process for utilizing an Issues Exception worksheet is as follows:
Complete your Network and/or Security Assessment in its entirety. This means all required checklist items have been satisfied. See the example below. Notice there are 0 required items for both the Network and Security Assessment portions of the project.
NOTE: The option to Generate an Issue Exceptions Worksheet will remain grayed out until ALL the required checklist items have been satisfied.
Once all the checklist items of the project have been satisfied, click the Generate Issues Exceptions button in the Inform section of the project (see below). This will build the worksheet with all the issues listed in the risk reports.
Open the worksheet to review the list of risk-affecting issues. Adding a compensating control in the Optional Response field for a specific issue will prevent that issue from affecting the Risk Score and reduce the value of the Overall Issue Score in the Client Risk Report. It will also strike through the issue in the report and include your response below the issue, explaining your compensating control.
Save the Issues Exceptions worksheet and generate your Client Risk Reports and Management Plan reports again (see below). In the example below, the Overall Issue Score went down by 507 points, and the issue is struck through with the compensating control below it.
BEFORE Compensating Control:
AFTER Compensating Control: