Independent claim
1. A risk assessment system, the system comprising:
a database configured to store a set of information technology (IT) information risk factors, a set of business profile risk factors, a set of IT control risk factors, client entity information comprising at least one client entity, and third party entity information comprising at least one third party entity, where a third party entity in the third party entity information comprises publicly available data associated with the third party entity and an IT security control assessment associated with the third party entity, where the IT security control assessment measures IT information risk associated with network infrastructure of the third party entity;
memory configured to store a scoring application; and
a processor;
wherein an IT information risk factor in the set of IT information risk factors comprises relationship risk information, where the relationship risk information comprises relationship risk factors and a business relationship between a client entity in the client entity information and a third party entity in the third party entity information;
wherein a business profile risk factor in the set of business profile risk factors describes the risk to a client entity in the client entity information doing business with a third party entity in the third party entity information;
wherein an IT control risk factor in the set of IT control risk factors describes the maturity of IT security controls for a third party entity in the third party entity information;
wherein the database is configured to receive additional IT information risk factors and store the additional IT information risk factors in the set of IT information risk factors;
wherein the risk assessment system is accessible to a plurality of client machines, where at least one of the client machines in the plurality of client machines is associated with a client entity in the client entity information stored in the database;
wherein the risk assessment system is accessible to a plurality of third party machines separate from the plurality of client machines, where at least one of the third party machines in the plurality of third party machines is associated with a third party entity in the third party entity information stored in the database; and
wherein the scoring application configures the processor to:
select a target client entity in the client entity information;
select a target third party entity in the third party entity information;
generate a relationship risk score for the target client entity and the target third party entity based on the relationship risk factors and the business relationship between the target client entity and the target third party entity;
generate a business profile risk score based on the business relationship between the target client entity and the target third party entity and a subset of the set of business profile risk factors;
generate an IT control risk score based on a subset of the set of IT control risk factors associated with the target third party entity;
generate an IT information risk score based on the business profile risk score and the IT control risk score;
generate an IT risk score based on the IT control risk score and the relationship risk score;
generate a risk score based on the IT information risk score and the IT risk score, where the risk score describes the risk associated with the target client entity sharing data with the target third party entity; and
store the risk score using the database.
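The claim fixes only the data flow between scores (relationship, business profile and IT control scores feed an IT information risk score and an IT risk score, which combine into the final score that is stored). The following is an added worked example of that pipeline, written for this page and not taken from the patent or any product implementing it. Everything not stated in the claim is an assumption: the 0..100 score scale, the 0..5 control maturity scale, the per-breach penalty drawn from the third party's public data, the weights of every combination, the factor and service names, the in-memory dict standing in for the database, and the constructed sample client "BankCo" and third party "AcmePay".

```python
"""Added worked example of the claim-1 scoring pipeline (not the patent's code).
All weights, scales, factor names and sample data are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

MATURITY_MAX = 5          # assumed 0..5 control-maturity scale
BREACH_PENALTY = 10.0     # assumed points added per publicly reported breach

# Relationship risk factors (name -> weight); factor values are 0..1.
# Mutable so the system can "receive additional IT information risk factors".
RELATIONSHIP_FACTOR_WEIGHTS: Dict[str, float] = {
    "data_sensitivity": 0.4,  # sensitivity of the data shared (assumed)
    "access_level": 0.3,      # depth of network/API access into the client (assumed)
    "data_volume": 0.3,       # number of records exposed (assumed)
}

# Business profile risk factors keyed by service type (assumed values, 0..1).
BUSINESS_PROFILE_FACTORS: Dict[str, float] = {
    "payment_processing": 0.8, "hr_outsourcing": 0.7,
    "marketing_analytics": 0.4, "cloud_hosting": 0.9,
}


@dataclass
class ThirdParty:
    name: str
    public_data: Dict[str, float]       # publicly available data (constructed)
    control_assessment: Dict[str, int]  # control -> maturity 0..MATURITY_MAX


@dataclass
class Relationship:
    client: str
    third_party: str
    services: List[str]                 # selects the business profile subset
    factors: Dict[str, float]           # relationship risk factor values 0..1


def add_relationship_factor(name: str, weight: float) -> None:
    """Register an additional relationship risk factor with its weight."""
    if weight <= 0:
        raise ValueError("weight must be positive")
    RELATIONSHIP_FACTOR_WEIGHTS[name] = weight


def _weighted_mean(values: Dict[str, float], weights: Dict[str, float]) -> float:
    """Weighted mean over factors present in both dicts; weights renormalised."""
    present = [k for k in weights if k in values]
    if not present:
        raise ValueError("no scoreable factors present")
    total = sum(weights[k] for k in present)
    return sum(weights[k] * values[k] for k in present) / total


def relationship_risk_score(rel: Relationship) -> float:
    """0..100 score from the relationship risk factors."""
    if any(not 0.0 <= v <= 1.0 for v in rel.factors.values()):
        raise ValueError("relationship factor out of range")
    return round(100.0 * _weighted_mean(rel.factors, RELATIONSHIP_FACTOR_WEIGHTS), 2)


def business_profile_risk_score(rel: Relationship) -> float:
    """0..100 score over the subset of profile factors the relationship touches."""
    subset = [BUSINESS_PROFILE_FACTORS[s] for s in rel.services
              if s in BUSINESS_PROFILE_FACTORS]
    if not subset:
        raise ValueError("relationship names no known service")
    return round(100.0 * sum(subset) / len(subset), 2)


def it_control_risk_score(tp: ThirdParty) -> float:
    """0..100: low control maturity means high risk, plus a public-breach penalty."""
    levels = list(tp.control_assessment.values())
    if not levels or any(not 0 <= lv <= MATURITY_MAX for lv in levels):
        raise ValueError("invalid control assessment")
    immaturity = 1.0 - (sum(levels) / len(levels)) / MATURITY_MAX
    penalty = BREACH_PENALTY * tp.public_data.get("reported_breaches", 0)
    return round(min(100.0, 100.0 * immaturity + penalty), 2)


def it_information_risk_score(bp: float, itc: float) -> float:
    return round(0.5 * bp + 0.5 * itc, 2)        # assumed equal weights


def it_risk_score(itc: float, rel_score: float) -> float:
    return round(0.6 * itc + 0.4 * rel_score, 2)  # assumed weights


def risk_score(it_info: float, it_risk: float) -> float:
    """Final score for the client sharing data with the third party."""
    return round(0.5 * it_info + 0.5 * it_risk, 2)  # assumed equal weights


def rating(score: float) -> str:
    return "High" if score >= 75 else "Medium" if score >= 50 else "Low"


def assess(rel: Relationship, tp: ThirdParty, store: Dict[Tuple[str, str], dict]) -> dict:
    """Run the whole pipeline for one client/third-party pair and persist it."""
    r, bp, itc = relationship_risk_score(rel), business_profile_risk_score(rel), it_control_risk_score(tp)
    it_info, it_r = it_information_risk_score(bp, itc), it_risk_score(itc, r)
    final = risk_score(it_info, it_r)
    result = {"relationship": r, "business_profile": bp, "it_control": itc,
              "it_information": it_info, "it_risk": it_r,
              "risk_score": final, "rating": rating(final)}
    store[(rel.client, rel.third_party)] = result  # dict stands in for the database
    return result


# Constructed sample data.
SAMPLE_TP = ThirdParty("AcmePay", {"reported_breaches": 1},
                       {"mfa": 4, "patching": 2, "logging": 3, "network_segmentation": 1})
SAMPLE_REL = Relationship("BankCo", "AcmePay", ["payment_processing", "cloud_hosting"],
                          {"data_sensitivity": 0.9, "access_level": 0.5, "data_volume": 0.5})

if __name__ == "__main__":
    print(assess(SAMPLE_REL, SAMPLE_TP, {}))
```

Because `_weighted_mean` renormalises over the factors actually present, a factor registered later through `add_relationship_factor` changes only the relationships that supply a value for it, which is how the "receive additional IT information risk factors" step can be supported without re-scoring every stored pair.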