Your CSR score is a weighted average of the CSR scores of your domains and the CSR scores of the monitored vendors that you have marked as in-use. Each domain score is in turn a weighted sum of the risks that have been identified for that domain, with more severe risks weighing the score down more. If you have asked any of your monitored vendors to complete a questionnaire and potential risks are identified from their responses, those risks also factor into the vendor's score, and in turn into your score if you have marked that vendor as in-use.
Risks identified on your own domains are weighted higher than those identified for your in-use vendors. You should therefore start by focusing on your own external risk posture. Navigate to your Risk Profile and identify high-severity risks on your own domains.
Next, focus on your in-use vendors. On your Risk Profile page, locate the risk category "Vendors have potential security risks" to identify which vendors to focus on first. You can request remediation from vendors both for risks with their external web assets and for risks identified through questionnaires.
Scores are calculated whenever websites are scanned or questionnaires are submitted. Websites are scanned at least once a day, so for companies with multiple websites, scores are generally calculated multiple times a day.
As changes are made to websites (for instance, to remediate risks), these changes should appear in CyberRisk within 24 hours. Certain changes, however, may take longer (up to 2 weeks). This delay occurs for a number of reasons, including, for instance, ensuring that false positives don't appear in the scan results. If you believe a risk is still being incorrectly identified after a 2-week period, please contact UpGuard Support or your Account Manager to investigate further.