Release Notes - 2024 September

Control Assessment Sources
You can now check where your control ratings for Capability, Coverage, and Reliability come from—whether it's a specific Questionnaire, a manual update, or an automated process. You will be able to view the tags associated with these controls.

Related customer feedbacks addressed:

• Updated rationale without changing maturity.  

• Added risk and likelihood indicators at the group level.  

• Improved UI Navigation for editing a group.

SAFE creates Known Hacks based on your environment's vulnerabilities, helping you stay ahead of potential threats. You can find these scenarios in the new Known Hacks tab within the Risk Scenario List. Each Known Hack gives you detailed info, like what it is and when it was first noticed.

You can now identify risks to your organization from specific threat actors or groups. You can also compare your organization's security with active threat groups and get helpful tips on preventing these threats. You can find these threat actors in the new Threat Actor tab within the Risk Scenario List.
You can find more information about each threat actor, like Geography, Industry, Attack Surface and when it was first noticed. You can view the list of all threat actors under Threat Center > Threat Actor.

You can now easily duplicate Risk Scenarios (RS) across multiple groups. This allows you to apply the same settings to different groups without having to recreate them.

SAFE now lets you set different auto-deletion times for various asset types. You can specify how long assets stay in the system based on the attack surface, like keeping cloud assets for just 2 days and people assets for 100 days. Customize these settings in the advanced section to manage your attack surface more effectively and keep your risk posture updated.

We've added a new interactive widgets for prioritizing Findings. You can choose between pie or bar charts and customize these at the Group, Risk Scenario, or Control level. The widgets cover key data points like Age of Findings, Exploitability, Finding Score, Source, Type, Failed Asset Count, and CAM Controls. This new widget helps you better visualize and prioritize your Findings.

All existing GCP SSC integration with SAFE has been updated to use Google's recommended new APIs.

Tanium Integration now includes the ability to pull fully qualified domain names alongside tag imports.

You can use filters to narrow down the questionnaires in the library. Additionally, the search feature lets you quickly find any specific questionnaire for easy navigation.

SAFE now inherently supports automated discovery of 50+ fourth parties for each third party. Additionally, you can also manually add and assess fourth parties connected to your third-party vendors. Just click Add Fourth Party, choose the organization, go to the Fourth Party tab, and link it. Then, click Evaluate Risk to manage the risks. It helps you see any security issues and automatically find SaaS vendors, making it easier to handle risk management with your subcontractors.

You can now upload and organize important documents related to third-party assessments and compliance in the Evidences tab. While uploading, tag documents to specific controls listed in the dropdown, and view them on the Controls Page. Admins and document owners can manage, download, and edit documents, while uploads support PDF, CSV, and image formats. You can also search and filter evidence by controls.

This new dashboard is specifically designed to provide a clear view of third-party risks with useful widgets and insights. You can find and add this dashboard from the Dashboard section of SAFE.

You can now easily export Outside-in Findings and Outside-in Risk reports for better collaboration and detailed analysis. To download a report, select any organization, go to the Outside-in tab, and choose the report from the dot menu.

SIG Core 2022

SIG Lite 2024

Generic Third Party Risk Assessment: Any organization can use this Questionnaire for Third party risk assessment.

We've added a Third Party Settings page where you can customize smart tiering and set risk tolerance for your organization. Adjust tiers based on criteria like business resources (Network, Data, and others) and risk levels, and rename or modify them as needed.

These settings are also shown in the filter columns:
a. Inherent Risk: Shows how critical (Tier 1, Tier 2, or Tier 3) the third party is to the enterprise, based on the business resources involved with them.
b. Residual Risk: Categorized by parameters of Likelihood or Loss Magnitude as defined in the Risk Threshold. If both Likelihood and Loss are above the threshold, the risk is High. If either is above the threshold, it’s Medium, and if both are below the threshold, it’s Low.