Panorays

Panorays automates third-party security. The platform provides organizations with a 360-degree view of the vendor that considers the business and technology relationships. Panorays' security rating reflects a continuous view of the vendor’s attack surface together with the vendor’s responses to an automated security questionnaire. Panorays is a SaaS-based platform, with no installation needed.

Release history

Last updated: August 2020

Overview of Panorays

Key features and benefits

Panorays integrates with Archer to provide additional Cyber Intelligence and Risk information. Panorays cyber assessment and questionnaire ratings are synchronized with Archer – giving Archer users a continuous cybersecurity overview for their managed Third Parties.

The Panorays integration allows you to:

  • Synchronize cybersecurity risk and posture ratings from Panorays to Archer.

  • Synchronize questionnaire status and ratings from Panorays to Archer.

  • Review Panorays third party information inside Archer.

  • Schedule automated updates from Panorays.

Requirements

| Components | Requirement |
|---|---|
| Archer Solution | Third Party Governance |
| Archer Use Case | Third Party Catalog |
| Archer Applications | Third Party Profile |
| Requires On-Demand License | No |
| Panorays | Panorays API token. If you do not have an API token, please contact support@panorays.com. |

Integration notes

  • The Panorays Suppliers data feed will only update existing Third Party Profile records in Archer. It will not create any new records, unless customized to do so.

  • The integration uses the Archer “Third Party Name” field as the key identifier to match with Panorays “Supplier Name”. This will only match and update records based on this field.

Configure the Panorays integration

This section provides instructions for configuring Panorays with Archer. This document is not intended to suggest optimum installations or configurations.

It is assumed that the reader has both working knowledge of all products involved, and the ability to perform the tasks outlined in this section. Administrators should have access to the product documentation for all products in order to install the required components.

All Panorays components must be working prior to the integration. Perform the necessary tests to confirm before proceeding.

Important: The integration described in this guide is being provided as a reference implementation for evaluation and testing purposes. It may or may not meet the needs and use cases for your organization. If additional customizations or enhancements are needed, it is recommended that customers contact Archer Help for assistance.

Configure Archer

Task 1: Add fields to the third party profile layout

  1. Panorays fields need to be added to the Third Party Profile application (Administration > Application Builder > Applications > Third Party Profile > Layout).

  2. Create the following fields as Text fields and use the default field configuration. Panorays Risk Rating should be a values list field type.

| Field Name | Field Type |
|---|---|
| Panorays Company ID | Text |
| Panorays Risk Rating | Values List (Values: Bad, Poor, Fair, Good, Excellent) |
| Panorays Posture Rating | Text |
| Panorays Inquiry Rating | Text |
| Panorays Inquiry Status | Text |
| Panorays Business Impact | Text |
| Panorays Created By | Text |
| Panorays Created Date | Text |

  3. Add an additional tab to the Third Party Profile layout and add the Panorays fields.

  4. Save the Third Party Profile application.

Task 2: Import the Panorays_Suppliers data feed

  1. Download the Panorays integration package from the Archer Exchange.

  2. Administration > Integration > Data Feeds > Import. Select the Panorays_Suppliers dfx5 file.

  3. General Tab - Change the status of feed from “Inactive” to “Active”.

  4. Transport Tab > Data Request Properties > Head Parameters: Replace “--Enter Panorays API Token--” with your Panorays API token.

  5. Data Map Tab - Map the source fields to the target fields:

| Source Field | Target Field |
|---|---|
| name | Third Party Name |
| id | Panorays Company Id |
| risk | Panorays Risk Rating |
| posture_score | Panorays Posture Rating |
| inquiry_score | Panorays Inquiry Rating |
| inquiry_status | Panorays Inquiry Status |
| business_impact | Panorays Business Impact |
| insert_ts | Panorays Created Date |
| created_by | Panorays Created By |

Note (optional): In the Data Map Tab > Update/Archive tab, you have the option to create new records or leave the default settings as update only. Creating new records may produce duplicate records if the Key Field Definition in Archer (“Third Party Name”) does not match a Panorays “Supplier Name”.

  6. The Key Field Definition is pre-configured.

  7. Save the Data Feed.

  8. Test and configure the Data Feed schedule in the Schedule Tab.

Using the Panorays integration

The integration synchronizes Third Party cyber data from Panorays into the Archer Third Party Catalog. Each Third Party in Archer is populated with the Panorays high-level Supplier assessment information:

Panorays Risk Rating

Panorays’ Cyber Risk Rating is a combined “bottom-line” rating of all of the cyber data available about a supplier on Panorays, incorporating the Cyber Posture Rating, Security Inquiry Rating, and Business Impact.

Unique to Panorays, the Cyber Risk Rating enables security professionals to make quick decisions based on this bottom-line view of risk. Security professionals can use the Cyber Risk Rating as follows:

  • In the vetting process, including RFI and M&A, it can establish a threshold that suppliers need to meet to do business with a company. For example, a company may decide to work with suppliers with a minimum Cyber Risk Rating of “good.”

  • To quickly identify significant changes in a supplier’s risk, including a rating drop or critical findings, that companies need to act on.

  • It serves as input for higher-level risk platforms like RSA Archer.

The Cyber Risk Rating has five levels:

  1. Bad

  2. Poor

  3. Fair

  4. Good

  5. Excellent

The Cyber Risk Rating is highly influenced by the evaluator-supplier relationship. The same supplier can have a different Cyber Risk Rating for different evaluators based on context. Unlike the Cyber Posture Rating, the Cyber Risk Rating is more dynamic, as it can be affected by periodic events such as critical findings and breach news.

The Cyber Risk Rating makes sure evaluators are focusing on the right suppliers at the right time. Reports can be created in Archer to show all the Vendors with a specific Panorays Cyber Risk Rating.

Panorays Posture Rating

This rating, from 0–100, reflects an overview of the third party’s cyber posture. This rating is a calculated average of ratings for each layer of the supplier’s digital perimeter. Specifically, ratings represent the cyber resilience of three layers:

  • Network & IT – parameters involving web servers, mail servers, DNS, TLS, and more.

  • Application – parameters involving technologies, application security, domain attacks, and more.

  • Human – parameters involving social posture, presence of dedicated security team, and more.

The Cyber Posture Rating provides an objective representation of the company’s attack surface.

Panorays Inquiry Rating and Status

This rating, from 0–100, is based on the third party’s responses to a customized security inquiry. The inquiry is a smart and automated questionnaire that is based on the business and technology relationship between the third party and the company.

The Panorays platform provides a built-in inquiry, or a company can use its own customized inquiry. The company may also decide on various weights for certain standards and which standards to mandate. The inquiry is an optional component in the Panorays platform, and the administrator can follow operational progress by using the “Inquiry Status” field.

Panorays Supplier Information

  • Business Impact – Third Party impact on organization due to a cybersecurity incident.

  • Company Id – Panorays unique identifier.

  • Created By – Panorays user that added the supplier to the platform.

  • Created Date – date supplier was added to the Panorays platform.

Certification environment

Date Tested: June 2020

| Product Name | Version Information | Operating System |
|---|---|---|
| Archer | 6.8 | Windows |
| Panorays | NA | SaaS |

Troubleshooting

  1. Verify that your Panorays API token is valid:

    curl -H "Authorization: Bearer ${TOKEN}" -H "Content-Type: application/json" -X GET "https://api.panoraysapp.com/v1/suppliers"

  2. Verify the Third Party Profile “Third Party Name” matches the Panorays “Suppliers Name” field in the API.

  3. Check the Data Feed logs under the “Run Details” in the Schedule Tab, and also check the log files on the Archer server.
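
The name check in the troubleshooting list can be scripted before the feed runs. The following is an added example, not part of the Panorays integration package or Archer: it compares supplier records against a list of Archer “Third Party Name” values and also flags risk values outside the values list from Task 1. The sample records, the assumption that the API returns a JSON array of supplier objects, and the function names are constructed for illustration; only the field names come from the Data Map table.

```python
import json
import re
from collections import Counter

# Values allowed by the "Panorays Risk Rating" values list created in Task 1.
RISK_VALUES = {"Bad", "Poor", "Fair", "Good", "Excellent"}

# Constructed sample data. The response shape (a JSON array of supplier
# objects) is an assumption; the field names come from the Data Map table.
SAMPLE_SUPPLIERS = json.loads("""[
  {"id": "c-001", "name": "Acme Corp", "risk": "Good"},
  {"id": "c-002", "name": "globex  inc.", "risk": "Poor"},
  {"id": "c-003", "name": "Initech", "risk": "Unknown"},
  {"id": "c-004", "name": "Umbrella LLC", "risk": "Fair"}
]""")
SAMPLE_ARCHER_NAMES = ["Acme Corp", "Globex Inc", "Initech", "Initech", "Hooli"]


def normalize(name):
    """Fold case, collapse whitespace and drop trailing punctuation."""
    return re.sub(r"\s+", " ", name).strip().rstrip(".,").casefold()


def reconcile(suppliers, archer_names):
    """Classify each Panorays supplier against Archer "Third Party Name" values."""
    exact = set(archer_names)
    by_norm = {}
    for n in archer_names:
        by_norm.setdefault(normalize(n), n)
    report = {"matched": [], "near_miss": [], "unmatched": [], "bad_risk": []}
    for s in suppliers:
        name = s.get("name", "")
        if name in exact:
            report["matched"].append(name)
        elif normalize(name) in by_norm:
            # Same supplier to a reader, but not an exact string match on the key.
            report["near_miss"].append((name, by_norm[normalize(name)]))
        else:
            report["unmatched"].append(name)
        if s.get("risk") not in RISK_VALUES:
            report["bad_risk"].append((name, s.get("risk")))
    # Duplicate key values in Archer: review these before running the feed.
    report["archer_duplicates"] = sorted(
        n for n, c in Counter(archer_names).items() if c > 1)
    return report


if __name__ == "__main__":
    print(json.dumps(reconcile(SAMPLE_SUPPLIERS, SAMPLE_ARCHER_NAMES), indent=2))
```

Entries under near_miss and unmatched are the ones to correct in Archer or Panorays before enabling record creation in the Update/Archive tab.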