Summary
The Whistic Profile provides valuable insights into a vendor's security posture for customers. However, locating specific control-related information may still be time-consuming, as customers need to carefully review the profile's information and documentation to find the most relevant details.
What is the Whistic Assurance Center?
The Whistic Assurance Center is a structured compilation of information from a Whistic Profile, organized following the Whistic Control Framework. Its purpose is to assist Profile recipients in efficiently locating pertinent information, facilitating quick responses to inquiries, and potentially eliminating the necessity of filling out an extra questionnaire.
NOTE: The Whistic Assurance Center is a feature of the Whistic Profile, which is currently exclusive to paid subscription Profiles and not available for snapshot or unpaid Profiles. Profile owners can choose to include the Assurance Center in their Profile and manage its visibility.
The Assurance Center has three layers:
- Domains
- Subdomains
- Controls
- Domains are the highest level and can have one or multiple subdomains. They represent a broader category that defines the type of subdomains or topics included within the domain. The number of subdomains that can be viewed is indicated by a number next to the domain name in each row. To see the subdomains within a domain, the user needs to click on the respective domain row.
- Subdomains are the second layer, and each one represents a single control. Users can view the compliance status of each subdomain by looking at the dot to the left of the subdomain name.
- Controls are the third layer and are displayed in a right-hand sidebar. To view a control, click on a subdomain and the right-hand sidebar will appear with the control within. There is a one-to-one relationship between subdomains and controls.
Control Sidebar
When a subdomain is clicked, a right-hand sidebar will appear with the following information:
- Name of the Control;
- Description of the Control;
- Compliance Status.
The name of the control and the description of the control will appear at the top of the sidebar above the compliance status.
Compliance
The compliance status will display the status of compliance as selected by the Profile owner.
There are four compliance status types:
- Compliant: dot is displayed in green;
- Not Compliant: dot is displayed in red;
- Not Applicable: dot is displayed in gray;
- No Dot: the profile owner has not selected a compliance status.
Evidence
Below the compliance status, the Evidence will be displayed. The evidence will contain the information added by the Profile owner to give additional detail and context for this control.
Evidence can be comprised of any of the following:
- Additional Documentation Links: If the profile owner chooses to show a questionnaire answer in the Evidence section, they might also choose to display links to additional documentation that is attached to the same questionnaire as the displayed answer.
- Comments: Comments are additional information that the Profile owner has manually added to give more detail.
- Hyperlinks: The Profile owner can also include hyperlinks to additional documentation or information within the Comment section.
You can remove evidence by first clicking the 'Edit' button at the top of your Whistic profile.
Next, you will uncheck the checkbox next to 'Source' if you want to remove a piece of evidence from the Assurance Center.
You can hit 'Done' at the top when you're all finished.
Steps
How to Set Up the Assurance Center
To establish the Assurance Center for a specific Whistic Profile, the user needs to have the role of Whistic Administrator and the Profile must be a paid subscription. The Assurance Center feature is not accessible for unpaid or snapshot Profiles.
To configure the Assurance Center, go to the Whistic Profile you want to set it up for and select Edit Profile in the upper right. By default, the Assurance Center is turned off, indicated by the toggle switch on the right side.
Click the arrow next to the on/off toggle to expand the Assurance Center and view all the available domains and subdomains.
Visibility Toggles
You can control which sections of the Assurance Center are visible, enabling you to display only the information you want to see. The following describes how the different toggles work.
Assurance Center Top Level Toggle
Located at the top of the Assurance Center, this toggle controls whether the Assurance Center appears on your profile at all. It is set to “OFF” by default.
Domain Toggles
You can manage which domains are displayed on your profile. To be visible, a domain must have at least one subdomain enabled, and that subdomain must have a compliance status, comment, or questionnaire answer added and its toggle switched to the ON position.
Each domain has its own toggle. Turning a domain toggle off also hides all subdomains within that domain from your Profile.
Subdomains
You can choose which subdomains are displayed on your profile. To make a subdomain visible, it needs to have at least one of the following: compliance status, comment, or questionnaire answer added, and the toggle must be switched to the ON position.
To prevent a subdomain from showing on your profile, you can add compliance status and evidence to it and toggle it off. This way, you can edit and update the evidence and compliance status without them being immediately visible.
Control Sidebar
In the Control Sidebar you can select a compliance status for the selected Control from the dropdown menu.
Comments and Hyperlinks
If you cannot find a suitable response from a standard questionnaire to support a specific control, you can provide extra details in the Comments section.
- Check the box next to the Comment to include the Comment information in Evidence.
- You can also include hyperlinks to additional information in the comment section.
FAQ
- Why isn't this feature enabled or showing on my profile?
  There could be a few reasons:
  - Your company or user may not have the proper permissions.
  - The profile type may be snapshot, etc.
  - (Rare) You may have an IT restriction on your side that blocks this Whistic feature (e.g. proxy tool Zscaler). Please review your IT whitelists and blacklists.