
Knowledge Base
User Management - Auditors
What are the user roles in the audit function, and how to add a new auditor?
The auditor role is managed by the dedicated audit function provided by internal audit departments or external consulting companies.
The auditor's role is limited to viewing the assessment reports submitted by their clients. It is the only role permitted to finalise an assessment or to change a response submitted by the client and/or their associated third-party suppliers when the auditor is not satisfied with the supporting artefacts.
The audit team can be managed by a dedicated lead auditor assigned by the Secure Forte team.
There are two roles within the audit function:
Lead Auditor: The lead consultant/auditor is the key representative of the internal or external audit function. When a customer/supplier submits an assessment, the platform communicates the evaluation results to the dedicated lead auditor/consultant. The lead can access the Auditors Control Panel, add or remove auditors, and assign them to different clients. The lead can also supervise the audit/consulting engagement.
Auditor: This role is for the auditor/consultant, who can view the assessment results and verify the evidence relevant to the assessment outcome. This role is the only entity authorised to change a customer response.
The Lead Auditor role can only be assigned by the Secure Forte team.
To add a new auditor, the dedicated lead auditor should:
1) Log in to the Secure Forte portal, click the Auditors Control Panel, and then click the Add Auditors button.
2) Once the auditor is added, open the Auditor Panel and click the engagement you want to assign to the auditor.
3) In the Update Auditor box, select the auditor and click the Confirm button.
Risk Dashboard
What is the Risk dashboard, and how is the risk calculated?
The Risk dashboard provides a proactive and risk-based view of the current state of Information Security and Data Privacy controls.
The risk is derived from three closely correlated components identified in the Secure Forte platform: the primary asset, the threat profile, and control capability:
1) Primary Asset: These are primary assets identified and purchased by the organisation. A primary asset is an asset that is essential to a business's core operations. These assets are typically used to generate revenue and are crucial for the entity's functioning and success. A primary asset could be a technology, a critical function, or a subsidiary of the organisation.
2) Threat Profile: The threat profile results from a comprehensive analysis conducted by the Secure Forte platform to identify and evaluate the various threats an organisation might face. This profile helps the organisation understand the potential risks and vulnerabilities specific to it, enabling better preparation and defence strategies. The threat profile is calculated from the organisational context identified on the Business Profile page and the platform's threat intelligence sources.
3) Control Capability: In the context of the Capability Maturity Model (CMM), control capability refers to an organisation's ability to manage and control its processes effectively. This involves ensuring that processes are performed consistently, documented, monitored, and measured. The CMM framework provides a structured approach to process improvement and defines several levels of capability:
0 - Non-Existent: There is no evidence of this standard or practice in the organisation.
1 - Initial: The organisation has an ad-hoc and inconsistent approach to this standard or practice.
2 - Repeatable: The organisation has a consistent overall approach, but it is mostly undocumented.
3 - Defined: The standard or practice has been documented and communicated through training, but there are areas where the required detail is lacking, not enforced, or not actively supported by Senior Management.
4 - Managed: The organisation measures its compliance and improves processes regularly.
5 - Optimised: Proactive process improvement is implemented through effective leadership, change management, continual improvement, and feedback.
The risk calculation also takes into account the organisation's Information Security Risk matrix, which should be entered into the platform by Secure Forte's support team.
The sources of risk include:
Regular audits/assessments that are conducted by Secure Forte’s independent assessors against the organisation and its primary assets.
Threat intelligence findings using Secure Forte’s Open Source Threat Intelligence (OSINT) feeds.
Supply chain risk findings.
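The following is an added illustration of how the three components above (primary asset, threat profile, control capability) can be combined into a ranked risk view. It is not Secure Forte's own algorithm: the page does not publish the scoring formula, so the per-level likelihood reduction, the weights and the risk-matrix bands below are assumptions chosen for the example; only the CMM level names are taken from the page.

```python
"""Illustrative risk scoring from asset impact, threat likelihood and CMM
control capability. Added example; the formula and bands are assumptions,
not Secure Forte's published method."""
from dataclasses import dataclass

# CMM control-capability levels as listed on the page (level -> name).
CMM_LEVELS = {
    0: "Non-Existent", 1: "Initial", 2: "Repeatable",
    3: "Defined", 4: "Managed", 5: "Optimised",
}

# Assumption: each CMM level reduces the inherent likelihood by this fraction,
# so a level-5 (Optimised) control leaves 25% of the inherent likelihood.
LIKELIHOOD_REDUCTION_PER_LEVEL = 0.15

# Assumption: bands of a 5x5 impact x likelihood matrix (scores 1..25). In the
# platform this matrix would come from the organisation's own risk matrix.
RISK_BANDS = [(15.0, "High"), (8.0, "Medium"), (0.0, "Low")]


@dataclass(frozen=True)
class PrimaryAsset:
    name: str
    impact: int        # business impact if compromised, 1 (low) .. 5 (severe)


@dataclass(frozen=True)
class ThreatProfile:
    likelihood: int    # inherent likelihood, 1 (rare) .. 5 (almost certain)


@dataclass(frozen=True)
class ControlCapability:
    cmm_level: int     # 0..5, as defined in CMM_LEVELS


def validate(asset: PrimaryAsset, threat: ThreatProfile,
             control: ControlCapability) -> None:
    """Reject out-of-range inputs instead of silently producing a score."""
    if not 1 <= asset.impact <= 5:
        raise ValueError(f"impact must be 1..5, got {asset.impact}")
    if not 1 <= threat.likelihood <= 5:
        raise ValueError(f"likelihood must be 1..5, got {threat.likelihood}")
    if control.cmm_level not in CMM_LEVELS:
        raise ValueError(f"cmm_level must be 0..5, got {control.cmm_level}")


def residual_likelihood(threat: ThreatProfile,
                        control: ControlCapability) -> float:
    """Inherent likelihood scaled down by how mature the control is."""
    factor = 1.0 - LIKELIHOOD_REDUCTION_PER_LEVEL * control.cmm_level
    return threat.likelihood * factor


def risk_score(asset: PrimaryAsset, threat: ThreatProfile,
               control: ControlCapability) -> float:
    """Residual risk = impact x residual likelihood, rounded to 2 dp."""
    validate(asset, threat, control)
    return round(asset.impact * residual_likelihood(threat, control), 2)


def risk_band(score: float) -> str:
    """Map a score onto the assumed matrix bands."""
    for threshold, band in RISK_BANDS:
        if score >= threshold:
            return band
    return "Low"


def rank_assets(entries):
    """entries: iterable of (PrimaryAsset, ThreatProfile, ControlCapability).
    Returns [(asset name, CMM level name, score, band)] ordered high to low."""
    rows = []
    for asset, threat, control in entries:
        score = risk_score(asset, threat, control)
        rows.append((asset.name, CMM_LEVELS[control.cmm_level],
                     score, risk_band(score)))
    return sorted(rows, key=lambda r: r[2], reverse=True)


# Constructed sample register (illustrative values, not real assets).
SAMPLE_REGISTER = [
    (PrimaryAsset("Customer billing platform", impact=5),
     ThreatProfile(likelihood=4), ControlCapability(cmm_level=1)),
    (PrimaryAsset("Internal wiki", impact=3),
     ThreatProfile(likelihood=3), ControlCapability(cmm_level=4)),
    (PrimaryAsset("Supplier data exchange", impact=4),
     ThreatProfile(likelihood=3), ControlCapability(cmm_level=2)),
]

if __name__ == "__main__":
    for name, level, score, band in rank_assets(SAMPLE_REGISTER):
        print(f"{name:28} {level:12} {score:5.1f}  {band}")
```

Running the script prints the sample register ranked by residual risk, which is the shape of view a risk dashboard presents: the billing platform with an Initial-level control lands in the High band, while the wiki, protected by a Managed-level control, drops to Low despite a similar inherent likelihood.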
Vendor Risk Management - Clients
How to add, modify, or delete a supplier?
Adding a Supplier
To add a new supplier, please browse to the Vendor Risk Management page and click the Add Supplier button.
The Supplier Profile page captures the fundamental information you should provide when adding a new supplier. As an intelligent and data-driven platform, the solution uses the information on the Supplier Profile page to determine the supplier's criticality.
The Supplier Profile page includes the following fields:
Supplier Name.
Industry.
Onboarding Date (optional).
Expiry Date (optional).
Contact Name.
Contact Email Address: This contact will be automatically enrolled on the platform. Once logged in to the Secure Forte platform, the contact can add other members of their team to respond to the assessment questionnaires communicated by the platform.
Contact Phone Number.
Public Domain (optional): The platform's threat intelligence feeds use the supplier's public domain to assess the supplier's external attack exposure and potential dark web findings.
Supplier’s Contract.
Data Access (categories of data that the supplier accesses).
Connected Primary Assets: These are your company’s Primary Assets accessed or affected by the supplier.
Should the audit function review the evidence of control implementation? We recommend answering "Yes" to this question when assessing risks associated with high-impact suppliers.
How easy is it to replace the supplier?
Additional Comments (optional).
After you click the Submit button, a statement reflecting the supplier's exposure tier will appear. The platform preselects the exposure tier automatically from the data entered in the Supplier Profile form; however, the user can change the exposure tier manually.
Click the Submit button again, and the supplier will be added to the platform.
Deleting a Supplier
To delete a supplier, find the supplier you want to delete on the Vendor Risk Management page and click the "X" button next to its name.
Modifying a Supplier
To modify a supplier, find the supplier whose details you want to modify on the Vendor Risk Management page and click the pen symbol button next to its name.