ZCSPM enables organizations to monitor their cloud security posture with more than 2500 security policies. The risk dashboard (Dashboard > Risk) provides insight into your organization's risk posture. ZCSPM uses the ISO 27005 framework to prioritize risk levels based on impact and likelihood. All violated security policies are separated into high, moderate, or low risk enabling you to focus on solving high risk misconfigurations first.

ZCSPM determines your organization's risk posture based on the following two parameters:

• Risk Impact: ZCSPM determines the risk impact for every security policy based on common reasons of past security breaches and cloud security best practices provided by cloud service providers. Risk impact can take any of the following values:
  • Very Low
  • Low
  • Moderate
  • High
  • Critical
• Risk Likelihood: ZCSPM determines risk likelihood based on the percentage of cloud assets which are failing a certain security policy, the security policy status, and the risk impact. Risk likelihood can take any of the following values:
  • Not Likely
  • Low
  • Moderate
  • High
  • Certain

Undetermined security policies are policies for which ZCSPM cannot collect configuration metadata.

About the Risk Dashboard Page

The risk dashboard contains the following widgets that present data in interactive charts, so you can instantly jump from a chart to a benchmark such as CSBP for more details:

1. Risk Assessed based on CSBP controls shows the total risk controls and number of risk controls across the following:
   • High Risk Controls

     High risk controls are security policies which have the following risk impact and risk likelihood.

     Risk Likelihood	Risk Impact
     Certain	Moderate, High, Critical
     High	High, Critical
     Moderate	Critical

     Close
   • Moderate Risk Controls

     Moderate risk controls are security policies which have the following risk impact and risk likelihood.

     Risk Likelihood	Risk Impact
     Certain	Very Low, Low
     High	Very Low, Low, Moderate
     Moderate	Low, Moderate, High
     Low	Moderate, High, Critical
     Not Likely	High, Critical

     Close
   • Low Risk Controls

     Low risk controls are security policies which have the following risk impact and risk likelihood.

     Risk Likelihood	Risk Impact
     Moderate	Very Low
     Low	Very Low, Low
     Not Likely	Very Low, Low, Moderate

     Close
   You can also view the percentage of change in risk controls from the ZCSPM's last configuration metadata scan. If you'd like to be notified when ZCSPM detects a drift in your organization's risk posture, see Creating Drift Notifications.
2. Policy Risk Matrix is based on the ISO 27005 standard which displays the number of security policies and their risk level with color by plotting a matrix of risk likelihood and risk impact. High risk policies are red, moderate risk policies are amber, and low risk policies are yellow. You can click on any field in the matrix. ZCSPM will then redirect you to the Cloud Security Best Practices page where you can view the security policy details pertaining to that risk.

You can view the policy risk matrix for all accounts, but cannot click the fields to view the security policy details.

3. Risk Categorization is based on the NIST CSF v1.1 standard which displays the percentage of security policies over high, moderate, and low risk levels for specified categories.
4. Risk Level Trend shows the percentage change of high, moderate, and low risk security policies over a week.