Enterprises often rely on one or more vendors for their information security needs. Information security can include preventing unauthorized access, use, disclosure, disruption, modification, inspection, recording, and/or destruction of data (e.g., user data, customer data, business data). Information security can include identification of assets (e.g., data sources), threats, vulnerabilities, impacts, and possible controls, followed by assessment of the effectiveness of data security measures. However, this information often lies with the vendors that provide data security services, leaving enterprises with only a partial picture of data security operations, and effectiveness. In some instances, enterprises may have insight into data security operations, but have no effective channel for externally leveraging this information.