Maintaining a risk register and conducting periodic risk assessments are a CRITICAL REQUIREMENT of all compliance certifications. Periodic risk assessment, with risk mitigation through mapping of appropriate controls and policies, also demonstrates your business's advanced cybersecurity maturity.
TABLE OF CONTENTS
- Create a Risk
- Import From Master List (Optional)
- Upload from File
Create a Risk
1. Go to Risks > Risk Register.
2. Click on Add Risk and enter the details for the Risk.
- Name - Provide an appropriate name to help identify the Risk.
- Business Impact - The consequences that can arise if the risk is not mitigated.
- Status - Choose from the following values:
  - Accepted - The risk applies to the business and needs appropriate controls and policies to address it.
  - Mitigated - The risk applies to the business but has been mitigated with existing controls and policies.
  - Closed - The risk does not apply to the business.
  - Transferred - The risk applies to the business, but the enforcement of controls and policies has been transferred to a third party.
- Owner - Identify the owner responsible for mitigating the risk.
- Impact Area - Select the appropriate impact area.
- Vulnerabilities, Threats, and Security Controls - Use the search functionality to link available vulnerabilities, threats, and security controls to the risk.
- Likelihood - The possibility of the risk impacting the business. Possible values for likelihood are Rare, Unlikely, Possible, Likely, and Certain.
- Impact Score - Signifies the potential effect the risk has on the business, should it occur. Possible values for impact score are Negligible, Marginal, Significant, Critical, and Catastrophic.
3. Click Save.
Import From Master List (Optional)
1. Go to Risks > Add Risks > From Library.
2. Click on Import from Master.
3. Use Select All to choose every risk available for import, or select only the risks that apply to your business, and then click Import.
Upload from File
1. Go to Risks > Add Risks > From File.
2. Upload a CSV file that contains the risk information.
3. Click Next.
4. Map the column header names to the appropriate risk attributes and click Next.
5. Click on Start Import.
6. Review the imported risks on the Risk Register page.
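Before uploading, it helps to check that every row of the CSV uses only the Status, Likelihood, and Impact Score values listed under Create a Risk, since a value that does not match the expected attribute values cannot be mapped. The script below is an added example and not part of this product's own tooling: it validates a risk-register CSV against those enumerations and derives a simple rating from Likelihood and Impact Score. The set of required columns, the 5x5 rank-product rating matrix, and the sample rows are all assumptions made for the example.

```python
import csv
import io

# Enumerations exactly as listed in the Create a Risk section.
STATUSES = {"Accepted", "Mitigated", "Closed", "Transferred"}
LIKELIHOODS = ["Rare", "Unlikely", "Possible", "Likely", "Certain"]
IMPACTS = ["Negligible", "Marginal", "Significant", "Critical", "Catastrophic"]
# Assumed set of columns that must be present and non-empty (not product-defined).
REQUIRED = ["Name", "Business Impact", "Status", "Owner",
            "Impact Area", "Likelihood", "Impact Score"]

def validate_row(row, line_no):
    """Return a list of problems for one CSV row; an empty list means the row is valid."""
    problems = []
    for col in REQUIRED:
        if not (row.get(col) or "").strip():
            problems.append(f"line {line_no}: missing {col}")
    checks = [("Status", STATUSES), ("Likelihood", LIKELIHOODS), ("Impact Score", IMPACTS)]
    for col, allowed in checks:
        value = row.get(col)
        if value and value not in allowed:
            problems.append(f"line {line_no}: unknown {col} {value!r}")
    return problems

def risk_rating(likelihood, impact):
    """Assumed 5x5 matrix: product of the 1-based ranks, bucketed into Low/Medium/High."""
    score = (LIKELIHOODS.index(likelihood) + 1) * (IMPACTS.index(impact) + 1)
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"

def validate_csv(text):
    """Validate CSV text; return (problems, {risk name: rating}) for the valid rows."""
    reader = csv.DictReader(io.StringIO(text))
    problems, ratings = [], {}
    for line_no, row in enumerate(reader, start=2):  # line 1 is the header
        errors = validate_row(row, line_no)
        problems.extend(errors)
        if not errors:
            ratings[row["Name"]] = risk_rating(row["Likelihood"], row["Impact Score"])
    return problems, ratings

# Constructed sample input; the last row deliberately violates several rules.
SAMPLE_CSV = """Name,Business Impact,Status,Owner,Impact Area,Likelihood,Impact Score
Unpatched VPN appliance,Remote compromise of the network,Accepted,IT Ops,Network,Likely,Critical
Lost laptop,Exposure of customer data,Mitigated,Security,Data,Possible,Significant
Office flood,Loss of on-site equipment,Transferred,Facilities,Physical,Rare,Marginal
Bad row,,Pending,,Data,Sometimes,Huge
"""
```

Run `validate_csv(SAMPLE_CSV)` to get the list of problems (all on line 5 of the sample) and the ratings for the three well-formed rows.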
Vulnerabilities are unaddressed weaknesses that leave an IT system, physical office location, or software system susceptible to attack. Identifying and fixing vulnerabilities is an important part of risk management for any business.
Create a Vulnerability
1. Go to Risks > Vulnerabilities.
2. Click on Create.
3. Provide the appropriate details to create a Vulnerability.
- Name - Provide a suitable name for the vulnerability.
- Status - Choose from the following values:
  - Applicable - The vulnerability is applicable to the business.
  - Not-Applicable - The vulnerability is not applicable to the business.
  - Draft - The vulnerability is still being defined.
- Description - Provide an appropriate description of the vulnerability.
- Risk - Search for and link the risk to the vulnerability.
4. Click Create Vulnerability.
Import Vulnerabilities From Master List
1. Go to Risks > Vulnerabilities.
2. Click on Vulnerabilities and then click on Create.
3. Enable the Vulnerabilities that apply to the business.
4. Go back to the Vulnerabilities page to review them.
According to SP800-160, a threat is "an event or condition that has the potential for causing asset loss and the undesirable consequences or impact from such loss."
Create a Threat
1. Go to Risks > Threats.
2. Click on Create Threat and enter the appropriate details.
- Threat name - Provide a suitable name for the threat.
- Status - Choose from the following values:
  - Applicable - The threat is applicable to the business.
  - Not-Applicable - The threat is not applicable to the business.
  - Draft - The threat is still being defined.
- Threat Source - According to NIST.SP.800-128, a threat source is a method targeted at the intentional exploitation of a vulnerability, or a situation and method that may accidentally trigger a vulnerability. Synonymous with threat agent.
- Risk - Search for and link a Risk to the threat.
3. Go back to the Threats page to review it.
Create a Category
1. Go to Risks > Categories.
2. Click on Create and enter the appropriate details.
- Category name - Provide a suitable name for the category.
- Status - Choose from the following values:
  - Applicable - The category is applicable to the business.
  - Not-Applicable - The category is not applicable to the business.
  - Draft - The category is still being defined.
- Risk - Search for and link a Risk to the category.
3. Go back to the Categories page to review it.
Assets
1. Go to Risks > Assets.
A sample data file is available for download.