Risk
The Real-Time Risk Module assists an Organization in continuously evaluating its Inherent and Residual Risks using both Qualitative and Quantitative analysis.
Information Systems — An Information System is an application, process, or physical device that interacts with secure information. E.g. “Email Server”.
- Create a Blank Information System — Start by building out an Information System from scratch
- Create an Information System from Template — Use a Pre-Built Template for common Information Systems
- Create Information Systems from CSV File — Import Information Systems with existing data using a CSV file
- Assign a Point of Contact to an Information System — Information Systems may be assigned System Owners and System Admins.
- Set Availability Rating for a System — The Upper and Lower Availability ratings are used for determining the potential Impact of an Information System
Risk Controls — Risk Controls represent something that an Organization does to reduce the likelihood of a Risk occurring.
- Risk Control Strength and Implementation Ratings — Risk Sub-Controls each have a Strength Rating and an Implementation Rating. Both contribute to the overall effectiveness of a Risk Control Category.
  - Strength Rating - Maximum percentage by which a Control will reduce the likelihood of a risk occurring
  - Implementation Rating - Percentage representing how well a Control is implemented across the whole Organization
  The total effectiveness is equal to the Strength Rating multiplied by the Implementation Rating: Effectiveness = Strength * Implementation. Each Rating can be edited on Risk Sub-Controls, which will in turn affect a Category’s total effectiveness. This can be seen in the details of each Category.
- Risk Sub-Controls — Risk Sub-Controls are the individual measures taken to address a negative scenario that puts an Organization at Risk. They are critical in assessing the risk of an Information System. e.g. A network firewall is in place. Each Sub-Control has an Implementation and Strength Rating to rate its effectiveness. Risk Sub-Controls can be linked to Evidence compliance or outsourced to a Vendor Sub-Control. Updates to those resources automatically update the Risk Sub-Control.
- Set a System Sub-Control to "Non-Standard" — The Implementation Rating of a Non-Standard Risk Control is calculated separately from the Organization-level Risk Controls and carries its own Cost that factors into the Return on Investment calculations.
- Risk Control Categories — A Risk Control Category is a grouping of similar Risk Sub-Controls that address a Key Risk Indicator. e.g. Granting access based on least privilege and requiring password complexity both address the Key Risk Indicator “Unauthorized Application Access”. A user cannot directly create a Risk Control Category the same way they would create a Sub-Control; Categories are created automatically when a new Key Risk Indicator is made. To Create a Key Risk Indicator
- Create a Risk Sub-Control — A user can create a Sub-Control within a Risk Control Category.
- Link an Evidence to a Risk Sub-Control — A User can attach an Evidence to a Risk Sub-Control to use in the Implementation Rating. The Implementation Rating is updated automatically based on the Evidence’s status. Each attached Evidence is weighted evenly along with linked Vendor Controls. e.g. Two in-place Evidences, one in-place and audited Vendor Control, and one Expired Evidence result in a 75% Implementation Rating.
- Link a Vendor Control to a Risk Sub-Control — A User can link a Vendor Control and Risk Sub-Control. When the Vendor Control is set to in place and audited in a Vendor Review, it increases the Implementation rating of the linked Risk Sub-Control. The controls can be linked through the Risk module and the Vendor module.
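The two calculations described above (Effectiveness = Strength * Implementation, and the evenly weighted Implementation Rating derived from linked Evidences and Vendor Controls) as an added worked example; this is illustrative code, not the module's own implementation. The `LinkedItem` type, the sample link names and the choice to return `None` for a Sub-Control with no links (so the rating can be edited by hand) are assumptions of this example; how a Category aggregates its Sub-Controls is not stated on this page and is not modelled.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class LinkedItem:
    """An Evidence or Vendor Control linked to a Risk Sub-Control (hypothetical type)."""
    name: str
    kind: str        # "evidence" or "vendor_control"
    in_place: bool   # Evidence: in place (not expired); Vendor Control: in place AND audited


def implementation_rating(links: List[LinkedItem]) -> Optional[float]:
    """Implementation Rating (percent) of a Sub-Control from its linked items.

    Every linked Evidence and Vendor Control carries equal weight; only items
    that are in place count. Returns None when nothing is linked, leaving the
    rating to be edited manually (assumption, not stated on the page).
    """
    if not links:
        return None
    in_place = sum(1 for item in links if item.in_place)
    return 100.0 * in_place / len(links)


def effectiveness(strength_pct: float, implementation_pct: float) -> float:
    """Effectiveness = Strength * Implementation, with both ratings as percentages."""
    for value in (strength_pct, implementation_pct):
        if not 0.0 <= value <= 100.0:
            raise ValueError(f"rating out of range 0..100: {value}")
    return strength_pct * implementation_pct / 100.0


# Constructed sample matching the page's example: two in-place Evidences,
# one in-place and audited Vendor Control, one Expired Evidence -> 75%.
SAMPLE_LINKS = [
    LinkedItem("Firewall config export Q1", "evidence", in_place=True),
    LinkedItem("Firewall config export Q2", "evidence", in_place=True),
    LinkedItem("MSP perimeter firewall control", "vendor_control", in_place=True),
    LinkedItem("Firewall rule review (expired)", "evidence", in_place=False),
]


def worked_example() -> dict:
    """Rating and effectiveness for the sample Sub-Control with an 80% Strength Rating."""
    impl = implementation_rating(SAMPLE_LINKS)
    return {"implementation": impl, "effectiveness": effectiveness(80.0, impl)}


if __name__ == "__main__":
    print(worked_example())
```

Renewing the expired Evidence would raise the Implementation Rating to 100% and the Effectiveness to the full 80% Strength Rating, which is the lever the Evidence and Vendor Review links are meant to drive.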