www.riesgoriskmanagement.com
[email protected]

Risk assessment and risk treatment

Contents
Introduction
Process overview
Risk assessment initiation: project submission & initial survey
The project registration form
The submitted project registration form
Project register
The risk assessment
Project risk identification
Information Asset risk assessment
Business impact assessment
Risk assessment of assets
Risk management dashboards

Introduction
This document describes how the www.riesgoriskmanagement.com ISO27001 compliance tool, via its risk management function, handles risk assessment and risk treatment. The following assumptions are made:
1. There is an information security/compliance team in place.
2. There are business processes in place with the project teams and business units to submit projects and business changes as and when they occur.
3. There is a Risk Assurance forum in place to handle risks raised by the organisation on a periodic basis.
4. There is a minimum security policy in place to which all projects and business changes have to adhere.

Process overview
The diagram below depicts the process by which projects are submitted and assessed and have their risks mitigated, as well as the risk management and assurance.

Risk assessment initiation: project submission & initial survey
The initial stage of risk assessment begins with project teams or business units submitting projects or business changes for assessment. For the sake of simplicity, we provide web-based forms where project managers and business units can submit their projects or change requests.
In order not to overwhelm the system, we have a project survey; this form is completed by the project team or business unit and provides all the relevant information about the project. The initial survey is designed with a rating system: depending on the selected entities, the project may score low or high.
Low-scoring projects tend to be projects that either do not impact significant areas (e.g. credit cards or confidential data) or that, even though they impact significant areas, have adopted the correct minimum level for compliance.
In either case, the project is submitted to the information security team for review.
The picture below shows the function that allows the team leader to allocate a project to a team of consultants.

The project registration form
The form will be made available on your intranet so that all business units, regardless of their geographical location, can access the form and complete the project registration.

The submitted project registration form
Once completed, the project results are displayed to the project team and an alert is sent to the information security/compliance team with an indication of the result.
The survey score indicates that the project has scored low.
The fields can be changed to accommodate the specific requirements of your organisation, and the risk ratings can be changed to reflect your risk appetite. The risk score can be high, medium or low.
All projects submitted can be viewed by the information security/compliance team, who can decide which of the projects they wish to assess further. Traditionally, only medium- and high-risk projects are further assessed.
If the information security/compliance team has several members that share work, we have the functionality for a team leader role who will deal with allocating projects to team members.
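The survey triage described above (a weighted survey that bands a project low, medium or high, an alert to the compliance team, and a team leader allocating projects that need further assessment), as an added worked example in Python. This is illustrative code, not the vendor's tool: the page does not publish its scoring formula, so the area weights, the credit for adopting the minimum security policy, the low/medium/high thresholds and the round-robin allocation are all constructed assumptions standing in for an organisation's own configuration and risk appetite.

```python
"""Illustrative project-survey triage (added example; not the vendor's code).

Assumptions not stated on the page: each 'selected entity' on the survey
carries a weight, adopting the minimum security policy lowers the score,
and the low/medium/high bands are configurable thresholds that model the
organisation's risk appetite.
"""
from dataclasses import dataclass
from itertools import cycle

# Constructed weights for the areas a project can tick on the survey form.
AREA_WEIGHTS = {
    "credit_cards": 4,        # payment card data
    "confidential_data": 3,   # personal or commercially sensitive data
    "internet_facing": 2,
    "third_party_access": 2,
    "internal_only": 0,
}
MIN_POLICY_CREDIT = 3  # score reduction when the minimum security policy is adopted

# Constructed bands: score <= low -> "low", <= medium -> "medium", else "high".
DEFAULT_BANDS = {"low": 2, "medium": 5}


@dataclass
class SurveySubmission:
    project: str
    business_unit: str
    selected_areas: list
    adopts_minimum_policy: bool


def survey_score(sub, weights=AREA_WEIGHTS):
    """Sum the weights of the selected areas, less the policy credit."""
    raw = sum(weights.get(area, 0) for area in sub.selected_areas)
    if sub.adopts_minimum_policy:
        raw = max(0, raw - MIN_POLICY_CREDIT)
    return raw


def rating(score, bands=DEFAULT_BANDS):
    """Map a score onto the high/medium/low rating the page describes."""
    if score <= bands["low"]:
        return "low"
    if score <= bands["medium"]:
        return "medium"
    return "high"


def needs_further_assessment(rating_value):
    # Page: traditionally only medium- and high-risk projects are assessed further.
    return rating_value in ("medium", "high")


class TeamLeader:
    """Allocates projects to consultants; round-robin is an assumption."""

    def __init__(self, consultants):
        self._next = cycle(consultants)

    def allocate(self, sub):
        return next(self._next)


def triage(submissions, leader, bands=DEFAULT_BANDS):
    """Score each submission, build the compliance-team alert, allocate reviews."""
    results = []
    for sub in submissions:
        score = survey_score(sub)
        r = rating(score, bands)
        entry = {
            "project": sub.project,
            "score": score,
            "rating": r,
            "alert": f"{sub.project} ({sub.business_unit}): survey scored {r}",
            "assigned_to": None,
        }
        if needs_further_assessment(r):
            entry["assigned_to"] = leader.allocate(sub)
        results.append(entry)
    return results


# Constructed sample submissions.
SAMPLE_SUBMISSIONS = [
    SurveySubmission("Card tokenisation", "Payments",
                     ["credit_cards", "confidential_data"], adopts_minimum_policy=True),
    SurveySubmission("Intranet poster", "Marketing", ["internal_only"], False),
    SurveySubmission("Partner portal", "Sales",
                     ["credit_cards", "internet_facing", "third_party_access"], False),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_SUBMISSIONS, TeamLeader(["alice", "bob"])):
        print(row["alert"], "->", row["assigned_to"] or "no further assessment")
```

Tightening the bands (for example `{"low": 0, "medium": 3}`) is how a lower risk appetite is expressed: the same tokenisation project that banded medium under the defaults becomes high and is allocated for review on the same run.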
A project with a high rating

Project register
The project register submitted to the information security or compliance team provides the team with details of the project as well as the relevant details for billing and time scale.
The solution provides the team with the flexibility to provide their services to business units in remote locations and maintain the same level of assurance.
Each project will also contain the full documentation set for the project, either on teamrooms or as attachments; the documentation can include the PID, BRS, HLD and/or LLD.

The risk assessment
Once the project has been assigned to a consultant, he or she can pick up the project, review the details and carry out the business impact assessment. This BIA framework can incorporate your current risk management templates.
The project dashboard reveals to the consultant the project details and the FRS survey carried out, and he or she can initiate the business impact assessment.
If the team operates a milestone approval gate system, then the project milestones will also be available to the consultant for approval on due dates.
The reports are also available to the project team for review and feedback.
The diagram below describes how the consultant can add a new BIA as well as add stakeholders.

Project risk identification
When the consultant goes through the project documentation and holds meetings with the project team to identify the intentions and proposals of the project, the tool provides the option to register the risks identified in the project.
Each risk records the business impact, the likelihood of occurrence and the residual risk associated with it. The risk is stored in the project risk register and reviewed periodically at each project milestone.
The project register will be available to the project and information security/compliance teams to review and mitigate. As each mitigation is addressed and approved, the risk register is updated to ensure there are no stagnant risks.

Information Asset risk assessment
Each information asset is registered per business unit or organisation. The business unit can upload its assets and carry out its risk assessment based on Confidentiality, Integrity and Availability (CIA) using the standard risk matrix, which calculates the business impact assessment by defining the business risk, likelihood of occurrence and residual risk.
The picture below shows how an information security/compliance team can view all the information assets from each business unit. When each business unit logs on, it will only be able to see its own assets, whilst the information security/compliance team can see the entire organisation.
Once the information asset has been completed by the business unit, the information security/compliance team can review the information added and adjust it accordingly, or produce baseline policies for dealing with specific data, for example fraud, confidential or business-sensitive assets.
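The two register mechanics described above, the project risk register (business impact, likelihood, residual risk, review at each milestone so no risk goes stagnant) and the per-business-unit information asset assessment on CIA ratings with restricted visibility, as one added worked example in Python. It is illustrative code, not the vendor's tool: the page names a "standard risk matrix" but gives no numbers, so the 5x5 scale, score = impact x likelihood, the low/medium/high bands, taking the asset's impact as the highest of its C, I and A ratings, and recomputing residual risk only from approved mitigations are all constructed assumptions.

```python
"""Illustrative risk register and CIA asset assessment (added example; not the
vendor's code). Scale, bands and the residual-risk rule are assumptions."""
from dataclasses import dataclass, field
from datetime import date

SCALE = range(1, 6)  # 1 = negligible/rare ... 5 = severe/almost certain


def risk_score(impact, likelihood):
    """Assumed standard matrix: score = impact x likelihood on a 5x5 grid."""
    if impact not in SCALE or likelihood not in SCALE:
        raise ValueError("impact and likelihood must be in 1..5")
    return impact * likelihood


def risk_band(score):
    # Constructed bands for a matrix whose maximum score is 25.
    if score <= 4:
        return "low"
    if score <= 12:
        return "medium"
    return "high"


@dataclass
class Mitigation:
    description: str
    new_impact: int
    new_likelihood: int
    approved: bool = False  # page: register is updated as mitigations are approved


@dataclass
class Risk:
    risk_id: str
    description: str
    impact: int
    likelihood: int
    last_reviewed: date
    mitigations: list = field(default_factory=list)

    def inherent(self):
        return risk_score(self.impact, self.likelihood)

    def residual(self):
        """Residual risk counts only mitigations that have been approved."""
        impact, likelihood = self.impact, self.likelihood
        for m in self.mitigations:
            if m.approved:
                impact = min(impact, m.new_impact)
                likelihood = min(likelihood, m.new_likelihood)
        return risk_score(impact, likelihood)


def stagnant_risks(register, milestone_date):
    """Risks above 'low' residual that nobody reviewed since the last milestone."""
    return [r.risk_id for r in register
            if risk_band(r.residual()) != "low" and r.last_reviewed < milestone_date]


@dataclass
class InformationAsset:
    asset_id: str
    name: str
    business_unit: str
    confidentiality: int
    integrity: int
    availability: int
    likelihood: int
    shared_with: list = field(default_factory=list)

    def business_impact(self):
        # Assumption: impact is driven by the most sensitive CIA rating.
        return max(self.confidentiality, self.integrity, self.availability)

    def risk(self):
        return risk_band(risk_score(self.business_impact(), self.likelihood))


def visible_assets(assets, user_unit, is_compliance=False):
    """A business unit sees only its own assets; the compliance team sees all."""
    if is_compliance:
        return list(assets)
    return [a for a in assets if a.business_unit == user_unit]


# Constructed sample register and asset list.
SAMPLE_REGISTER = [
    Risk("R-001", "Card data exported to spreadsheets", 4, 4, date(2024, 6, 10),
         [Mitigation("Block export, tokenise PAN", 4, 2, approved=True)]),
    Risk("R-002", "Stale intranet poster", 2, 2, date(2024, 1, 5)),
    Risk("R-003", "Partner portal admin shared password", 5, 3, date(2024, 3, 1),
         [Mitigation("Per-user accounts with MFA", 5, 1, approved=False)]),
]
SAMPLE_ASSETS = [
    InformationAsset("A-001", "Payments ledger", "Finance", 5, 4, 3, 3, ["Auditors"]),
    InformationAsset("A-002", "Intranet wiki", "HR", 2, 2, 3, 2),
]

if __name__ == "__main__":
    for r in SAMPLE_REGISTER:
        print(r.risk_id, "inherent", r.inherent(), "residual", r.residual(), risk_band(r.residual()))
    print("stagnant at milestone:", stagnant_risks(SAMPLE_REGISTER, date(2024, 6, 1)))
    print("Finance sees:", [a.asset_id for a in visible_assets(SAMPLE_ASSETS, "Finance")])
```

Note how the unapproved mitigation on R-003 leaves its residual score untouched, so the milestone check still flags it; approving the mitigation is what drops it out of the stagnant list, which is the behaviour the register needs if "no stagnant risks" is to mean anything.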
Business impact assessment
The consultants can initiate their business impact assessment for the project either by uploading their own BIA documents or, if teamrooms are used, by setting up a link to the central document repository.
Once the BIA is uploaded,

Risk assessment of assets
The information asset can be edited to suit its current status. Each asset is given an Asset ID and a detailed description is provided, including data input and output as well as with whom the information asset is being shared.

Risk management dashboards
The tool provides several risk management dashboards depending on the requirements of the organisation:
The project dashboard
Asset list

... dashboard