Risk Assessment And Risk Treatment

• 1. www.riesgoriskmanagement.com [email protected] assessment and risk treatmentwww.riesgoriskmanagement.comContentsIntroduction ............................................................................................................................................ 2Process overview .................................................................................................................................... 2Risk assessment initiation: project submission & initial survey ............................................................. 3The project registration form ................................................................................................................. 4The submitted project registration form ................................................................................................ 5Project register........................................................................................................................................ 7The risk assessment ................................................................................................................................ 8Project risk identification ........................................................................................................................ 9Information Asset risk assessment ....................................................................................................... 10Business impact assessment ................................................................................................................. 11Risk assessment of assets ..................................................................................................................... 12Risk management dashboards .............................................................................................................. 131

2. www.riesgoriskmanagement.com [email protected] document describes how www.riesgoriskmanagement.com ISO27001 compliance tool via itsrisk management function handles risk assessment and risk treatment. The following assumptionsare made:1. There is an Information security/compliance team in place2. There are business processes in place with the Project teams and business units to submit projects and business changes as and when they occur.3. There is a Risk Assurance forum in place to handle risks raised by the organisation on a periodic basis.4. There is a minimum security policy in place in which all projects, business changes have to adhere to.Process overviewThe diagram below depicts the process by which projects are submitted and assessed, have theirrisks mitigated as well as the risk management and assurance.2 3. www.riesgoriskmanagement.com [email protected] assessment initiation: project submission & initial surveyThe initial stage of risk assessment begins with project teams or business units submitting projects orbusiness changes for assessment. For the sake simplicity, we provide a web based forms whereproject managers, business units can submit their projects or change requests.In order not to overwhelm the system, we have a project survey; this form completed by the projectteam or business unit and provides all the relevant information about the project. The initial surveyis designed with rating system, depending on the selected entities, the project may score low orhigh.Low projects tend to be projects that either does not impact significant areas i.e. credit cards orconfidential data or indicative a project that even though it impacts significant areas has adopted thecorrect minimum level for compliance.In either case, the project is submitted to the information security team for review.The picture below shows the function the team leader to allocate project to a team of consultants.3 4. www.riesgoriskmanagement.com [email protected] project registration formThe form will be made available on your intranet to allow all business units regardless of theirgeographical location to be able to access the form and complete the project registration.4 5. www.riesgoriskmanagement.com [email protected] submitted project registration formOnce completed, the project results are displayed to the project team and an alert is sent to theinformation security/compliance team with an indication of the result.The Survey score indicates that the project has scored low.The fields can be changed to accommodate the specific requirements of your organisation and therisk ratings can be changed to also reflect to your risk appetite. The risk score can be high, mediumor low.All projects submitted can be viewed by the information security/compliance team and they candecide on which of the projects they wish to assess further. Traditionally, only medium and high riskprojects are further assessed.If the information security/compliance team have several members that share work, we have thefunctionality for the team leader role who will deal with allocating projects to teams members.5 6. www.riesgoriskmanagement.com [email protected] project with a high rating6 7. www.riesgoriskmanagement.com [email protected] registerThe project register submitted to the information security or compliance team provides the teamwith details of the project as well as the relevant for billing and time scale.The solution provides the team with the flexibility to provide their services to business units inremote locations and maintain the same level of assurance.Each project will also contain the full documentation set for the project either on teamrooms or asattachment, the documentations can include, PID, BRS, HLD and or LLD.7 8. www.riesgoriskmanagement.com [email protected] risk assessmentOnce the project has been assigned to a consultant, he or she would be able to pick up the projectand review the details as well as carry out the business impact assessment. This BIA framework canincorporate your current risk management templates.The project dashboard reveals to theconsultant the project details, the FRSsurvey carried out and he or she caninitiate the Business impact assessment.If the team operates a milestone approvalgate system, then the project milestoneswill also be available to the consultant forapproval on due dates.The reports are also available to the projectteam for review and feedbacks.The diagram below describes howThe consultant can add a new BIA as well as add stakeholders8 9. www.riesgoriskmanagement.com [email protected] risk identificationWhen the Consultant goes through the project documentation and has his or her meetings withthem to identify the intentions and proposals from the project, the tool provide the option toregister the risks identified in the project.The risk will identify the business impact, likelihood of occurrence as well as residual risks associatedwith the risk. The risk will be stored on the project risk register and reviewed periodically at eachproject milestone.The project register will be available to projects and information security/compliance teams toreview and mitigate. As each mitigation is addressed and approved, the risk register will be updatedto ensure there are no stagnant risks.9 10. www.riesgoriskmanagement.com [email protected] Asset risk assessmentEach information Asset is registered per business unit or organisation. The business unit can uploadtheir assets and either carry out their risk assessment based on Confidentiality, Integrity andavailability (CIA) using the standard risk matrix calculates the business impact assessment bydefining the business risk, likelihood of occurrence and residual risk.The picture below shows how an information security/compliance team can view all the informationassets from each business unit. When each business logs on, they will only be able to see their ownassets whilst the information security/compliance can see the entire organisation.If the information asset was completed by the business unit, the information security/complianceteam can review the information added and adjust accordingly or produce baseline policies fordealing with specific data for example, fraud, confidential or business sensitive assets.10 11. www.riesgoriskmanagement.com [email protected] impact assessmentThe consultants can initiate their Business impact assessment for the project either by uploadingtheir own BIA documents or if teamrooms are used setup a link to the central document repository.Once the BIA is uploaded,11 12. www.riesgoriskmanagement.com [email protected] assessment of assetsThe information asset can be edited to suit its current status. Each Asset is given an Asset ID anddetail description provided including, data input and output as well as with whom the informationasset is being shared.12 13. www.riesgoriskmanagement.com [email protected] management dashboardsThe tool provides several risk management dashboards depending on the desire of the organisationThe project dashboardAsset list13 14. www.riesgoriskmanagement.com [email protected] dashboard14