09-25-2019 11:26 PM
Hi Community,
Could someone explain why the "original" risk scores seem to be saved to related risks when requesting a Risk Assessment on a Policy Exception?
There seem to be the following fields (not visible on the form) in the risk table that I cannot figure out the usage for:
- original_calculated_ale
- original_calculated_score
- original_inherent_ale
- original_inherent_aro
- original_inherent_sle
- original_residual_ale
- original_residual_aro
- original_residual_score
- original_residual_sle
- original_response
- original_score
Thank you in advance,
Kristoffer
Labels: Policy and Compliance Management
10-19-2019 02:37 PM
Risk Assessment within Policy Exception is a bit abstract, at first...
Before you begin, you must imagine that you are fairly mature with both Controls and Risks - else, this feature is not really going to be of significant value.
So let's envisage a Profile/Entity of London Data Centre.
You have several risks:
- Fire
- Flood
- Airplane disaster
Linked to the Fire risk, you have several controls:
- Fire extinguishers
- Training
- Fire drills
- Sprinklers
- Posters
Now, perhaps at this site - you have realised that the sprinklers are not working but you are due to repair them as part of a renovation project over the next 3 months. You need temporary relief on this control. Thus, Policy Exception (PER) comes into play.
Perhaps an Issue is raised you cannot remediate, you need to accept the issue. Now we have a perfect entry point into PER.
The issue is directly related to a Control, which is tied to a Control Objective (née Policy Statement).
Upon selecting this issue, it populates the statement and also populates the impacted controls related list...
This then displays in the risk section all risks which are associated with the control (Fire),
and then, in the mitigating controls related list, you will see the OTHER controls for that risk, which provide protection against that risk.
Great, so you can see the coverage. But you want to utilise risk assessment within PER; what does it do?
Because the risk of Fire was assessed and scored based on ALL controls being implemented, or rather those controls are mitigating this risk. Now we are asking for temporary relief, which means the control is not really implemented... we should probably re-assess the risk, taking account of the fact that this risk no longer has full coverage...
It will snapshot the scores as they stand, and then be re-assessed for the duration of the PER.
Once the PER is closed, it reverts back to the original scores...
For me there are some nuances in this lifecycle, such as the automated triggering of the assessment process, which perhaps should be refined. And this topic is very broad, such that it is rarely covered even in the CIS exam.
I have a lot of conversations around this topic, and rarely are organisations quite ready to adopt it in full. But Risk Assessment in the context of PER, is all about assessing the existing Risks based on the approved gap in coverage, which is the net effect of the PER being approved. It makes total sense, but requires a fair amount of maturity upfront to be effective.
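An added illustration of the snapshot / re-assess / revert lifecycle the answer above describes, written for this thread and not taken from ServiceNow or from the poster. The original_* field names are the ones listed in the question; the un-prefixed counterparts, the per_snapshot_active flag and the "keep the first snapshot while a PER is open" rule are assumptions.

```javascript
// Added model of the PER risk-assessment lifecycle (assumptions noted inline).
// Un-prefixed names below are assumed counterparts of the thread's original_* fields.
const SNAPSHOT_FIELDS = [
  'calculated_ale', 'calculated_score',
  'inherent_ale', 'inherent_aro', 'inherent_sle',
  'residual_ale', 'residual_aro', 'residual_score', 'residual_sle',
  'response', 'score',
];
// Annualised Loss Expectancy = Single Loss Expectancy x Annual Rate of Occurrence.
function ale(sle, aro) {
  return sle * aro;
}
// Step 1: requesting the assessment copies the current values into original_*.
// Assumed rule: if a snapshot is already active (another open PER), keep it so the
// eventual revert restores the true baseline rather than an interim score.
function snapshotForException(risk) {
  if (risk.per_snapshot_active) return risk;
  for (const f of SNAPSHOT_FIELDS) risk['original_' + f] = risk[f];
  risk.per_snapshot_active = true;
  return risk;
}
// Step 2: re-assess for the duration of the PER with the gap in coverage taken
// into account; residual ALE is recomputed from the new SLE/ARO.
function reassessDuringException(risk, residual) {
  risk.residual_sle = residual.sle;
  risk.residual_aro = residual.aro;
  risk.residual_score = residual.score;
  risk.residual_ale = ale(residual.sle, residual.aro);
  risk.response = residual.response;
  return risk;
}
// Step 3: closing the PER reverts to the snapshotted scores and clears the copies.
function closeException(risk) {
  if (!risk.per_snapshot_active) return risk;
  for (const f of SNAPSHOT_FIELDS) {
    risk[f] = risk['original_' + f];
    delete risk['original_' + f];
  }
  risk.per_snapshot_active = false;
  return risk;
}
// Constructed sample: the Fire risk from the London Data Centre example.
function fireRiskSample() {
  return { name: 'Fire', score: 30, calculated_score: 30, calculated_ale: 50000,
    inherent_sle: 500000, inherent_aro: 0.2, inherent_ale: 100000,
    residual_sle: 250000, residual_aro: 0.2, residual_ale: 50000,
    residual_score: 30, response: 'Mitigate' };
}
```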
10-20-2019 10:50 PM
Hi,
Thank you for the exceptional answer! It seems that you have seen some implementations of this. Do you usually go by assessing the risk manually, or do you go with some automation?
Br,
Kristoffer
10-21-2019 01:00 AM
Hi, thanks for feedback.
I am not sure what you mean by assessing the risk in this context. Because in SN GRC, the risk assessment is performed as a questionnaire to gather evidence. The results of the assessment instance do not automatically update the risk scores. The scores are manually set, based on the evidence gathered.
The main way I see to perform an assessment automatically, is creating some logic to interpret the results of the assessment instance - and update the risk scores - but this brings with it additional complexity.
If you are referring to the use of risk indicators, I would not refer to this as 'assessment', more like 'monitoring'.
It probably warrants another thread but I hope my reply was still useful.
10-21-2019 01:33 AM
Hi,
Thank you for your answer, but what I'm after is how the PER risk assessment relates to the PER-related risks, because there are fields in the PER ticket related to risk scoring but they do not update anything on the related risks.
I'm trying to figure out the "most correct way" of doing the risk assessment on a PER ticket.
Hope this makes it clearer.
Br,
Kristoffer

10-21-2019 09:20 AM
Thank you Phil!! Impressive answer and contribution!
I gave you an additional 50 points. 🙂

06-15-2020 04:08 PM
Hi Phil,
Do you know if there is an OOB option to link an exception to a risk when the risk is accepted?
We don't want to use the OOB Risk Acceptance Task. Instead, we want to create an exception when a risk is accepted.
Did you have such a scenario in your projects?