Develop and Conduct Threat and Risk Assessments
If you don’t assess risk, you’re accepting it.
Onsite Workshop
Lack of risk assessments or informal risk processes can result in:
- Unintentional risk acceptance.
- Poor strategic planning of mitigating controls.
- Confusion about how one project’s risk relates to another.
A formal, standardized risk assessment process leads to:
- A defensible and repeatable risk assessment model.
- Security controls designed to prevent risk associated with a particular project.
- Informed risk decisions, rather than reliance on hunches.
Module 1: Establish the Risk Environment
The Purpose
- Build the foundation needed for a security risk management program.
- Define roles and responsibilities of the risk executive.
- Define an information security risk tolerance level.
Key Benefits Achieved
- Clearly defined roles and responsibilities.
- Defined risk tolerance level.
| Activities: | Outputs: | |
|---|---|---|
| 1.1 | Define the security executive function RACI chart. |
|
| 1.2 | Assess your organizational risk culture. |
|
| 1.3 | Perform a cursory assessment of management risk culture. |
|
| 1.4 | Standardize impact terminology. |
|
| 1.5 | Define frequency or impact thresholds outside of individual risk tolerance level. |
|
| 1.6 | Evaluate risk scenarios to determine risk tolerance level. |
|
| 1.7 | Optimize the sensitivity of your screening test. |
|
| 1.8 | Decide on a custom weighting. |
|
| 1.9 | Finalize the risk tolerance level. |
|
Module 2: Conduct Threat and Risk Assessments
The Purpose
- Determine when and how to conduct threat and risk assessments (TRAs).
- Complete one or two TRAs, as time permits during the workshop.
Key Benefits Achieved
- Developed process for how to conduct threat and risk assessments.
- Deep risk analysis for one or two IT projects/initiatives, as time permits.
| Activities: | Outputs: | |
|---|---|---|
| 2.1 | Determine when to initiate a risk assessment and which project/initiative will be assessed. |
|
| 2.2 | Review appropriate data classification scheme. |
|
| 2.3 | Identify system elements and perform data discovery. |
|
| 2.4 | Map data types to the elements. |
|
| 2.5 | Identify STRIDE threats and assign rankings. |
|
| 2.6 | Determine risk actions taking place and assign countermeasures. |
|
| 2.7 | Calculate mitigated risk severity based on actions. |
|
| 2.8 | Review results and form risk-based decisions. |
|
Module 3: Build a Security Risk Register
The Purpose
- Collect, analyze, and aggregate all individual risks into the security risk register.
- Plan for the future of risk management.
Key Benefits Achieved
- Established risk register to provide overview of the organizational aggregate risk profile.
- Ability to communicate risk to other stakeholders as needed.
| Activities: | Outputs: | |
|---|---|---|
| 3.1 | Begin building a risk register. |
|
| 3.2 | Identify risks and threats that exist in the organization. |
|
| 3.3 | Identify which stakeholders sign off on each risk. |
|
| 3.4 | Review the aggregate risk level of the entire organization. |
|
| 3.5 | Act upon risk results, depending on the aggregate level as it relates to the risk tolerance. |
|
| 3.6 | If necessary, revisit risk tolerance. |
|
| 3.7 | Plan for the future of risk management. |
|
Book Your Workshop
Onsite Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn’t enough, we offer low-cost onsite delivery of our Project Workshops. We take you through every phase of your project and ensure that you have a road map in place to complete your project successfully.
Book a Workshop View Blueprint