Benefits

To streamline configurations, ZenGRC provides pre-set models to instantly set up risk calculations. And with just a few clicks, you can create a baseline set of risks that your organization can use as an initial risk register for identification and tracking.

In addition, all risk settings and calculations are fully customizable. Options include the following:

  • Unlimited risk factors with weights and options.
  • Unlimited risk vectors (for risk programs involving more than two vectors, like impact, likelihood, and velocity).
  • Unlimited risk scores (to capture multiple risk states in management workflow i.e. inherent versus residual risk).

    Tip: If you are utilizing preset calculations and risk registers, you would typically select one option under Calculation Methods and one option under Risk Registers.


    Overview


    These instructions provide information to do any or all of the following:

    • Get started immediately with default, ready-made settings.

    • Incorporate a collection of industry-approved methods and registers for a more robust risk management program.

    • Customize risk settings to create your own program within ZenGRC.

    • Employ a mix of default and customized elements to suit your organization's needs.

    Accessing the Risk Settings Page

    To access the area that allows customization of the risk heatmap, complete the following steps:

    1. Click Settings | Risk Settings.

    2. The Risk Settings home page displays.

    Info: The disabled tabs in the screenshot show upcoming functionality.

    What Are Factors, Vectors and Scores?


    ZenGRC provides components called factors and vectors to calculate risk scores.

    • Factors - Terms used in calculating vectors (e.g. Impact * Likelihood = Inherent Risk, where Impact and Likelihood are the factors contributing to the overall Inherent Risk score, which is a vector).

    • Vectors - Terms used to measure risk types within an organization (e.g. Inherent Risk).

    • Scores - The combination of factors and vectors to rank risks.

    Risk vectors are a function of factors:

    Risk Vectors = Fx(Factors)

    The Impact vector could be as simple as a single value on a scale of 1-5, or it might be a combination of several scales already defined. For example, Impact may equal the sum of financial impact, operational impact, and privacy impact.

    A simple way to remember it is that a risk score is a function of vectors:

    Risk Score = Fx(Vectors)

    To calculate inherent risk, one option is to multiply Impact by Likelihood:

    Inherent Risk = Impact * Likelihood

    Residual Risk then takes the product of Impact and Likelihood that makes up the Inherent Risk and divides it by Control Strength. The residual risk is the result of that division:

    Residual Risk = (Impact * Likelihood) / Control Strength

    ZenGRC Default Settings


    To get you started, your instance already contains simple, preset factors and vectors to use in their entirety or to configure as needed. This section provides basic definitions. You will learn how to create or alter them in the next documentation sections. 

    Factors

    The default factors in ZenGRC are labeled Impact, Likelihood, Residual Impact, and Residual Likelihood. You can configure the scale based on your desired risk calculation profile, and make them as complex or simple as your organization needs. These factors come with default options of Very Low (1), Low (2), Moderate (3), High (4), and Very High (5). This scale provides a simple method for scoring and calculating risk: a risk that you deem as having a High impact on your organization (5) and Moderate likelihood (3) will have a higher risk score than a risk object with Low residual impact (2) and Moderate likelihood (3).


    Vectors

    ZenGRC default options for vectors include Impact, Likelihood, Residual Impact, and Residual Likelihood. As with the factors, vectors have predetermined threshold ranges from very low to very high, and can be customized as needed.


    Scores

    Additionally, there are default scores that include Inherent Risk and Residual Risk. The calculations and ranges are easily viewed for each score and can be customized.


    Incorporating a Calculation Method


    Making a selection under Calculation Methods automatically creates factors, vectors and scores needed to calculate risks.

    The methods to choose from include the following:

    • Basic Risk - A risk calculation method composed of two risk scores, Inherent and Residual. The former is used to calculate the initial risk score, and the latter is used to calculate the risk score after remediation processes.

    • RISQ Simplified - This Enterprise Risk Management (ERM) assessment process has been developed by RISQ Management LLC to allow for scalable implementation of a Risk Management System. The system is designed to start in a single department or organization, and then scale to cover the complete enterprise. The system uses three vectors (Impact, Likelihood, Avoidance) and six factors (Financial Impact, Velocity, Possibility, Importance, Control Strength, Responsiveness) to calculate inherent and residual risk.

    • CIS-RAM Simplified - This assessment method is based on the CIS-RAM model, published by the Center for Internet Security. This system uses impact and likelihood to calculate the residual (current) risk level. This model takes into account mission impact and obligation impact to determine the maximum risk score.

    Previewing a Method

    To preview the calculations in a method, complete the following steps:

    1. On the Risk Settings page, click the Content tab.

    2. In the Calculation Methods section, click the linked title of each method.

    3. The calculations for the method are displayed.

    4. Click the X at the top right to close.

    Adding a Method

    To adopt a calculation method from one of the options, complete the following steps:

    1. On the Risk Settings page, click the Content tab.

    2. In the Calculation Methods section, select the radio button for one of the methods.

    3. Click Add.

    Incorporating a Risk Register


    These risk registers create a full list of risks for your organization to track. The available risk registers include the following:

    RISQ Management Enterprise Risk Register - An enterprise/departmental risk register compiled by RISQ Management LLC from a comprehensive set of risk studies and standards, including the North Carolina State Enterprise Risk Management study, the Verizon Data Breach Investigations report, NIST 800-53 and the PWS Third-Party Risk Management report.

    This register should be used as a basis to start identifying and tracking risks within your own organization. Not all risks will apply to an organization, and typically organizations limit the number of risks tracked and managed within a department or enterprise to 25-35 total risks.

    Cybersecurity Risk Catalog - The Risk Catalog is a catalog of 32 unique risks, organized into 6 risk categories based on the nature of the risk: Access Control (AC), Asset Management (AM), Business Continuity (BC), Exposure (EX), Governance (GV) and Situational Awareness (SA). Each risk has its own unique risk control # and description.

    The intent of this risk catalog is to help standardize an understanding of legitimate cybersecurity and privacy risks across the organization, to reduce the Fear, Uncertainty and Doubt (FUD) that is all too common in risk discussions. The risk catalog will be applied so that each of the Secure Controls Framework (SCF) controls is tagged with associated risks, for either (1) a control deficiency or (2) understanding the risks associated with a request for an exception to a requirement.

    The risk catalog is not authoritative. However, it is a starting point for a rational discussion about the possible risks associated with a control either not being done at all or only partially. The idea is to look at risks with an “eyes wide open” approach to understand the potential ramifications in managing cybersecurity and privacy controls.

    Adding a Register

    To adopt a risk register from one of the options, complete the following steps:

    1. On the Risk Settings page, click the Content tab.

    2. In the Risk Registers section, select a register, a register group, or a single risk object.

      • Registers and register groups can be expanded with the caret icon next to the title.

      • Selecting the checkbox next to a register or register group selects all of the objects it contains.

    3. Click Add.

    Customizing Factors, Vectors and Scores


    Note: The risk scoring section supports a maximum of 250 characters (varchar) for scoring. Keep this in mind when entering factor and vector values.

    If you've utilized existing methods and registers as explained in the above sections, you can still alter or create risk factors, vectors, and scores. Customization options include the following:

    • Unlimited risk factors with weights and options.

    • Unlimited risk vectors (for risk programs involving more than two vectors, like impact, likelihood, and velocity).

    • Unlimited risk scores (to capture multiple risk states in management workflow i.e. inherent versus residual risk).

    Creating Factors

    To create a new factor, complete the following steps:

    1. On the Risk Settings page, click the Factors tab.

    2. Click +Add Factor, and give it a title.

    3. Click +Add Option and create options with values determined by your organization, such as "Low" or "Very low."

    4. Next to each option, click in the Values text box and use the up or down arrows to provide numbered weights. The higher the number, the higher the risk.

    5. Add a number in the Weight text box. This number is then multiplied by each of the option values. If those values don't need to be changed, enter the numeral "1" in the Weight box.

    6. Click Save.

    7. Alternatively, click Cancel to close the dialog box without creating a factor.

    The factors can now be used as part of an arithmetic equation in the Vectors and the Scores tabs.


    Creating Vectors

    To create a new vector, complete the following steps:

    1. On the Risk Settings page, click the Vectors tab.

    2. Click +Add Vector, and give it a title.

    3. Under Calculation, select from the list of factors, vectors, and scores. These are specific to your instance. Then utilize the grid on the right to create a customized item. The options are as follows:

      1. Addition.

      2. Subtraction.

      3. Multiplication.

      4. Division.

      5. Average.

      6. Minimum.

      7. Maximum.

    4. Set ranges by adding a title in the Ranges text box and selecting a number in the UP TO (≤) numeral box. This is the highest value for that range.

    5. Click +Add Range to create a new range. Each range determines the number of boxes displayed on the Risk Heatmap module.

    6. Once all ranges are created, click Save.

    7. Alternatively, click Cancel to close the dialog box without creating a vector.

    These vectors populate selections in the X-Axis and Y-Axis dropdowns on the Risk Heatmap page. Both dropdowns display the same options, but once a selection is made in one dropdown, it is no longer available in the other.


    Tip: The number of ranges created for the selected vector determines the number of boxes on whichever axis it's displayed.

    Creating Scores

    To create a new score, complete the following steps:

    1. On the Risk Settings page, click the Scores tab.

    2. Click +Add Scores and give it a title.

    3. Under Calculation, select from the list of factors, vectors, and scores. These are specific to your instance. Then utilize the grid on the right to create a customized item. The options are as follows:

      1. Addition.

      2. Subtraction.

      3. Multiplication.

      4. Division.

      5. Average.

      6. Minimum.

      7. Maximum.

    4. Set ranges by adding a title in the Ranges text box. For example, "Low" or "Very low."

    5. Click in the circle beside the Ranges text box and select a color to represent the range on the heatmap.

    Important: The colors added here are the colors pulled into the Risk Heatmap display.

    6. Select a number in the UP TO (≤) numeral box. As with vectors, this is the highest value for that range.

    7. Click Save.

    8. Click +Add Range to create a new range.

    9. Once all ranges are created, click Save.

    10. Alternatively, click Cancel to close the dialog box without creating a score.

    These scores populate selections in the Select Risk Score dropdown on the Risk Heatmap page.

    Default Range Colors in Scores

    ZenGRC provides default colors for the ranges. They are as follows:

    • Very Low (dark green): #3BBF74

    • Low (light green): #89D9AC

    • Moderate (light yellow/orange): #FFCD79

    • High (orange): #FFAC1F

    • Very High (red): #EF4853

    Editing an Existing Factor, Vector or Score

    Once a factor, vector or score is created, the individual details are divided out into columns and available for editing.

    Tip: If an element is added, edited, or removed, it may impact a risk item's score. If this occurs, the score remains the same until the risk is opened and Calculate is clicked. This option is located on the Risk Scoring tab of each individual risk item.


    To edit, complete the following:

    1. On the Risk Settings page, select the appropriate tab.

    2. Hover over the option you want to edit.

    3. Click the blue pencil.

    4. Make edits.

    5. Click Save.

    Deleting an Existing Factor, Vector or Score

    All components can be deleted. However, there's a hierarchy to follow so that formulas don't become invalid if one of its components is deleted. The order of deletion is as follows:

    • Scores.

    • Vectors.

    • Factors.

    To delete an item, complete the following:

    1. Click the ellipsis in the Actions column.

    2. Click Delete.

    3. In the resulting dialog box, select "Factor will be deleted."

    4. Click Delete.

    How the Risk Heatmap Displays Risks


    The number of vector ranges determines the number of the boxes on that axis. 

    For example, if the following vectors are created and selected on the Risk Heatmap axes:

    • Likelihood vector with ranges:

      • 0 <= 2 very low

      • 2 <= 4 low

      • 4 <= 6 moderate

      • 6 <= 8 high

      • 8 <= 10 extremely high

    • Impact vector with ranges:

      • 0 <= 10 low

      • 10 <= 40 medium

      • 40 <= 50 high

    The heatmap will have 15 boxes, three for Impact and five for Likelihood.

    Then, the Inherent Risk (Impact x Likelihood) ranges are as follows:

    • 0 <= 100 insignificant

    • 100 <= 400 concerning

    • 400 <= 500 dangerous

    Heatmap colors are determined by the highest risk values within the box. For example, if you have risks with the following values:

    • L = 1, I = 5 => insignificant

    • L = 1, I = 8 => insignificant

    • L = 6, I = 20 => concerning

    • L = 8, I = 25 => concerning

    • L = 10, I = 45 => dangerous 

    The heatmap is displayed as follows:

    Impact/Likelihood | Very low          | Low | Moderate       | High           | Very high
    ------------------|-------------------|-----|----------------|----------------|--------------
    High              |                   |     |                |                | dangerous (1)
    Moderate          |                   |     |                | concerning (1) |
    Low               | insignificant (2) |     | concerning (1) |                |


    If there are three or more vectors, the same rules apply, even though we are showing two vectors at the same time. The highest risk score value in the box determines its color.

    For example, if the following is set up:

    • Likelihood (1-5)

    • Impact (1-5)

    • Velocity (1-5)

    • Safeguard risk = Likelihood x Impact x Velocity

    The risk threshold is defined as:

    • 1 <= 25 weak

    • 25 <= 100 reasonable

    • 100 <= 125 insane

    There would be five risks:

    • I = 1, L = 5, V = 5 ==> 25 (reasonable)

    • I = 1, L = 5, V = 1 ==> 5 (weak)

    • I = 3, L = 3, V = 3 ==> 27 (reasonable)

    • I = 1, L = 1, V = 5 ==> 5 (weak)

    • I = 5, L = 1, V = 1 ==> 5 (weak)

    If the heatmap is filtered by Impact and Likelihood, the following displays:

    Impact/Likelihood | Very low | Low | Medium         | High | Very high
    ------------------|----------|-----|----------------|------|---------------
    Very high         | weak (1) |     |                |      |
    High              |          |     |                |      |
    Medium            |          |     | Reasonable (1) |      |
    Low               |          |     |                |      |
    Very low          | weak (1) |     |                |      | Reasonable (2)


    There are two risks in the <1,5> box, and they are colored yellow because of the highest risk in the box.
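    The factor/vector/score pipeline and the heatmap rule described above, as an added Python illustration written for this page (it is not ZenGRC's code): a range is a list of (label, UP TO bound) pairs, calculate applies one of the seven Calculation-grid operations, and heatmap places each risk in a box and labels the box by its highest score range. The dict-based data model and the names first_example and second_example are assumptions; the numbers are the two worked examples above.

```python
# Added illustration for this page, not ZenGRC's code: the dict-based data model,
# the function names and the range representation are assumptions; the numbers
# are the two worked examples from the page.
import math
from collections import defaultdict
from statistics import mean

# A range list is an ordered list of (label, "UP TO (<=)" upper bound) pairs, as
# entered on the Ranges form: a value belongs to the first range it does not exceed.
LIKELIHOOD = [("very low", 2), ("low", 4), ("moderate", 6), ("high", 8), ("extremely high", 10)]
IMPACT = [("low", 10), ("medium", 40), ("high", 50)]
INHERENT = [("insignificant", 100), ("concerning", 400), ("dangerous", 500)]

# The seven operations of the Calculation grid, applied to the operand values in order.
OPS = {"Addition": sum, "Subtraction": lambda xs: xs[0] - sum(xs[1:]),
       "Multiplication": math.prod, "Division": lambda xs: xs[0] / math.prod(xs[1:]),
       "Average": mean, "Minimum": min, "Maximum": max}

def calculate(op, values):
    """Evaluate one Calculation-grid operation over factor, vector or score values."""
    return OPS[op](list(values))

def bucket(value, ranges):
    """Map a value to its range label; a value above the last UP TO bound is an error."""
    for label, upper in ranges:
        if value <= upper:
            return label
    raise ValueError(f"{value} exceeds the top range ({ranges[-1][1]})")

def heatmap(risks, score, x_axis, y_axis, ranges):
    """Return {(y label, x label): (highest score label in the box, number of risks)}.

    risks: list of {vector: value} dicts (vectors not on an axis still feed the score);
    score: (name, op, [operand vectors]); ranges: {vector or score name: range list}.
    The number of possible boxes is len(ranges[x_axis]) * len(ranges[y_axis]).
    """
    name, op, operands = score
    severity = {label: i for i, (label, _) in enumerate(ranges[name])}
    boxes = defaultdict(list)
    for risk in risks:
        value = calculate(op, (risk[v] for v in operands))
        key = (bucket(risk[y_axis], ranges[y_axis]), bucket(risk[x_axis], ranges[x_axis]))
        boxes[key].append(bucket(value, ranges[name]))
    return {box: (max(labels, key=severity.get), len(labels)) for box, labels in boxes.items()}

def first_example():
    """Inherent Risk = Impact * Likelihood; Likelihood on the X axis, Impact on the Y axis."""
    risks = [{"Likelihood": l, "Impact": i} for l, i in [(1, 5), (1, 8), (6, 20), (8, 25), (10, 45)]]
    ranges = {"Likelihood": LIKELIHOOD, "Impact": IMPACT, "Inherent Risk": INHERENT}
    return heatmap(risks, ("Inherent Risk", "Multiplication", ["Impact", "Likelihood"]),
                   "Likelihood", "Impact", ranges)

def second_example():
    """Safeguard risk = Likelihood * Impact * Velocity, displayed on Impact and Likelihood."""
    five = [("very low", 1), ("low", 2), ("medium", 3), ("high", 4), ("very high", 5)]
    ranges = {"Impact": five, "Likelihood": five, "Velocity": five,
              "Safeguard": [("weak", 25), ("reasonable", 100), ("insane", 125)]}
    risks = [{"Impact": i, "Likelihood": l, "Velocity": v}
             for i, l, v in [(1, 5, 5), (1, 5, 1), (3, 3, 3), (1, 1, 5), (5, 1, 1)]]
    return heatmap(risks, ("Safeguard", "Multiplication", ["Likelihood", "Impact", "Velocity"]),
                   "Likelihood", "Impact", ranges)
```

    With the UP TO (≤) rule a Safeguard value of exactly 25 lands in the weak range, whereas the three-vector example above labels it reasonable, so confirm which side of a boundary your instance uses before relying on box colours. Vectors that are not on an axis, such as Velocity, still feed the score.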

    Note: To continue to the next section, please see Utilizing the Risk Heatmap.