
Overview


These instructions provide information to do any or all of the following:

  • Get started immediately with default, ready-made settings.

  • Incorporate a collection of industry-approved methods and registers for a more robust risk management program.

  • Customize risk settings to create your own program within ZenGRC.

  • Employ a mix of default and customized elements to suit your organization's needs.

Accessing the Risk Settings Page


To access the area that allows customization of the risk heatmap, complete the following steps:

  1. Click Settings | Risk Settings.



  2. The Risk Settings home page displays.


NOTE: The disabled tabs in the Risk Settings screenshot show upcoming functionality.

What Are Factors, Vectors and Scores?


ZenGRC provides components called factors and vectors to calculate risk scores.

  • Factors - The terms used in calculating vectors (e.g. Impact * Likelihood = Inherent Risk, where Impact and Likelihood are the factors contributing to the overall Inherent Risk score, which is a vector).

  • Vectors - The terms used to measure risk types within an organization (e.g. Inherent Risk).

  • Scores - The combination of factors and vectors used to rank risks.

Risk vectors are a function of factors as follows:

Risk Vectors = Fx(Factors)  

The Impact vector could be as simple as single score on a scale of 1-5, or it might be a combination of various scales already defined. For example, Impact may equal the sum of financial impact, operational impact, and privacy impact together.

A simple way to remember risk score is that it is a function of vectors as follows: 

Risk Score = Fx(Vectors)

To calculate inherent risk, an option would be to multiply Impact with Likelihood:

Inherent Risk = Impact * Likelihood

Then find the Residual Risk by taking the product of Impact and Likelihood that makes up your Inherent Risk and dividing it by Control Strength. The residual risk is the result of that division, as shown below:

Residual Risk = (Impact * Likelihood) / Control Strength

ZenGRC Default Settings


To get you started, your instance already contains simple, preset factors and vectors to use in their entirety or to configure as needed. This section provides basic definitions. You will learn how to create or alter them in the next documentation sections. 

Factors

The default factors in ZenGRC are labeled as Impact, Likelihood, Residual Impact, and Residual Likelihood, with options of Very Low (1), Low (2), Moderate (3), High (4), Very High (5), which provides a simple method for scoring and calculating risk. However, you can make them as complex your organization needs.

Vectors

ZenGRC default options for vectors include Impact, Likelihood, Residual Impact, and Residual Likelihood. As with the factors, vectors have predetermined threshold ranges from very low to very high, and can be customized as needed.

Scores

Additionally, there are default scores that include Inherent Risk and Residual Risk. The calculations and ranges are easily viewed for each score and can be customized.

Incorporating a Calculation Method


Making a selection under Calculation Methods automatically creates factors, vectors and scores needed to calculate risks.

The methods to choose from include the following:

  • Basic Risk - A risk calculation method composed of two risk scores, Inherent and Residual. The former is used to calculate the initial risk score, and the latter is used to calculate the risk score after remediation processes.

  • RISQ Simplified - This Enterprise Risk Management (ERM) assessment process was developed by RISQ Management LLC to allow for scalable implementation of a Risk Management System. The system is designed to start in a single department or organization, and then scale to cover the complete enterprise. The system uses three vectors (Impact, Likelihood, Avoidance) and six factors (Financial Impact, Velocity, Possibility, Importance, Control Strength, Responsiveness) to calculate inherent and residual risk.

  • CIS-RAM Simplified - This assessment method is based on the CIS-RAM model, published by the Center for Internet Security. This system uses impact and likelihood to calculate the residual (current) risk level. The model takes into account mission impact and obligation impact to determine the maximum risk score.

Previewing a Method

To preview the calculations in a method, complete the following steps:

  1. On the Risk Settings page, click the Content tab.

  2. In the Calculation Methods section, click the linked title of each method.




  3. The calculations for the method are displayed.




  4. Click the X in the top, right to close.

Adding a Method

To adopt a calculation method from one of the options, complete the following steps:

  1. On the Risk Settings page, click the Content tab.

  2. In the Calculation Methods section, select the radio button for one of the methods.




  3. Click Add.

Incorporating a Risk Register


These risk registers create a full list of risks for your organization to track. The categories available include the following:

RISQ Management Enterprise Risk Register - An enterprise/departmental risk register compiled by RISQ Management LLC from a comprehensive set of risk studies and standards including the North Carolina State Enterprise Risk Management study, the Verizon Data Breach Investigations report, NIST 800-53 and PWS Third-Party Risk Management report.

Use this register as a basis for identifying and tracking risks within your own organization. Not all risks will apply to every organization, and typically organizations limit the number of risks tracked and managed within a department or enterprise to 25-35 total risks.

Cybersecurity Risk Catalog - The Risk Catalog is a catalog of 32 unique risks, organized into 6 risk categories based on the nature of the risk: Access Control (AC), Asset Management (AM), Business Continuity (BC), Exposure (EX), Governance (GV) and Situational Awareness (SA). Each risk has its own unique risk control number and description of the risk.

The intent of this risk catalog is to help standardize an understanding of legitimate cybersecurity and privacy risks across the organization to reduce Fear, Uncertainty and Doubt (FUD) that is all too common in risk discussions. The risk catalog will be applied so that each of the Secure Controls Framework (SCF) controls will be tagged with associated risks for either (1) a control deficiency or (2) understanding risks associated with a request to have an exception to a requirement.

The risk catalog is not authoritative. However, it is a starting point to have a rational discussion about the possible risks associated with a control either not being done at all or only partially. The idea is to look at risks with an “eyes wide open” approach to understand the potential ramifications in managing cybersecurity and privacy controls.

Adding a Register

To adopt a risk register from one of the options, complete the following steps:

  1. On the Risk Settings page, click the Content tab.

  2. In the Risk Registers section, select a register, a register group, or a single risk object.

    • Registers and register groups can be expanded with the caret icon next to the title.

    • Selecting the checkbox next to a register or a register group selects all of the objects within it.

  3. Click Add.

Customizing Factors, Vectors and Scores


NOTE: The risk scoring section only supports a maximum of 250 characters (varchar) per scoring field. Keep this in mind when entering factor and vector values.

If you've utilized existing methods and registers as explained in the above sections, you can then alter the factors, vectors, and scores, or create new ones. Customization options include the following:

  • Unlimited risk factors with weights and options.

  • Unlimited risk vectors (for risk programs involving more than two vectors, like impact, likelihood, and velocity).

  • Unlimited risk scores (to capture multiple risk states in management workflow i.e. inherent versus residual risk).

Creating Factors

To create a new factor, complete the following steps:

  1. On the Risk Settings page, click the Factors tab.




  2. Click +Add Factor, and give it a title.

  3. Click +Add Option and create options such as "Low" or "Very low."

  4. Next to each option, click in the Values text box and use the up or down arrows to provide numbered weights. The higher the number, the higher the risk.




  5. Add a number in the Weight text box. This number is then multiplied by each of the option values. If those values don't need to be changed, enter the numeral "1" in the Weight box.

  6. Click Save.

  7. Alternatively, click Cancel to close the dialog box without creating a factor.

The factors can now be used as part of an arithmetic equation to set up vectors and scores.

Creating Vectors

To create a new vector, complete the following steps:

  1. On the Risk Settings page, click the Vectors tab.




  2. Click +Add Vector, and give it a title.

  3. Under Calculation, select from the list of factors, vectors, and scores. These are specific to your instance. Then utilize the grid on the right to create a customized item. The options are as follows:

    1. Addition.

    2. Subtraction.

    3. Multiplication.

    4. Division.

    5. Average.

    6. Minimum.

    7. Maximum.




  4. Set ranges by adding a title in the Ranges text box and selecting a number in the UP TO (≤) numeral box. This is the highest value for that range.

  5. Click +Add Range to create a new range. Each range determines the number of boxes displayed on the Risk Heatmap module.

  6. Once all ranges are created, click Save.

  7. Alternatively, click Cancel to close the dialog box without creating a vector.

These vectors populate selections in the X-Axis and Y-Axis drop downs on the Risk Heatmap page as shown below. Both drop downs display the same options. But if a selection is made in one drop down, it is no longer available in the other.

TIP: The number of ranges created for the selected vector determines the number of boxes on whichever axis it is displayed on.

Creating Scores

To create a new score, complete the following steps:

  1. On the Risk Settings page, click the Scores tab.

  2. Click +Add Scores and give it a title.

  3. Under Calculation, select from the list of factors, vectors, and scores. These are specific to your instance. Then utilize the grid on the right to create a customized item. The options are as follows:

    1. Addition.

    2. Subtraction.

    3. Multiplication.

    4. Division.

    5. Average.

    6. Minimum.

    7. Maximum.

  4. Set ranges by adding a title in the Ranges text box. For example, "Low" or "Very low."

  5. Click in the circle beside the Ranges text box. Select a color to represent the range on the heatmap.


IMPORTANT: The colors added here are the colors pulled into the Risk Heatmap display.

  6. Select a number in the UP TO (≤) numeral box. This number is a weight that is multiplied by the option value. If the option value doesn't need to be changed, then enter the numeral 1 in this box.

  7. Click Save.

  8. Click +Add Range to create a new range.

  9. Once all ranges are created, click Save.

  10. Alternatively, click Cancel to close the dialog box without creating a score.

These scores populate selections in the Select Risk Score drop down on the Risk Heatmap page as shown below.

Default Range Colors in Scores

ZenGRC provides default colors for the ranges. They are as follows:

  • Very Low (dark green): #3BBF74

  • Low (light green): #89D9AC

  • Moderate (light yellow/orange): #FFCD79

  • High (orange): #FFAC1F

  • Very High (red): #EF4853

Editing an Existing Factor, Vector or Score

Once a factor, vector or score is created, the individual details are divided out into columns and available for editing.

TIP: If an element is added, edited, or removed, it may affect a risk item's score. If this occurs, the score remains the same until the risk is opened and Calculate is clicked. This option is located on the Risk Scoring tab of each individual risk item.


To edit, complete the following:

  1. On the Risk Settings page, select the appropriate tab.

  2. Hover over the option you want to edit.

  3. Click the blue pencil.


  4. Make edits.

  5. Click Save.

Deleting an Existing Factor, Vector or Score

All components can be deleted. However, there is a hierarchy to follow so that formulas do not become invalid when one of their components is deleted. Delete in the following order:

  • Scores.

  • Vectors.

  • Factors.

To delete an item, complete the following:

  1. Click the ellipsis in the Actions column.

  2. Click Delete.

  3. In the resulting dialog box, select Factor will be deleted.

  4. Click Delete.

How the Heatmap Displays Risks


The number of vector ranges determines the number of the boxes on that axis. 

For example, if the following vectors are created and selected on the Risk Heatmap axes:

  • Likelihood vector with ranges:

    • 0 <= 2 very low

    • 2 <= 4 low

    • 4 <= 6 moderate

    • 6 <= 8 high

    • 8 <= 10 extremely high

  • Impact vector with ranges:

    • 0 <= 10 low

    • 10 <= 40 medium

    • 40 <= 50 high

The heatmap will have 15 boxes, three for Impact and five for Likelihood.

Then, the Inherent Risk (Impact x Likelihood) ranges are as follows:

  • 0 <= 100 insignificant

  • 100 <= 400 concerning

  • 400 <= 500 dangerous

Heatmap colors are determined by the highest risk values within the box. For example, if you have risks with the following values:

  • L = 1, I = 5 => insignificant

  • L = 1, I = 8 => insignificant

  • L = 6, I = 20 => concerning

  • L = 8, I = 25 => concerning

  • L = 10, I = 45 => dangerous 

The heatmap is displayed as follows:

| Impact \ Likelihood | Very low          | Low | Moderate       | High           | Very high     |
| High                |                   |     |                |                | dangerous (1) |
| Moderate            |                   |     |                | concerning (1) |               |
| Low                 | insignificant (2) |     | concerning (1) |                |               |

If there are three or more vectors, the same rules apply, even though we are showing two vectors at the same time. The highest risk score value in the box determines its color.

For example, if the following is set up:

  • Likelihood (1-5)

  • Impact (1-5)

  • Velocity (1-5)

  • Safeguard risk = Likelihood x Impact x Velocity

The risk threshold is defined as:

  • 1 <= 25 weak

  • 25 <= 100 reasonable

  • 100 <= 125 insane

There would be five risks:

  • I = 1, L = 5, V = 5 => 25 (reasonable)

  • I = 1, L = 5, V = 1 => 5 (weak)

  • I = 3, L = 3, V = 3 => 27 (reasonable)

  • I = 1, L = 1, V = 5 => 5 (weak)

  • I = 5, L = 1, V = 1 => 5 (weak)

If the heatmap is filtered by Impact and Likelihood, the following displays:

| Impact \ Likelihood | Very low | Low | Medium         | High | Very high      |
| Very high           | weak (1) |     |                |      |                |
| High                |          |     |                |      |                |
| Medium              |          |     | reasonable (1) |      |                |
| Low                 |          |     |                |      |                |
| Very low            | weak (1) |     |                |      | reasonable (2) |


There are two risks in the <1,5> box, and they are colored yellow because of the highest risk in the box.

NOTE: To continue to the next section, see Utilizing the Risk Heatmap.