
Overview


The Risk Heatmap can be customized on the Risk Settings page to reflect your organization's risk model.

To streamline configurations, ZenGRC provides pre-set models to instantly set up risk calculations. And with just a few clicks, you can create a baseline set of risks that your organization can use as an initial risk register for identification and tracking.

In addition, all risk settings and calculations are fully customizable. Options include the following:

  • Unlimited risk factors with weights and options.
  • Unlimited risk vectors (for risk programs involving more than two vectors, like impact, likelihood, and velocity).
  • Unlimited risk scores (to capture multiple risk states in management workflow i.e. inherent versus residual risk).

Accessing the Risk Settings Page


To access the area that allows customization of the risk heatmap, complete the following steps:

  1. Click Settings | Risk Settings.



  2. The Risk Settings home page displays.

Ways to Create Your Risk Program


ZenGRC provides a flexible framework that allows your organization to do the following:

  1. Utilize preset methods and registers to immediately set up your risk management program.
  2. Customize risk settings to recreate your own program within ZenGRC.
  3. Employ a mix of the two to suit your organization's needs.

TIP

If you are utilizing preset calculations and risk registers, you would typically select one option under Calculation Methods and one option under Risk Registers.

Utilizing Preset Calculations and Registers


Preset options for your Essential Risk program are found on the Risk Settings page, under the Content tab.


Incorporating a Calculation Method

Making a selection under Calculation Methods automatically creates factors, vectors and scores needed to calculate risks.

The methods to choose from include the following:

  • Basic Risk - A risk calculation method composed of two risk scores - Inherent and Residual. The former is used to calculate the initial risk score, and the latter is used to calculate the risk score after remediation processes.
  • RISQ Simplified - This Enterprise Risk Management (ERM) assessment process has been developed by RISQ Management LLC to allow for scalable implementation of a Risk Management System. The system is designed to start in a single department or organization, and then scale to cover the complete enterprise. The system uses three vectors (Impact, Likelihood, Avoidance) and six factors (Financial Impact, Velocity, Possibility, Importance, Control Strength, Responsiveness) to calculate inherent and residual risk.
  • CIS-RAM Simplified - This assessment method is based on the CIS-RAM model, published by the Center for Internet Security. This system uses impact and likelihood to calculate residual (current) risk level. This model takes into account mission impact and obligation impact to determine the maximum risk score.



To adopt a calculation method from one of the options, complete the following steps:

  1. On the Risk Settings page, click the Content tab.
  2. In the Calculation Methods section, select one of the methods.
  3. Click Add.

Adding a Risk Register

The available risk registers include the following:

RISQ Management Enterprise Risk Register - An enterprise/departmental risk register compiled by RISQ Management LLC from a comprehensive set of risk studies and standards including the North Carolina State Enterprise Risk Management study, the Verizon Data Breach Investigations report, NIST 800-53 and PWS Third-Party Risk Management report.

This register should be used as a basis for identifying and tracking risks within your own organization. Not all risks will apply to an organization, and typically, organizations limit the number of risks tracked and managed within a department or enterprise to 25-35 total risks.

Cybersecurity Risk Catalog - The Risk Catalog is a catalog of 32 unique risks, organized into 6 risk categories, based on the nature of the risk: Access Control (AC), Asset Management (AM), Business Continuity (BC), Exposure (EX), Governance (GV) and Situational Awareness (SA). Each risk has its own unique risk control # and description of the risk.

The intent of this risk catalog is to help standardize an understanding of legitimate cybersecurity and privacy risks across the organization to reduce Fear, Uncertainty and Doubt (FUD) that is all too common in risk discussions. The risk catalog will be applied so that each of the Secure Controls Framework (SCF) controls will be tagged with associated risks for either (1) a control deficiency or (2) understanding risks associated with a request to have an exception to a requirement.

The risk catalog is not authoritative. However, it is a starting point to have a rational discussion about the possible risks associated with a control either not being done at all or only partially. The idea is to look at risks with an “eyes wide open” approach to understand the potential ramifications in managing cybersecurity and privacy controls.



To adopt a risk register from one of the options, complete the following steps:

  1. On the Risk Settings page, click the Content tab.
  2. In the Risk Registers section, select one of the registers.
  3. Click Add.

Customizing Risk Settings


If you've utilized existing methods and registers as explained in the above section, you can still alter or create risk factors, vectors, and scores.

Setting Up Factors

To create a new factor, complete the following steps:

  1. On the Risk Settings page, click the Factors tab.
  2. Click +Add Factor, and give it a title.
  3. Click +Add Option and create options with values determined by your organization.



  4. Next to each option, click in the Values text box and use the up or down arrows to set a numeric value for that option.
  5. Add a number in the Weight text box. This number is then multiplied by each of the option values. If those values don't need to be changed, enter the numeral "1" in the Weight box.
  6. Click Save.
  7. Alternatively, click Cancel to close the dialog box without creating a factor.

The factors can now be used as part of an arithmetic equation in the Vectors and the Scores tabs.

Setting Up Vectors



To create a new vector, complete the following steps:

  1. On the Risk Settings page, click the Vectors tab.
  2. Click +Add Vector, and give it a title.
  3. Under Calculation, select from the list of factors and vectors, and utilize the grid on the right to do the following:
    1. Addition.
    2. Subtraction.
    3. Multiplication.
    4. Division.
    5. Average.
    6. Minimum.
    7. Maximum.



  4. Set ranges by adding a title in the Ranges text box and selecting a number in the UP TO (≤) numeral box.

  5. Click +Add Range to create a new range. Each range determines the number of boxes displayed on the Risk Heatmap module.
  6. Once all ranges are created, click Save.
  7. Alternatively, click Cancel to close the dialog box without creating a vector.

These vectors populate selections in the X-Axis and Y-Axis dropdowns on the Risk Heatmap page as shown below. Both dropdowns display the same options. But if a selection is made in one dropdown, it is no longer available in the other.

IMPORTANT

The number of ranges created for the selected vector determines the number of boxes on whichever axis it's displayed.


Setting Up Scores

To create a new score, complete the following steps:

  1. On the Risk Settings page, click the Scores tab.
  2. Click +Add Scores and give it a title.
  3. Under Calculation, select from the list of factors and vectors, and utilize the grid on the right to do the following:
    1. Addition.
    2. Subtraction.
    3. Multiplication.
    4. Division.
    5. Average.
    6. Minimum.
    7. Maximum.
  4. Set ranges by adding a title in the Ranges text box and selecting a number in the UP TO (≤) numeral box.
  5. Click in the circle beside the Ranges text box.
  6. Select a color to represent the range on the heatmap.


    IMPORTANT

    The colors added here are the colors pulled into the Risk Heatmap display.


  7. Click Save.

  8. Click +Add Range to create a new range.
  9. Once all ranges are created, click Save.
  10. Alternatively, click Cancel to close the dialog box without creating a score.

These scores populate selections in the Select Risk Score dropdown on the Risk Heatmap page as shown below.

Editing an Existing Factor, Vector or Score

Once a factor, vector or score is created, the individual details are divided out into columns and available for editing.

TIP

If an element is added, edited, or removed, it may impact a risk item's score. If this occurs, the score remains the same until the risk is opened and Calculate is clicked. This option is located on the Risk Scoring tab of each individual risk item.


To edit, complete the following:

  1. On the Risk Settings page, select the appropriate tab.
  2. Hover over the option you want to edit.
  3. Click the blue pencil.



  4. Make edits.
  5. Click Save.

To delete an item, complete the following:

  1. Click the ellipses in the Actions column.
  2. Click Delete.
  3. In the resulting dialog box, select Factor will be deleted.
  4. Click Delete.

How Risk Settings Populate the Risk Heatmap


The number of vector ranges determines the number of the boxes on that axis.

For example, if the following vectors are created:

  • Likelihood vector with ranges:
    • 0 <= 2 very low
    • 2 <= 4 low
    • 4 <= 6 moderate
    • 6 <= 8 high
    • 8 <= 10 extremely high
  • Impact vector with ranges:
    • 0 <= 10 low
    • 10 <= 40 medium
    • 40 <= 50 high

The heatmap will have 15 boxes, three for Impact and five for Likelihood.

Then, the Inherent Risk (Impact x Likelihood) ranges are as follows:

  • 0 <= 100 insignificant
  • 100 <= 400 concerning
  • 400 <= 500 dangerous

Heatmap colors are determined by the highest risk values within the box. For example, if you have risks with the following values:

  • L = 1, I = 5 => insignificant
  • L = 1, I = 8 => insignificant
  • L = 6, I = 20 => concerning
  • L = 8, I = 25 => concerning
  • L = 10, I = 45 => dangerous 

The heatmap is displayed as follows:

Impact / Likelihood | Very low          | Low | Moderate        | High            | Very high
--------------------|-------------------|-----|-----------------|-----------------|--------------
High                |                   |     |                 |                 | dangerous (1)
Moderate            |                   |     | concerning (1)  | concerning (1)  |
Low                 | insignificant (2) |     |                 |                 |


If there are three or more vectors, the same rules apply, even though we are showing two vectors at the same time. The highest risk score value in the box determines its color.

For example, if the following is set up:

  • Likelihood (1-5)
  • Impact (1-5)
  • Velocity (1-5)
  • Safeguard risk = Likelihood x Impact x Velocity

The risk threshold is defined as:

  • 1 <= 25 weak
  • 25 <= 100 reasonable
  • 100 <= 125 insane

There would be five risks:

  • I = 1, L = 5, V = 5 ==> 25 (reasonable)
  • I = 1, L = 5, V = 1 ==> 5 (weak)
  • I = 3, L = 3, V = 3 ==> 27 (reasonable)
  • I = 1, L = 1, V = 5 ==> 5 (weak)
  • I = 5, L = 1, V = 1 ==> 5 (weak)

If the heatmap is filtered by Impact and Likelihood, the following displays:

Impact / Likelihood | Very low | Low | Medium         | High | Very high
--------------------|----------|-----|----------------|------|---------------
Very high           | weak (1) |     |                |      |
High                |          |     |                |      |
Medium              |          |     | Reasonable (1) |      |
Low                 |          |     |                |      |
Very low            | weak (1) |     |                |      | Reasonable (2)


There are two risks in the <1,5> box, and they are colored yellow because of the highest risk in the box.
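The following is an added example (not ZenGRC code; the function and field names are assumed) that reproduces the heatmap logic described in this section: each vector value is placed in the first range whose UP TO (≤) bound covers it, and a box takes the label of the highest score among the risks it contains. It uses the five sample risks from the two-vector example above, and the score function is general enough to read vectors that are not on the displayed axes.

```python
from collections import defaultdict

# Vector and score ranges as (UP TO bound, label) pairs in ascending order,
# mirroring the "UP TO (<=)" boxes on the Vectors and Scores tabs.
LIKELIHOOD = [(2, "very low"), (4, "low"), (6, "moderate"),
              (8, "high"), (10, "extremely high")]
IMPACT = [(10, "low"), (40, "medium"), (50, "high")]
INHERENT = [(100, "insignificant"), (400, "concerning"), (500, "dangerous")]


def bucket(value, ranges):
    """Label of the first range whose upper bound covers value.
    A value sitting exactly on a bound belongs to the lower range (<=)."""
    for upper, label in ranges:
        if value <= upper:
            return label
    raise ValueError(f"{value} is above the last range bound {ranges[-1][0]}")


def build_heatmap(risks, x_axis, y_axis, score_ranges, score_fn):
    """Group risks into (x_label, y_label) boxes. Each box keeps a count and
    the range label of its highest score, which is what colours the box."""
    (x_name, x_ranges), (y_name, y_ranges) = x_axis, y_axis
    boxes = defaultdict(lambda: {"count": 0, "max_score": None, "label": None})
    for risk in risks:
        key = (bucket(risk[x_name], x_ranges), bucket(risk[y_name], y_ranges))
        score = score_fn(risk)
        box = boxes[key]
        box["count"] += 1
        if box["max_score"] is None or score > box["max_score"]:
            box["max_score"] = score
            box["label"] = bucket(score, score_ranges)
    return dict(boxes)


# Constructed from the five sample risks in the two-vector example above.
SAMPLE_RISKS = [
    {"likelihood": 1, "impact": 5}, {"likelihood": 1, "impact": 8},
    {"likelihood": 6, "impact": 20}, {"likelihood": 8, "impact": 25},
    {"likelihood": 10, "impact": 45},
]


def inherent_heatmap(risks=SAMPLE_RISKS):
    """Inherent Risk = Impact x Likelihood, Likelihood on X and Impact on Y."""
    return build_heatmap(risks, ("likelihood", LIKELIHOOD), ("impact", IMPACT),
                         INHERENT, lambda r: r["impact"] * r["likelihood"])


if __name__ == "__main__":
    for (x, y), box in sorted(inherent_heatmap().items()):
        print(f"{y:>6} impact / {x:<14} likelihood: {box['label']} ({box['count']})")
```

Because bucket() applies the ≤ rule literally, a value that lands exactly on a range bound (for example a score of exactly 25 with a "weak" range up to 25) is placed in the lower range; check your bounds with this in mind when a risk sits on a threshold.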

NOTE

To continue to the next section, please see Utilizing the Risk Heatmap.
