Risk Assessment

In this article, you will learn how to assess your company's risks using Scytale.

What is a Risk Assessment?

A Risk Assessment is a process of evaluating the potential risks that may be involved in an activity, Information System, or platform.

Risk assessments should be actively taking place in the organization. This includes identifying risks, mitigating relevant risks, and implementing controls to minimize or eliminate those risks. The service organization should have a clear and formal process in place with regard to the risk assessment process. Key documentation will include the risk register/matrix.

Every organization should be performing some type of Risk Assessment. Risk Assessments can vary in nature and degree. However, they should lay out risks from both a business and technical perspective.

How should you start?

Click on the "Risks" tab to the left of the screen and complete the three questionnaires according to the following owners:
  1. Security: The owner of security processes in the company will fill in the questionnaire, which includes but is not limited to: endpoint management, security training, vulnerability scanning etc. It will take approximately 10 minutes.
  2. Access & Ops: The owner of access control and the production environment will fill in the questionnaire. It will take approximately 10 minutes.
  3. HR: The HR manager will fill in the questionnaire. It will take approximately 5 minutes.
Risk Mapping

After completing the questionnaire, the result table will be populated. Click on the Risks tab to the left to see the final calculation that Scytale creates for you!
Take a look at the mapping description:
  • Risk Level: Sorted from the highest number down. Scytale calculates the level so that you can see which risks are the highest. Red marks the highest risks in your company, shading down to green for the lowest. This is the inherent risk score.
  • Risk name: Summarizes the topic of the risk.
  • Owner: Assign the user that will work to mitigate the risk.
  • Implementation status: The company chooses the plan which will address this risk.
  • Status: All risks should be moved to Done. However, risks that were defined as acceptable may have different statuses.
  • Delete: If the risk is not relevant to your company, please remove it from the list. The deleted risks cannot be recovered.

Risk item

Click one of the risks to find the risk description with the following details.

Risk Values

  • Last updated: This is the date when the risk was last modified.
  • Owner: You can see the risk owner or assign a different owner.
  • Risk description: Provides a more detailed explanation of the risk and makes it accessible to the organization's management.
  • Risk Values: The Impact and Likelihood are calculated automatically by the platform from your answers to the questionnaires. Impact × Likelihood = Risk Level (the inherent risk level).
  • Mitigation Plan:
    • Risk Mitigation (default): Set this plan when the company decides to mitigate this risk as described in the mitigation description.
    • Risk Avoidance: Set this plan when the risk level is low/medium and the company decides to avoid the risk.
    • Risk Acceptance: Set this plan when the risk level is low/medium and the company decides to accept the risk.
    • Transfer to Third Party: Set this plan when the company decides to mitigate the risk through a third party.
  • Implementation Status:
    • Pending (default): The risk's first status.
    • In Progress: Change the status when you start working on the mitigation plan.
    • Done: Change the status when the mitigation plan is done.
  • Mitigation Description: Scytale describes the mitigation plan that should be followed to mitigate the risk. The actions described apply when you choose the Risk Mitigation plan.
  • Values after implementation (Residual Risk Score):
    • Assess the Likelihood of the risk as it should be after the company finishes implementing the mitigation plan. The Impact should not be changed.
    • If you choose Risk Avoidance or Risk Acceptance, the values should be the same as the Risk Values.

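The scoring rules above (Impact × Likelihood for the inherent level, a reassessed Likelihood with unchanged Impact for the residual level, and residual equal to inherent for Avoidance and Acceptance) are small enough to model in a few lines. The following is an added example written for this article, not Scytale's own code: it assumes a 1 to 5 scale for Impact and Likelihood, assumed red/amber/green thresholds for the colour bands, and an added sanity check that a plan never raises the Likelihood. The sample register is constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed 1..5 scale for Impact and Likelihood (the article does not state the scale).
SCALE_MIN, SCALE_MAX = 1, 5

# Plans named in the article; the residual rule differs per plan.
MITIGATING_PLANS = {"Risk Mitigation", "Transfer to Third Party"}
UNCHANGED_PLANS = {"Risk Avoidance", "Risk Acceptance"}


def _check_scale(value: int, label: str) -> int:
    if not SCALE_MIN <= value <= SCALE_MAX:
        raise ValueError(f"{label} must be between {SCALE_MIN} and {SCALE_MAX}, got {value}")
    return value


@dataclass(frozen=True)
class Risk:
    name: str
    impact: int          # derived from the questionnaire answers; never changed by a plan
    likelihood: int      # inherent likelihood
    plan: str = "Risk Mitigation"
    residual_likelihood: Optional[int] = None  # reassessed only for mitigating plans

    def __post_init__(self):
        _check_scale(self.impact, "Impact")
        _check_scale(self.likelihood, "Likelihood")
        if self.plan not in MITIGATING_PLANS | UNCHANGED_PLANS:
            raise ValueError(f"unknown mitigation plan: {self.plan}")

    def inherent_level(self) -> int:
        """Impact x Likelihood = Risk Level (the inherent score)."""
        return self.impact * self.likelihood

    def residual_level(self) -> int:
        """Values after implementation: same Impact, reassessed Likelihood."""
        if self.plan in UNCHANGED_PLANS:
            # Avoidance / Acceptance: residual values equal the Risk Values.
            return self.inherent_level()
        if self.residual_likelihood is None:
            raise ValueError(f"{self.name}: assess the residual Likelihood for plan '{self.plan}'")
        residual = _check_scale(self.residual_likelihood, "Residual likelihood")
        if residual > self.likelihood:
            # Assumed sanity check: a mitigation plan should not raise the likelihood.
            raise ValueError(f"{self.name}: residual Likelihood exceeds inherent Likelihood")
        return self.impact * residual


def band(level: int) -> str:
    """Assumed red/amber/green thresholds; the article only states red (highest) down to green."""
    if level >= 15:
        return "red"
    if level >= 8:
        return "amber"
    return "green"


def risk_register(risks):
    """Rows sorted by inherent Risk Level, highest first, as the Risks tab lists them."""
    rows = []
    for r in sorted(risks, key=lambda r: r.inherent_level(), reverse=True):
        rows.append({
            "name": r.name,
            "inherent": r.inherent_level(),
            "band": band(r.inherent_level()),
            "plan": r.plan,
            "residual": r.residual_level(),
        })
    return rows


# Constructed sample register (not Scytale data).
SAMPLE = [
    Risk("Lost or stolen laptop", impact=4, likelihood=3, plan="Transfer to Third Party", residual_likelihood=2),
    Risk("Unpatched endpoints", impact=5, likelihood=4, plan="Risk Mitigation", residual_likelihood=1),
    Risk("Stale internal wiki pages", impact=2, likelihood=3, plan="Risk Acceptance"),
    Risk("Legacy FTP export", impact=3, likelihood=2, plan="Risk Avoidance"),
]

if __name__ == "__main__":
    for row in risk_register(SAMPLE):
        print(row)
```

Because the dataclass is frozen and the residual calculation only ever takes a new Likelihood, the rule that Impact is not changed after implementation is enforced by construction rather than by convention; a mitigating plan with no residual Likelihood is rejected rather than silently scored as its inherent level.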
Asset Details

  • Asset: Choose the Asset that will be impacted by this risk:
    • Devices: An endpoint such as a laptop, mobile or any other device.
    • People: Company employees.
    • Policy: The document of policies and procedures.
    • Process: Describes a workflow in the organization.
    • Repository: A code management repository.
    • Vendor: External parties.
  • Classification:
    • Public: Low level of data classification
    • Internal: Medium level of data classification
    • Confidential: High level of data classification
    • Restricted: The highest level of data classification
  • Threat: Auto-filled by Scytale. Describes the threat behind this risk.
  • Vulnerability: Auto-filled by Scytale. Describes how vulnerable your company is to this risk.