Part 4: Adding risks to the risk inventory
Recall that step 1 is all about developing a solid understanding of security-relevant assets, while step 2 deals with determining the criticality of assets in terms of protection goals. In step 3, we detected security deficiencies through a comparison of required and actually implemented security measures. The next step is the subject of this blog post.
Include security deficiencies in your risk inventory
Simply said, step 4 is all about including all security deficiencies in the risk inventory. Where do these security deficiencies or vulnerabilities come from?
On the one hand, the target-performance comparison discussed in step 3 detects vulnerabilities, i.e. security measures that have either not been implemented at all or have been implemented inadequately. These, of course, represent risks that need to be addressed. On the other hand, in addition to these deficiencies, security vulnerabilities identified in internal or external audits, or identified in the context of service provider management (ISAE 3402), are also included in their entirety in the IT risk inventory.
What is a risk inventory?
All risks together form the risk inventory. A risk inventory contains, in particular, information on the individual risks, the assessment of each risk, the evaluation of the risk policy measures, proposals for improving the status quo, and a prioritization of the measures. The purpose of a risk inventory is, above all, to provide decision-makers with a condensed overview of the company's risk situation. In addition to the quantitative assessment, a qualitative assessment (e.g. potential damage as a result of industrial espionage) can also be made.
Characteristics of the risk inventory
It is important to be able to categorize the list of risks by a variety of risk attributes, such as the risk owner, the type of risk, etc. Especially as the list of risks in the inventory grows, the risk description becomes an important aspect, because it is what lets you differentiate the risks and present them in a comprehensible way. The risk ID and risk name can be used in the visualization process when constructing a risk matrix. The digital solutions offered by SRC give you a compact, clear summary of risks from various risk domains or areas. Risks can be filtered by their risk attributes to create user-friendly dashboards or reports.
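To make the structure described above concrete, here is a small risk inventory as an added example. It is illustrative code written for this post, not an SRC product or any part of the original article. Each risk carries the attributes the post names (risk ID, name, owner, type, description) plus a source attribute for the three feeds mentioned earlier (target-performance comparison, audits, service provider management). The four-level likelihood and impact scale, the sample risks and their values are all constructed for the illustration.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from enum import Enum


class Source(Enum):
    """Where a risk entered the inventory: the three feeds named in the post."""
    GAP_ANALYSIS = "target-performance comparison (step 3)"
    AUDIT = "internal or external audit"
    SERVICE_PROVIDER = "service provider management (ISAE 3402)"


# Constructed 4-level scale for likelihood and impact (1 = lowest, 4 = highest).
SCALE = range(1, 5)


@dataclass(frozen=True)
class Risk:
    risk_id: str
    name: str
    owner: str
    risk_type: str
    source: Source
    likelihood: int
    impact: int
    description: str = ""

    def __post_init__(self) -> None:
        # Reject entries outside the agreed scale so the matrix stays consistent.
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError(f"{self.risk_id}: likelihood and impact must be within 1..4")

    @property
    def score(self) -> int:
        # Simple quantitative assessment: likelihood x impact.
        return self.likelihood * self.impact


class RiskInventory:
    """Keyed by risk ID so duplicates are caught at insertion time."""

    def __init__(self) -> None:
        self._risks: dict[str, Risk] = {}

    def add(self, risk: Risk) -> None:
        if risk.risk_id in self._risks:
            raise ValueError(f"duplicate risk ID {risk.risk_id}")
        self._risks[risk.risk_id] = risk

    def filter(self, **attrs) -> list[Risk]:
        # Filter by any risk attribute, e.g. owner="IT Ops" or source=Source.AUDIT.
        return [r for r in self._risks.values()
                if all(getattr(r, key) == value for key, value in attrs.items())]

    def prioritized(self) -> list[Risk]:
        # Highest score first; risk ID breaks ties so the order is stable.
        return sorted(self._risks.values(), key=lambda r: (-r.score, r.risk_id))

    def matrix(self) -> dict[tuple[int, int], list[str]]:
        # Risk matrix cell (likelihood, impact) -> the risk IDs plotted in that cell.
        cells: dict[tuple[int, int], list[str]] = defaultdict(list)
        for r in self._risks.values():
            cells[(r.likelihood, r.impact)].append(r.risk_id)
        return dict(cells)


def build_sample_inventory() -> RiskInventory:
    """Constructed sample data: one risk per feed, plus a second gap-analysis finding."""
    inv = RiskInventory()
    inv.add(Risk("R-001", "Backups stored unencrypted", "IT Ops", "Confidentiality",
                 Source.GAP_ANALYSIS, likelihood=3, impact=4,
                 description="Required measure 'encryption at rest for backups' not implemented."))
    inv.add(Risk("R-002", "Log retention below required period", "IT Ops", "Traceability",
                 Source.GAP_ANALYSIS, likelihood=2, impact=2,
                 description="Retention implemented but shorter than the target."))
    inv.add(Risk("R-003", "Stale administrator accounts", "IAM", "Access control",
                 Source.AUDIT, likelihood=3, impact=3,
                 description="Internal audit finding: leaver accounts not deprovisioned."))
    inv.add(Risk("R-004", "Hosting provider has no tested DR plan", "Vendor Mgmt", "Availability",
                 Source.SERVICE_PROVIDER, likelihood=2, impact=4,
                 description="Exception noted in the provider's ISAE 3402 report."))
    return inv


if __name__ == "__main__":
    inventory = build_sample_inventory()
    for risk in inventory.prioritized():
        print(f"{risk.risk_id} score={risk.score:2d} owner={risk.owner:<11} {risk.name}")
    print("IT Ops risks:", [r.risk_id for r in inventory.filter(owner="IT Ops")])
    print("Matrix cells:", inventory.matrix())
```

The `filter` method is what a dashboard or report would call to slice the inventory by owner, type or source, and `matrix` yields the cell contents for a risk matrix in which each point is labelled by risk ID and name. Rejecting duplicate IDs and out-of-scale values at insertion time keeps the inventory usable as it grows.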