Information security risk assessment is an on-going process of
discovering, correcting, and preventing security problems.
To create a Risk Assessment:
- On the CSM Desktop Client or Browser Client toolbar, select .
- Provide general information:
  - Provide a name and description.
  - Provide details (example: Evaluate laptops for potential security risks).
  - Select the assigned team and owner. This choice determines the users available in the Asset Owner drop-down list.
  - Select a risk assessment type. This choice determines the set of assessment questions you will answer.
  - Select a risk owner. The risk owner is the stakeholder responsible for any risks identified as part of the Risk Assessment.
  - Select an asset owner. The asset custodian is the stakeholder that owns the related Business Service or Configuration Item (example: Desktop Management).
  - Depending on the Risk Assessment type you choose, one or more associated tabs appear in the form arrangement. In the tab, associate an object with the Risk Assessment. You must make this association before you can begin the assessment.
- Assess the risk:
  - Select the Begin Assessment link in the Actions list to start the Risk Assessment activities. The status changes to In Progress, and a Complete Risk Assessment window appears, listing the assessment areas you need to complete.
  - Depending on which Risk Assessment type you choose, two tabs appear in the form arrangement for each set of applicable risk assessment questions: Threat Analysis and Risk Mitigation. Unanswered questions appear in red; answered questions appear in green.
  - If you are unable to answer all the assessment questions, you can return to the Overview form and select Update Percentage Complete. You cannot move forward to the findings activities until each assessment area is 100% complete.
  - Select Calculate Risk when all areas are 100% complete. The left panel shows the Classification, Unmitigated Risk Score, and Mitigated Risk Score.
- (Optional) Select the Create Preventative Action or Create Correction Action links from the Actions list.
- (Optional) Complete the Findings area of the Risk Assessment. These fields are not visible until all questions are completed. Depending on the option you select:
  - Accept the Risk: no additional steps are required.
  - Avoid the Risk: no additional steps are required.
  - Transfer the Risk: no additional steps are required.
  - Mitigate Risk with Controls: a Controls tab appears in the form arrangement.
- To update an assessment, select the Update Assessment icon in the middle of the Overview form. Modify answers to the analysis or mitigation questions, or other information, as appropriate. Select Calculate Risk, then select Submit to return the record to Active status with the new values.
- To retire a Risk Assessment, select the Retire a Risk Assessment link from the Actions list.