Create a Risk Assessment

Information security risk assessment is an ongoing process of discovering, correcting, and preventing security problems.

To create a Risk Assessment:

  1. On the CSM Desktop Client or Browser Client toolbar, select New > New ISMS Risk Assessment.
  2. Provide general information.
    1. Provide a name and description.
    2. Provide details (example: Evaluate laptops for potential security risks).
    3. Select the assigned team and owner.
      This choice determines which users are available in the Asset Owner drop-down list.
    4. Select a risk assessment type.
      This choice determines the set of assessment questions you will answer.
    5. Select a risk owner.
      The risk owner is the stakeholder that is responsible for any risks identified as part of the Risk Assessment.
    6. Select an asset owner.
      The asset custodian is the stakeholder that owns the related Business Service or Configuration Item (example: Desktop Management).
  3. Depending on the Risk Assessment type you choose, one or more associated tabs appear in the form arrangement. In the tab, associate an object with the Risk Assessment. You must make this association before you can begin the assessment.
  4. Assess the Risk.
    1. Select the Begin Assessment link in the Actions list to start the Risk Assessment activities.
      The status changes to In Progress, and a Complete Risk Assessment window appears.

      This tells you which assessment areas you will need to complete.

    2. Depending on which Risk Assessment type you choose, two tabs appear in the form arrangement for each applicable set of risk assessment questions: Threat Analysis and Risk Mitigation. Unanswered questions appear in red; answered questions appear in green.
    3. If you are unable to answer all of the assessment questions, you can return to the Overview form and select Update Percentage Complete. You cannot move on to the findings activities until each assessment area is 100% complete.
    4. Select Calculate Risk when all areas are 100% complete. The left panel shows the Classification, Unmitigated Risk Score, and Mitigated Risk Score.
      See About Risk.
  5. (Optional) Select the Create Preventative Action or Create Correction Action links from the Actions list.
  6. (Optional) Complete the Findings area of the Risk Assessment. These fields are not visible until all questions are completed.
    • Accept the Risk: No additional steps are required.
    • Avoid the Risk: No additional steps are required.
    • Transfer the Risk: No additional steps are required.
    • Mitigate Risk with Controls: A Controls tab appears in the form arrangement.
  7. Select the Update Assessment icon in the middle of the Overview form. Modify answers to the analysis or mitigation questions, or other information, as appropriate.
    Select Calculate Risk, then select Submit to return the record to Active status with any new values.
  8. Select the Retire a Risk Assessment link from the Actions list to retire the Risk Assessment.