Create a Risk Assessment

Information security risk assessment is an ongoing process of discovering, correcting, and preventing security problems.

To create a Risk Assessment:

  1. On the CSM Desktop Client or Browser Client toolbar, select New > New GRC Risk Assessment.
  2. Provide details:
    1. Provide a name and description.
    2. Select a risk assessment type.
      This choice drives the set of assessment questions you will answer.
    3. (Optional) Select a risk owner and asset owner.
      The risk owner is the stakeholder who is responsible for any risks identified as part of the Risk Assessment.

      The asset owner (asset custodian) is the stakeholder who owns the related Business Service or Configuration Item (example: Desktop Management).

    4. Depending on the risk assessment type you chose, the Data Protection Officer field may become available.
    5. Select the assigned team and owner.
  3. Based on the risk assessment type you chose, one or more associated tabs appear in the form arrangement. On that tab, associate an object with the risk assessment. You must make this association before you can begin the assessment.
  4. Assess the Risk.
    1. Select the Next: Begin Assessment link in the Default form to start the Risk Assessment activities.
      The status changes to Assessing, and a Complete Risk Assessment window appears.

      This tells you which assessment areas you will need to complete.

    2. Select Close to close the window and select the applicable tabs to begin the assessment.
    3. Depending on which Risk Assessment type you chose, two tabs appear in the form arrangement for each set of applicable risk assessment questions: Threat Analysis and Risk Analysis. Unanswered questions appear in red; answered questions appear in green.
    4. If you are unable to answer all the assessment questions, you can return to the Overview form and select the Update Percentage Complete link under Actions. You cannot move forward to the findings activities until each assessment area is 100% complete.
    5. Under Actions, select Calculate Risk when all areas are 100%. The Default form displays the Unmitigated Score and Mitigated Score.
  5. (Optional) Select the Create Preventative Action or Create Correction Action links from the Actions list.
  6. (Optional) Complete the Findings area of the Risk Assessment.
    1. Add details to the Findings field.
    2. Select a risk response:
      • Accept the Risk: No additional steps are required.
      • Avoid the Risk: No additional steps are required.
      • Mitigate Risk with Controls: A Controls tab appears in the form arrangement.
      • Transfer the Risk: No additional steps are required.
  7. Select the Update Assessment link under Actions. Modify answers to the analysis or mitigation questions, or other information, as appropriate.
    Select Calculate Risk, then on the Overview form select the Next: Activate Assessment link to return the record to Active status with the new values.
  8. Select the Next: Retire link on the Overview form to retire the Risk Assessment.
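The procedure above has a few gating rules that are easy to miss when clicking through the form: an object must be associated before the assessment can begin, every assessment area must be 100% complete before Calculate Risk and the findings activities unlock, and only the "Mitigate Risk with Controls" response exposes the Controls tab. The following is an added example, not Cherwell CSM code, that models that workflow so the rules can be checked in isolation. The status names Assessing, Active and Retired come from the text; the initial "New" status, the sample questions and the associated object are constructed for the example.

```python
"""Workflow model of the GRC Risk Assessment procedure described on this page.
Constructed illustration only: not Cherwell CSM code. Statuses Assessing/Active/
Retired are from the page; the initial status 'New' and all sample data are assumed.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional


class Status(Enum):
    NEW = "New"              # assumed initial status; the page does not name it
    ASSESSING = "Assessing"  # set by 'Next: Begin Assessment'
    ACTIVE = "Active"        # set by 'Next: Activate Assessment'
    RETIRED = "Retired"      # set by 'Next: Retire'


RISK_RESPONSES = (
    "Accept the Risk",
    "Avoid the Risk",
    "Mitigate Risk with Controls",
    "Transfer the Risk",
)


@dataclass
class AssessmentArea:
    """One tab of questions, e.g. 'Threat Analysis' or 'Risk Analysis'."""
    name: str
    answers: Dict[str, Optional[str]]   # question -> answer; None = unanswered (red)

    def percent_complete(self) -> int:
        if not self.answers:
            return 100
        answered = sum(1 for a in self.answers.values() if a is not None)
        return round(100 * answered / len(self.answers))

    def unanswered(self) -> List[str]:
        return [q for q, a in self.answers.items() if a is None]


@dataclass
class RiskAssessment:
    name: str
    assessment_type: str
    areas: List[AssessmentArea]
    associated_object: Optional[str] = None   # CI or Business Service on the type's tab
    status: Status = Status.NEW
    findings: str = ""
    risk_response: Optional[str] = None
    controls: List[str] = field(default_factory=list)

    def associate(self, obj: str) -> None:
        self.associated_object = obj

    def begin_assessment(self) -> Status:
        # Step 3 / 4.1: the association must exist before the assessment starts.
        if self.associated_object is None:
            raise ValueError("associate a Business Service or CI before beginning")
        self.status = Status.ASSESSING
        return self.status

    def percent_complete(self) -> Dict[str, int]:
        # What 'Update Percentage Complete' would report per assessment area.
        return {a.name: a.percent_complete() for a in self.areas}

    def can_calculate_risk(self) -> bool:
        # Step 4.4 / 4.5: findings are locked until every area is 100% complete.
        return self.status == Status.ASSESSING and all(
            a.percent_complete() == 100 for a in self.areas)

    def set_risk_response(self, response: str, controls: List[str] = ()) -> str:
        if response not in RISK_RESPONSES:
            raise ValueError(f"unknown risk response: {response}")
        if not self.can_calculate_risk():
            raise ValueError("complete every assessment area before recording findings")
        self.risk_response = response
        self.controls = list(controls)
        return response

    def controls_tab_visible(self) -> bool:
        # Step 6.2: only 'Mitigate Risk with Controls' adds the Controls tab.
        return self.risk_response == "Mitigate Risk with Controls"

    def activate(self) -> Status:
        if not self.can_calculate_risk():
            raise ValueError("cannot activate an incomplete assessment")
        self.status = Status.ACTIVE
        return self.status

    def retire(self) -> Status:
        self.status = Status.RETIRED
        return self.status


def build_sample() -> RiskAssessment:
    """Constructed sample record with one unanswered Threat Analysis question."""
    return RiskAssessment(
        name="Desktop Management review",
        assessment_type="Business Service",
        areas=[
            AssessmentArea("Threat Analysis", {"T1": "answered", "T2": None}),
            AssessmentArea("Risk Analysis", {"R1": "answered"}),
        ],
    )


if __name__ == "__main__":
    ra = build_sample()
    ra.associate("Desktop Management")
    ra.begin_assessment()
    print(ra.percent_complete(), "calculate allowed:", ra.can_calculate_risk())
```

Answering the remaining question flips `can_calculate_risk()` to true, after which the risk response, activation and retirement calls succeed in the order the procedure lists them.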