IT Risk Management Use Case Design

The Risk Project application functions as a repository where you can perform directed bottom up risk assessments across multiple domains, such as a new product and service, a new venture or business process, or mergers and acquisitions.

Through the Risk Project application, you can:

• Manage the process of performing risk assessments from scoping through to treatment.
• Use multiple scoping options to filter a multi-domain risk assessment.
• Integrate COSO ERM and ISO 31000 frameworks with NIST 800-30 and ISO 27005 elements.
• Support singular input (one participant) or multiple inputs (multiple participants) for risk identification.
• Manage risk-related projects through a lifecycle of:
  • Project staffing and scoping.
  • Risk assessment, aggregated scoring, and multiple assessment support.
  • Risk analysis and evaluation.
  • Risk treatment, including remediation plans and exception requests.

The Threat Intelligence application collects threat advisory reports or security updates from a variety of sources. The intelligence could be provided via a pre-built feed from Verisign iDefense. Intelligence can also be input manually by the security function to document transactional threats (such as ongoing social engineering or phishing attacks) or inherent business threats based on threat assessments, analysis or other internal processes. Consolidating and tying this data back to your enterprise assets and business processes enables a comprehensive view of the threat's severity, impact and any required remediation needs.

Through the Threat Intelligence application, you can:

• Automatically import data from an intelligence feed.
• Research potential threats and produce real-time reports that aid in the creation of action plans.
• Auto-notify appropriate personnel based upon established severity criteria.
• Document ongoing threats within the organization.
• Initiate a threat project based on threat intelligence.

The Threat Project application enables the security function to manage the operational activities of the threat program through project management and an integrated threat assessment methodology. The Threat Project application provides security analysts with a consistent methodology to identify threats, analyze associated risks, and manage risk treatment efforts in 1 consolidated system. Through the Threat Project application, you can: Manage the process of performing threat assessments from scoping through to treatment. Support singular input (1 participant) or multiple inputs (multiple participants) for threat identification. Manage threat-related projects through a lifecycle of:Project staffing and scoping.Threat assessment, aggregated scoring, and multiple assessment support.Threat analysis and evaluation.Risk treatment, including remediation plans and exception requests.

The Threat Assessment questionnaire serves as a consistent method to identify potential threat actors, vulnerabilities, and/or threat scenarios as part of a Threat Project. The input into the questionnaire is typically provided by business representatives, technology owners, and business process constituents. The questionnaire is not intended to be a complete threat assessment but rather an inquiry into the common threat scenarios that can affect specific assets. Through the discussion facilitated by the Threat Assessment, the security analyst can query the business owners about the possible scenarios that could result in a business impact and identify countermeasures as necessary.

This Risk Assessment is a general risk assessment containing multiple domains of questions. The risk assessment includes a domain scoring model as well as an overall risk heat map. The Risk Questions within the domains are split into 2 sections - a likelihood and an impact section. Risk Indicator questions are used to calculate the likelihood portion of the domain. and are Yes/No questions. For each wrong answer, the likelihood of risks within that domain increase. Risk Scale questions are used to calculate the impact portion of the domain. These questions are scored on a 1 - 10 scale to calculate a business impact score. The higher the average of the scaled answers, the higher the impact score. Calculations within the individual domains are based on the individual questions. Adding or removing questions to each domain will require an adjustment to the scoring system within the questionnaire.

The Application Assessment questionnaire contains 64 questions focused on overall controls for applications, including general controls, application development, access control, monitoring and response, recovery and business continuity, regulatory compliance, and operations management.

The Device Assessment questionnaire contains 67 questions that cover general device (IT platform) controls. Some of the topics covered include inventory classification, user accounts, passwords, system configuration, and operations management. The questionnaire is technology-agnostic and based on general controls. Technology-specific controls, such as Windows configuration items, are not included in this questionnaire.

The Information Asset Assessment questionnaire contains 44 questions that target Information Assets and provide an assessment against legal, regulatory, and security requirements for information assets. This questionnaire also covers general information protection and security, information ownership, classification, personal information, retention, breaches, and business continuity.

The Question Library application stores assessment questions that you can reference and copy into a questionnaire. Each question is stored as an individual record, and each record contains information including the question and answer text as well as information necessary to display and score the question. Depending on the solution that you have licensed, the Question Library contains a large set of pre-built questions by default. In addition, you can add new questions and store them in the Question Library.

The Applications application stores all software applications used by the organization to perform business operations. You can view how an application is used, the people that use it, and the devices on which the application is installed. You can also track the business impact, customer impact, and licensing details, and associate it with other aspects of the enterprise infrastructure.

Note: The Applications application is included in the Enterprise Catalog package.

The Risks application serves as the corporate controlled instantiation of risks used by the entire organization. It allows users to capture data for an instance of a risk from any given risk statement. Risks are associated to processes, objectives, applications, facilities, key risk indicators, financial losses, and controls. Quantitative risks serve as an aggregation point for underlying Risk Events and are separately assigned to quantitative hierarchies for aggregation.

The Risk Statements application functions as a repository where you can store general information on enterprise risks and provide information for completing Risks records.

The Risk Generator application allows Risk Managers to automatically generate Risks records, based on selected Risk Statements and targets. For example, if you selected 2 Risk Statements and targeted 3 Product and Services records, the system would generate 6 Risks records.

If you have licensed a use case that contains Metrics and Metrics Library, the feed also generates metrics for each generated risk, based on the Metrics Library records tied to the selected Risk Statements.

The Contacts application serves as a central repository for contact information, is utilized across multiple areas of Archer, and contains information that is often leveraged by other use cases. Updates to a profile record within this application automatically propagate in any records with displayed contact information.

Note: The Contacts application is included in the Enterprise Catalog package.

The Business Processes application captures the base data for a given process. A process may be assigned to a particular business unit or shared across multiple business units. A business process may also be referenced to one or multiple products or services. The application enables you to track the business processes personnel, criticality, recovery time objective (RTO) and ITIL category, and associate it with other aspects of the enterprise infrastructure.

Note: The Business Processes application is included in the Enterprise Catalog package.

The Control Procedures application serves as a central repository for instances of control procedures, baselines and activities that are mapped to corporate Primary Controls, establishing the foundation for enterprise-wide risk monitoring and compliance measurement. Control Procedures are categorized into two types: Technical and Process. Based on the selected type, different pieces of information are captured and different testing options are made available.

Note: The Control Procedures application is included in the Enterprise Catalog package.

The Devices application serves as a central repository for knowledge, such as criticality, about IT devices and which applications they support. You can manage devices to ensure that they are protected according to management expectations. The application is also associated with other aspects of the enterprise infrastructure.

Note: The Devices application is included in the Enterprise Catalog package.

The Information Assets application allows you to manage a repository of information assets, such as credit card data, financial forecasts, employee Social Security numbers, and trademarks. Use this application to perform online assessments to determine information classification ratings and required retention periods. Link information assets to the business processes they support, the applications where they are managed, and the facilities where they are housed.

Note: The Information Assets application is included in the Enterprise Catalog package.

The Facilities application maintains a listing of all organizational facilities, such as data centers and branches. You can document and review all information associated with a specific facility, such as contact personnel, location information, and technologies associated with the location.

Note: The Facilities application is included in the Enterprise Catalog package.

The Storage Devices application serves as a central repository for storage devices used within the infrastructure.

Note: The Storage Devices application is included in the Enterprise Catalog package.

Provides use case administrator with access to the following applications:

• Business Processes

• Contacts

• Facilities

• Information Assets

• Applications

• Devices

• Storage Devices

• Technologies

• Control Procedures

• Question Library

This role includes create, read, update, and delete access.

Provides appropriate access level to all the applications listed in CM: Admin for the executive team. This role includes read-only access.

Provides appropriate access level to all the applications listed in CM: Admin for management stakeholders. This role includes create, read, and update access.

Provides appropriate access level to all the applications listed in CM: Admin to business process owners. This role includes create, read, and update access.

Provides use case administrator with access to the following applications:

• Risk Assessment

• Risk Project

• Risks

This role includes create, read, update, and delete access.

Provides appropriate access level to all the applications listed in RM: Admin for the executive team. This role includes read-only access.

Provides appropriate access level to all the applications listed in RM: Admin for management stakeholders. This role includes create, read, and update access.

Provides appropriate access level to all the applications listed in RM: Admin to business process owners. This role includes create, read, and update access.

Provides read-only access to all the applications listed in RM: Admin.

Provides the use case administrator with create, read, update, and delete access rights to the following applications:

• Question Library

• Threat Intelligence

• Threat Project

• Threat Assessment

Provides analysts with the appropriate access level to applications listed in the ITSVP: Admin role. This role includes create, read, update, and delete access.

Provides read-only access to applications listed in the ITSVP: Admin role to the appropriate line of business.

Provides read-only access to applications listed in the ITSVP: Admin role to the executive team.

Provides appropriate access level to all the applications listed in the ITSVP: Admin role to operators.

Targets the Risk Generator application and allows users to create Risks records based on their selections for Risk Statements and impacted targets (for example, business units or facilities).

For example, if you selected 2 Risk Statements and targeted 3 Facilities records, the system would generate 6 Risks records.

If you have licensed a use case that contains Metrics and Metrics Library, the feed also generates metrics for each generated risk, based on the Metrics Library records tied to the selected Risk Statements.