ControlMap comes with a fully featured Risk Register and Dashboard that includes everything you need to effectively manage risks, vulnerabilities and threats for most cybersecurity compliance frameworks.
Pre-built risk sets include Common Risks, Cloud Risks, App Dev Risks and more. More info on adding risk sets can be found here: Importing Risk Sets
Risk settings can be used to customize the risk scores and risk factors: Risk Settings
Risk Register Dashboard:
The Risk Dashboard provides an overview of your risks and risk scoring:
- The Risk Dashboard is interactive: click a segment to drill down into risks by category or status.
- Click "All Risks" or "Assessed", for instance, to bring up those specific risks in a list.
Risk Register List:
Risks are listed in the Risk Register List view, or when you click on the Risk Dashboard to narrow in on a set of risks.
- Click the Action button to add risks, upload a list of your own risks from CSV, import a Risk Set, or take a Snap Shot.
- Snap Shots save your Risk Register at a point in time, so you can demonstrate improvement and your risk management process over time.
Risk Scoring:
Risk scoring is a critical part of the risk management process. ControlMap includes scores for:
- Inherent Risk: The risk score without security controls in place
- Current Risk: Your risk score with current security controls in place
- Target Risk: The goal you would like to reach with additional security controls implemented
Risks also include:
- Impact/Loss Analysis: Score the impact of the risk to the business
- Treatment: Assign controls to mitigate the risk
- Assets: Assign asset types or specific assets impacted by the risk
- Threats and Vulnerabilities: Assign threats and vulnerabilities that relate to the risk. More info below.
- Vendors: Vendors impacted by the risk
Adding a Threat to a Risk does not automatically mean that all Vulnerabilities exploited by that Threat are associated with the Risk. The following graphic breaks down the overall process for associating Risks, Threats, Vulnerabilities and Assets in ControlMap:
Detailing The Process
Let's consider THT-1: Phishing as an example.
An actor using THT-1: Phishing can exploit the following vulnerabilities:
1. VUL-1: Lack of awareness training
2. VUL-2: Weak authentication or lack of 2FA
3. VUL-3: Lack of firewall
For effective risk management and assessment, you must create a separate Risk for each combination of Threat and Vulnerability.
Why? Because each combination of threat and vulnerability has a different impact, mitigation, and treatment option. Additionally, different departments or employees in your organization may be responsible for mitigating each of these risks: mitigating a firewall issue is very different from mitigating an awareness training issue.
For example, you create a risk called:
RSK-1: Risk of untrained employees falling prey to social engineering.
Then the following combination of threat + vulnerability applies:
Threat -> THT-1: Phishing
Vulnerability -> VUL-1: Lack of awareness training
In the case above, automatically showing every vulnerability linked to THT-1 under RSK-1 would be misleading: VUL-3: Lack of firewall, for example, is not the right vulnerability for RSK-1.
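The rule above, one Risk per Threat + Vulnerability pair, as an added Python example that is not ControlMap's own code. It models the THT-1 / VUL-1..3 example, validates that a risk links exactly one vulnerability the threat can actually exploit, and lists the pairs that still have no dedicated risk. The score values and the ordering check (target <= current <= inherent) are assumptions for illustration, not ControlMap's scoring rules.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Threat:
    id: str
    name: str
    exploits: frozenset  # ids of vulnerabilities this threat can exploit

@dataclass(frozen=True)
class Vulnerability:
    id: str
    name: str

@dataclass
class Risk:
    id: str
    name: str
    threat: str          # exactly one threat id
    vulnerability: str   # exactly one vulnerability id, never "all of the threat's"
    inherent: int        # score with no controls (constructed value)
    current: int         # score with current controls (constructed value)
    target: int          # goal with additional controls (constructed value)

# Constructed sample data mirroring the page's example.
THREATS = {"THT-1": Threat("THT-1", "Phishing", frozenset({"VUL-1", "VUL-2", "VUL-3"}))}
VULNS = {
    "VUL-1": Vulnerability("VUL-1", "Lack of awareness training"),
    "VUL-2": Vulnerability("VUL-2", "Weak authentication or lack of 2FA"),
    "VUL-3": Vulnerability("VUL-3", "Lack of firewall"),
}
REGISTER = [Risk("RSK-1", "Risk of untrained employees falling prey to social engineering",
                 "THT-1", "VUL-1", inherent=9, current=6, target=3)]

def validate(risk, threats=THREATS, vulns=VULNS):
    """Return the list of problems with a risk; an empty list means it is well-formed."""
    problems = []
    threat = threats.get(risk.threat)
    if threat is None:
        problems.append(f"{risk.id}: unknown threat {risk.threat}")
    elif risk.vulnerability not in threat.exploits:
        problems.append(f"{risk.id}: {risk.threat} does not exploit {risk.vulnerability}")
    if risk.vulnerability not in vulns:
        problems.append(f"{risk.id}: unknown vulnerability {risk.vulnerability}")
    if not risk.target <= risk.current <= risk.inherent:  # assumed ordering of the three scores
        problems.append(f"{risk.id}: scores should satisfy target <= current <= inherent")
    return problems

def uncovered_pairs(register, threats=THREATS):
    """(threat, vulnerability) combinations that still need their own Risk."""
    covered = {(r.threat, r.vulnerability) for r in register}
    return sorted((t.id, v) for t in threats.values() for v in t.exploits if (t.id, v) not in covered)
```

Running uncovered_pairs(REGISTER) shows that THT-1 with VUL-2 and with VUL-3 still need separate risks, rather than being inherited by RSK-1.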