
Risk Register Dashboard: Risks, Vulnerabilities and Threats

ControlMap comes with a fully featured Risk Register and Dashboard that includes everything you need to effectively manage risks, vulnerabilities and threats for most cybersecurity compliance frameworks.

Pre-built risk sets include Common Risks, Cloud Risks, App Dev Risks and more. More information on adding risk sets can be found here: Importing Risk Sets

Risk settings can be used to help customize the risk scores and risk factors:  Risk Settings

 

Risk Register Dashboard:

The Risk Dashboard provides an overview of your risks and risk scoring shown below:

  • The Risk Dashboard is interactive: click a segment to drill down into risks by category or status.
  • Click "All Risks" or "Assessed", for instance, to list exactly those risks.

Risk Register List:

A list of risks will be displayed within the Risk Register List view or when you click on the Risk Dashboard to narrow in on a set of risks as shown below.

  • Click the Action button to add risks, upload your own list of risks from CSV, import a Risk Set, or take a Snapshot.
  • Snapshots save your Risk Register as it stands at a point in time, so you can demonstrate improvement and show your risk management process over time.

Risk Scoring: 

Risk scoring is a critical part of the risk management process. ControlMap includes scores for:

  • Inherent Risk: The risk score with no security controls in place
  • Current Risk: The risk score with the security controls you currently have in place
  • Target Risk: The score you aim to reach once additional security controls are implemented

Risks also include: 

  • Impact/Loss Analysis: Score the impact of the risk to the business
  • Treatment: Assign controls to mitigate the risk
  • Assets: Assign asset types or specific assets impacted by the risk
  • Threats and Vulnerabilities: Assign threats and vulnerabilities that relate to the risk. More info below.
  • Vendors: Vendors impacted by the risk

 


Adding a Threat to a Risk does not automatically associate every Vulnerability that Threat exploits with the Risk. The following graphic breaks down the overall process for associating Risks, Threats, Vulnerabilities and Assets in ControlMap:

Detailing The Process

 

Let's consider THT-1: Phishing as an example.

 

An actor using THT-1: Phishing can exploit the following vulnerabilities:

1. VUL-1: Lack of awareness training
2. VUL-2: Weak authentication or lack of 2FA
3. VUL-3: Lack of firewall

 

For effective risk management and assessment, you must create a separate Risk for each combination of Threat and Vulnerability. 


Why? Because each combination of threat and vulnerability has a different impact, mitigation, and treatment option. Additionally, various departments or employees in your organization may be responsible for mitigating these risks.  Mitigating a firewall issue is very different from mitigating an awareness training issue.

 

For example, you create a risk called:

 

RSK-1: Risk of untrained employees falling prey to social engineering. 

 

Then the following combination of threat + vulnerability applies:

Threat -> THT-1: Phishing 

Vulnerability -> VUL-1: Lack of awareness training

 

In the case above, if every vulnerability linked to THT-1 were shown for RSK-1 automatically, the result would be misleading. VUL-3: Lack of firewall is not the right vulnerability for RSK-1, which is about untrained employees; THT-1 combined with VUL-3 is a different risk with a different owner and treatment, and should be recorded as its own Risk.
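The linking model described above, as an added illustration that is not ControlMap's own data model or API. It reuses the page's identifiers (THT-1, VUL-1 to VUL-3, RSK-1); the class names, the `validate` check and the `uncovered_pairs` / `propose_risks` helpers are assumptions made for the example. It shows that a Risk carries exactly one explicitly linked Vulnerability (it never inherits the whole list from its Threat), rejects a Risk whose Vulnerability the linked Threat does not exploit, and lists the Threat/Vulnerability combinations that still have no Risk of their own.

```python
"""Example model of Risk = one Threat + one Vulnerability.
Added illustration only; not ControlMap's own implementation.
Sample data below is constructed from the page's example."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    id: str
    name: str
    exploits: frozenset  # ids of the vulnerabilities this threat can exploit


@dataclass(frozen=True)
class Vulnerability:
    id: str
    name: str


@dataclass
class Risk:
    id: str
    name: str
    threat_id: str
    vulnerability_id: str  # exactly one vulnerability per risk
    treatment: str = ""


# Constructed sample register mirroring the THT-1 / VUL-1..3 / RSK-1 example.
THREATS = {
    "THT-1": Threat("THT-1", "Phishing", frozenset({"VUL-1", "VUL-2", "VUL-3"})),
}
VULNS = {
    "VUL-1": Vulnerability("VUL-1", "Lack of awareness training"),
    "VUL-2": Vulnerability("VUL-2", "Weak authentication or lack of 2FA"),
    "VUL-3": Vulnerability("VUL-3", "Lack of firewall"),
}
RISKS = [
    Risk("RSK-1", "Risk of untrained employees falling prey to social engineering",
         "THT-1", "VUL-1", treatment="Security awareness training"),
]


def vulnerabilities_for_risk(risk):
    """Only the explicitly linked vulnerability belongs to the risk.
    Returning THREATS[risk.threat_id].exploits here instead would be the
    misleading 'inherit everything from the threat' behaviour the page warns about."""
    return {risk.vulnerability_id}


def validate(risk, threats=THREATS):
    """Return a list of problems; empty means the risk's threat/vulnerability pair is consistent."""
    threat = threats.get(risk.threat_id)
    if threat is None:
        return [f"{risk.id}: unknown threat {risk.threat_id}"]
    if risk.vulnerability_id not in threat.exploits:
        return [f"{risk.id}: {risk.threat_id} does not exploit {risk.vulnerability_id}"]
    return []


def uncovered_pairs(risks, threats=THREATS):
    """Threat/vulnerability combinations that have no dedicated risk yet.
    Each of these should become a separate Risk entry."""
    covered = {(r.threat_id, r.vulnerability_id) for r in risks}
    return sorted((t.id, v) for t in threats.values() for v in t.exploits
                  if (t.id, v) not in covered)


def propose_risks(risks, threats=THREATS, vulns=VULNS):
    """Draft one new Risk per uncovered pair, numbered after the highest existing RSK id."""
    existing = [int(r.id.split("-")[1]) for r in risks]
    next_n = (max(existing) if existing else 0) + 1
    drafts = []
    for t_id, v_id in uncovered_pairs(risks, threats):
        drafts.append(Risk(f"RSK-{next_n}",
                           f"{threats[t_id].name} exploiting {vulns[v_id].name}",
                           t_id, v_id))
        next_n += 1
    return drafts


if __name__ == "__main__":
    for r in RISKS:
        print(r.id, "->", vulnerabilities_for_risk(r), validate(r))
    for d in propose_risks(RISKS):
        print("draft", d.id, d.threat_id, d.vulnerability_id, "-", d.name)
```

Run as a script it prints that RSK-1 maps only to VUL-1 and proposes RSK-2 (THT-1 + VUL-2) and RSK-3 (THT-1 + VUL-3) as the two risks still missing from the register; the treatment and owner for each draft are left for the responsible team to fill in, which is the reason the page gives for keeping the combinations separate.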