Risk management involves four major areas: risk modeling, risk assessment, risk monitoring, and risk action. Let us understand the end-to-end sequence of operations in Risk Manager with the help of an example.
The IT Head creates a business asset BU1 and associates it to a datacenter DC1. DC1 is associated with the IT assets A1, A2, A3, A4, and A5.
The Risk and Compliance Officer defines a security objective SO1 and associates BU1 with SO1. The Risk and Compliance Officer also associates the controls C1 and C2 with SO1 and publishes the risk objective.
The controls C1 and C2 have various control statements mapped to them, which in turn are mapped to tests from various sources of evidence such as Standards Manager, response assessments, vulnerability assessments, external system assessments, and so on. The IT team runs assessments in the network at periodic intervals and collects evidence for the various tests. Each asset and test combination has a certain risk score associated with it. When the global metrics and trends computation job is executed, it aggregates the available risk scores and generates metrics for the assets and controls mapped to the security objectives.
The predefined global metrics and trends computation job gets executed at the scheduled time or it can be manually executed from the risk management Web console. This job initiates the risk assessment.
Once the global metrics and trends computation job gets executed, the CISO can view the risk score of SO1 by using the risk dashboard. The CISO can leverage the features of the risk dashboard and panels to analyze and monitor the risk posture. Based on the findings, the CISO can make strategic decisions to take relevant action on the risk and communicate them to the IT Head.
The IT Head monitors the risk posture of SO1 by using the risk dashboards and defines an action plan.
The IT Head defines either a remediation plan or an exception plan to take action on the risks and submits the plan by using Symantec Workflow, Symantec ServiceDesk, or email.
Let us understand the advanced operations in Risk Manager with the help of an example.
To arrive at a more realistic risk score, while associating controls C1 and C2 with SO1, the Risk and Compliance Officer can opt to configure the controls C1 and C2. The Risk and Compliance Officer can set a weight percentage for C1 and C2 and identify compensating controls. This step is optional.
The Risk and Compliance Officer can define monitoring parameters to effectively monitor the risk score by setting threshold limits, likelihood, impact, impact area, target risk, and alerts and notifications. This step is optional.
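The following is an added example, not Risk Manager's own code, that models the aggregation described above: asset/test risk scores collected for C1 and C2 are rolled up into control scores, combined into a score for SO1 using the weight percentages, and checked against a threshold and target risk. The sample scores, the mean/weighted-mean rules, and the "highest score wins" per-asset view are all assumptions made for illustration.

```python
# Constructed sample evidence: datacenter DC1 holds assets A1..A5; controls C1
# and C2 are mapped to security objective SO1. Each (asset, test) pair carries a
# risk score in the range 0..100 (sample values, not real assessment output).
EVIDENCE = {
    "C1": {("A1", "T1"): 80, ("A2", "T1"): 60, ("A3", "T2"): 40,
           ("A4", "T2"): 20, ("A5", "T1"): 0},
    "C2": {("A1", "T3"): 90, ("A2", "T3"): 70, ("A3", "T3"): 50,
           ("A4", "T4"): 30, ("A5", "T4"): 10},
}

def control_score(evidence):
    """Assumed rule: mean of the asset/test risk scores collected for one control."""
    scores = list(evidence.values())
    return sum(scores) / len(scores) if scores else 0.0

def objective_score(controls, weights):
    """Assumed rule: weighted mean of control scores using weight percentages."""
    if abs(sum(weights.values()) - 100) > 1e-9:
        raise ValueError("control weight percentages must sum to 100")
    return sum(control_score(controls[c]) * weights[c] / 100 for c in controls)

def asset_scores(controls):
    """Per-asset view: the highest risk score observed for each asset across tests."""
    per_asset = {}
    for evidence in controls.values():
        for (asset, _test), score in evidence.items():
            per_asset[asset] = max(per_asset.get(asset, 0), score)
    return per_asset

def evaluate(controls, weights, threshold, target):
    """Score the objective and apply the monitoring parameters (threshold, target)."""
    score = objective_score(controls, weights)
    return {
        "score": score,
        "alert": score > threshold,            # notify when the threshold is exceeded
        "gap_to_target": max(0.0, score - target),  # distance above the target risk
    }

if __name__ == "__main__":
    # C1 weighted 60%, C2 weighted 40%; threshold 40, target risk 25 (sample settings).
    result = evaluate(EVIDENCE, {"C1": 60, "C2": 40}, threshold=40, target=25)
    print("SO1:", result)
    print("Assets:", asset_scores(EVIDENCE))
```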