A security risk assessment identifies, assesses, and implements essential security controls in your company's applications. It aims to find areas within your organization that need additional or more robust security and reduce risk within your company. Vanta's ISO Compliant Risk Management page shows what risk exists within your organization and the tasks that must be completed to improve your security posture.
Once you have identified and included risks for your company, they can be managed from the Risk Management tab. Here, you can review all of the risks that have been identified for your business. For risks with a risk score above an acceptable threshold, you can review and describe the risk treatment plan that will lower the likelihood and impact of the risk on your business.
- The Getting Started widget will walk you through each step of Risk management within Vanta by selecting Show Me how
1. Identifying Your Company's Risk Scenarios
You can review all the risks identified for your business from the Risk Register tab. For each risk, review and describe the risk treatment plan
Creating a Risk Scenario
- You can also create custom risk scenarios from the risk register page by selecting + Scenario.
- Risk scenarios can be created in 3 ways:
- Via Library
- Via Import
Creating a Manual Risk Scenario
- Complete the pop-up modal with
- Description: Describe the actual or potential risk to your company's people, facilities, technology, and data
- Category: The category of risk
- Likelihood: how likely an intentional or accidental incident will occur based on this risk.
- Impact: how much the exploitation of this risk would harm your organization's ability to continue to operate
- Notes (optional): Describe actions you are already taking that may mitigate or negate this risk. This field can be left blank if no existing actions apply here
- Select Create Risk scenario
Marking a risk scenario as sensitive will make it visible/editable to admins only
Uploading a Scenario via Import
- Choose the +Add scenario button
- Select Via Import
- Upload the file using the risk scenario template (attached at the bottom of this article)
- Select Import
Adding Scenarios from the Risk Library
- The Risk library contains detailed risk scenarios that can be quickly added to your Risk Register
- This can be done through the Risk Library Tab or the + Add Scenario button
- From the Risk Library tab, prebuilt risk scenarios can be added or removed from your Risk register
2. Reviewing Risk Scenarios
- Risks added to the register will need to be reviewed and approved. Owners can be assigned by clicking the Edit next to the word Unassigned
- This person is responsible for approving and tracking the completion of any treatment actions for this risk. They will be notified of this assignment if their notifications are turned on.
- Admins can assign themselves as the owner of a risk scenario
Review the Risk
- To review a risk, click directly into the risk, and select Review Risk
- Review the risk scenario, and make any needed adjustments to likelihood and impact.
- From here, you can also add additional notes, adjust the CIA category, and provide a custom ID
Define the Risk Treatment Plan
- Define how you would like to mitigate the risk
- Accept: Decide to live with the risk and take no further actions
- Transfer: Move risk outside your organization's responsibilities, e.g., get cyber liability insurance
- Mitigate: Identify controls to put in place or tasks to be done that will reduce the risk score.
- Avoid: Fix the risk and underlying vulnerabilities to remove them entirely from your environment
- Create a task that details your actions to mitigate the risk by selecting Create Task. Add a due date, and assign the task to the appropriate person
- Include any controls related to the risk scenario. Vanta can suggest if you toggle the Recommended only to on
Estimate Residual Score
- Residual risk is the left over risk after applying security controls and process improvements. A rough estimate is fine.
Assign an owner
- This person is responsible for approving and tracking the completion of any treatment actions for this risk
Archive a Risk / Restart
Archived risk scenarios won't show up in any new snapshots you generate in the future. All the tasks related to this risk scenario will be removed. You can unarchive the risk scenario anytime in the future, and the tasks will be restored.
- Select the options menu from the risk
- Selecting Archive will archive the risk
- Selecting Reset to draft will bring the risk back to its original state with no edits or assignments
Creating Custom Risk Management Categories
- Under assessment, select Settings
- Select Add to create a custom category
- Enter the category name
- Select Add Category
- The new custom category will be available to leverage for risk scenarios by editing the risk scenario and using the category dropdown
3. Creating a Risk Snapshot
- Snapshot records your risk assessment at a given point in time. It allows you to track and share your risk assessment progress with auditors.
- Only approved risk scenarios will be added to the snapshot.
Viewing Saved Snapshots
- Saved snapshots can be viewed from History
- Click on a specific snapshot to Download or Delete a snapshot from the top right-hand corner