A security risk assessment identifies, assesses, and implements essential security controls in your company's applications. It aims to find areas within your organization that need additional or more robust security and reduce risk within your company. Vanta's ISO Compliant Risk Management page shows what risk exists within your organization and the tasks that must be completed to improve your security posture. Once you have identified and included risks for your company, they can be managed from the Risk Management tab. Here, you can review all of the risks that have been identified for your business. For risks with a risk score above an acceptable threshold, you can review and describe the risk treatment plan that will lower the likelihood and impact of the risk on your business.
Risk Management Overview
Guided Tours
- The guided tour widget on the Risk Register tab will walk you through each step to getting started with Risk management within Vanta. Select View guided tours in the banner, then select Show Me how to take the tour
Identifying Your Company's Risk Scenarios
Risk Register
You can review all the risks identified for your business from the Risk Register tab. For each risk, review and describe the risk treatment plan
Creating a Risk Scenario
- You can also create custom risk scenarios from the risk register page by selecting + Scenario.
- Risk scenarios can be created in 3 ways:
- Manually
- Via Library
- Via Import (.csv, .xlsx)
Creating a Manual Risk Scenario
- Complete the pop-up modal with
- Description: Describe the actual or potential risk to your company's people, facilities, technology, and data
- Category: The category of risk
- Likelihood: how likely an intentional or accidental incident will occur based on this risk.
- Impact: how much the exploitation of this risk would harm your organization's ability to continue to operate
- Notes (optional): Describe actions you are already taking that may mitigate or negate this risk. This field can be left blank if no existing actions apply here
- Select Create Risk scenario
Marking a risk scenario as sensitive will make it visible/editable to admins only
Uploading a Scenario via Import
- Choose the +Add scenario button
- Select Via Import
- Upload the file using the risk scenario template (attached at the bottom of this article)
- Select Import
Adding Scenarios from the Risk Library
- The Risk library contains detailed risk scenarios that can be quickly added to your Risk Register
- This can be done through the Risk Library Tab or the + Add Scenario button
- From the Risk Library tab, prebuilt risk scenarios can be added or removed from your Risk register
Reviewing Risk Scenarios
Assigning Owners
- Risks added to the register will need to be reviewed and approved. Owners can be assigned by clicking the Edit next to the word Unassigned
- This person is responsible for approving and tracking the completion of any treatment actions for this risk. They will be notified of this assignment if their notifications are turned on.
- Admins can assign themselves as the owner of a risk scenario
Review the Risk
- Click into the risk you would like to review, complete the required information from the side modal
Define how you would like to mitigate the risk
-
- Accept: Decide to live with the risk and take no further actions
- Transfer: Move risk outside your organization's responsibilities, e.g., get cyber liability insurance
- Mitigate: Identify controls to put in place or tasks to be done that will reduce the risk score.
- Avoid: Fix the risk and underlying vulnerabilities to remove them entirely from your environment
- Create a task that details your actions to mitigate the risk by selecting Create Task. Add a due date and assign the task to the appropriate person
- Include any controls related to the risk scenario. Vanta can suggest controls if you toggle the Recommended only to on
Estimate Residual Score
- Residual risk is the leftover risk after applying security controls and process improvements. A rough estimate is fine.
Archive a Risk / Restart
Archived risk scenarios won't show up in any new snapshots you generate in the future. All the tasks related to this risk scenario will be removed. You can unarchive the risk scenario anytime in the future, and the tasks will be restored.
- Select the options menu(the three dots on the far right-hand side) from the risk
- Selecting Archive will archive the risk
- Selecting Mark as sensitive will ensure only admins can see and edit the risk
Creating Custom Risk Management Categories
- Under Settings, Scroll to Custom Categories
- Select Add to create a custom category
- Enter the category name and Select Add Category
- The new custom category will be available to leverage for risk scenarios by editing the risk scenario and using the category dropdown
Creating a Risk Snapshot
Snapshot records your risk assessment at a given point in time. It allows you to track and share your risk assessment progress with auditors.
- From the Risk Register page, select Share followed by Create snapshot
- You can choose to include All Risks or Approved Only risk scenarios, and if this snapshot can be viewed by Auditors.
- Share Settings can be updated at anytime by viewing the Snapshot
Viewing Saved Snapshots
- Saved snapshots can be viewed from the Snapshots page
- Click on a specific snapshot to Download or Delete a snapshot from the top right-hand corner
Generate a Risk Assessment report
\Create a risk assessment report Vanta platform, to showcase the security posture of your company to team members outside of the Vanta platform
- From the Risk Register page, select Share followed by Generate Risk Assessment report
- Select Export to save as a PDF