Risk Management

Shannon DeLange
Shannon DeLange Idea generator Vanta Team Member Conversation starter
  • Updated

A security risk assessment identifies, assesses, and implements essential security controls in your company's applications. It aims to find areas within your organization that need additional or more robust security and reduce risk within your company. Vanta's ISO Compliant Risk Management page shows what risk exists within your organization and the tasks that must be completed to improve your security posture.  Once you have identified and included risks for your company, they can be managed from the Risk Management tab. Here, you can review all of the risks that have been identified for your business. For risks with a risk score above an acceptable threshold,  you can review and describe the risk treatment plan that will lower the likelihood and impact of the risk on your business.

 

 

Risk Management Dashboard 

With Vanta's Risk Management Dashboard, you can get up to speed on your risk management program quickly, and see important information in one single location
 
risk mgmt dashboard 1.gif

 

Getting Started

  • The Getting Started widget will walk you through each step of Risk management within Vanta by selecting Show Me how

 

Identifying Your Company's Risk Scenarios 

 

Risk Register 

You can review all the risks identified for your business from the Risk Register tab. For each risk, review and describe the risk treatment plan

 

Creating a  Risk Scenario

  • You can also create custom risk scenarios from the risk register page by selecting +  Scenario.
  • Risk scenarios can be created in 3 ways:
    • Manually
    • Via Library
    • Via Import 

Screenshot

 

Creating a Manual Risk Scenario 

  • Complete the pop-up modal with
    • Description: Describe the actual or potential risk to your company's people, facilities, technology, and data 
    • Category: The category of risk
    • Likelihood: how likely an intentional or accidental incident will occur based on this risk.
    • Impact: how much the exploitation of this risk would harm your organization's ability to continue to operate
    • Notes (optional): Describe actions you are already taking that may mitigate or negate this risk. This field can be left blank if no existing actions apply here
  • Select Create Risk scenario

Screenshot

Marking a risk scenario as sensitive will make it visible/editable to admins only

 

Uploading a Scenario via Import

  • Choose the +Add scenario button
  • Select Via Import
  • Upload the file using the risk scenario template (attached at the bottom of this article) 
  • Select Import

Adding Scenarios from the Risk Library

  • The Risk library contains detailed risk scenarios that can be quickly added to your Risk Register
  • This can be done through the Risk Library Tab or the + Add Scenario button
  • From the Risk Library tab, prebuilt risk scenarios can be added or removed from your Risk register

Screenshot

 

Reviewing Risk Scenarios 

 

Assigning Owners 

  • Risks added to the register will need to be reviewed and approved. Owners can be assigned by clicking the Edit next to the word Unassigned
    • This person is responsible for approving and tracking the completion of any treatment actions for this risk. They will be notified of this assignment if their notifications are turned on.
    • Admins can assign themselves as the owner of a risk scenario 

Screenshot

 

Review the Risk

  • Click into the risk you would like to review, complete the required information from the side modal

risk drawer.gif

Define how you would like to mitigate the risk

    • Accept: Decide to live with the risk and take no further actions
    • Transfer: Move risk outside your organization's responsibilities, e.g., get cyber liability insurance
    • Mitigate: Identify controls to put in place or tasks to be done that will reduce the risk score.
    • Avoid: Fix the risk and underlying vulnerabilities to remove them entirely from your environment
  • Create a task that details your actions to mitigate the risk by selecting Create Task. Add a due date and assign the task to the appropriate person
  • Include any controls related to the risk scenario. Vanta can suggest controls if you toggle the Recommended only to on

 

Estimate Residual Score

  • Residual risk is the leftover risk after applying security controls and process improvements. A rough estimate is fine.

 

Assign an owner 

  • This person is responsible for approving and tracking the completion of any treatment actions for this risk

 

Archive a Risk / Restart

Archived risk scenarios won't show up in any new snapshots you generate in the future. All the tasks related to this risk scenario will be removed. You can unarchive the risk scenario anytime in the future, and the tasks will be restored.

  • Select the options menu(the three dots on the far right-hand side) from the risk
  • Selecting Archive will archive the risk 
  • Selecting Mark as sensitive will ensure only admins can see and edit the risk

 

Screenshot 2023-11-30 at 4.03.23 PM.png

 

Creating Custom Risk Management Categories 

  • Under assessment, select Settings 
  • Select Add to create a custom category 

  • Enter the category name
  • Select Add Category 
  • The new custom category will be available to leverage for risk scenarios by editing the risk scenario and using the category dropdown

Creating a Risk Snapshot

  • Snapshot records your risk assessment at a given point in time. It allows you to track and share your risk assessment progress with auditors.
  • Only approved risk scenarios will be added to the snapshot. 
  • From the Register page, select Share, followed by Create snapshot

 

Viewing Saved Snapshots

  • Saved snapshots can be viewed from History
  • Click on a specific snapshot to Download or Delete a snapshot from the top right-hand corner 

Screenshot

 

Generate a Risk Assessment report

  • Create a risk assessment report  Vanta platform, to showcase the security posture of your company to team members outside of the Vanta platform
  • From the register page, select Share followed by Generate Risk Assessment report  

risk assess report.gif