Risk Management

  • Updated

A security risk assessment identifies, assesses, and implements essential security controls in your company's applications. It aims to find areas within your organization that need additional or more robust security and reduce risk within your company. Vanta's ISO Compliant Risk Management page shows what risk exists within your organization and the tasks that must be completed to improve your security posture.  Once you have identified and included risks for your company, they can be managed from the Risk Management tab. Here, you can review all of the risks that have been identified for your business. For risks with a risk score above an acceptable threshold,  you can review and describe the risk treatment plan that will lower the likelihood and impact of the risk on your business.

 

Risk Management Overview 

The Risk Management overview allows you to view the current and residual scores for your risk scenarios
 

 

Guided Tours

  • The guided tour widget on the Risk Register tab will walk you through each step to getting started with Risk management within Vanta. Select View guided tours in the banner, then select Show Me how to take the tour

Screenshot 2024-07-12 at 4.02.26 PM.png

Screenshot 2024-07-12 at 4.02.44 PM.png

 

Identifying Your Company's Risk Scenarios 

 

Risk Register 

You can review all the risks identified for your business from the Risk Register tab. For each risk, review and describe the risk treatment plan

Creating a  Risk Scenario

  • You can also create custom risk scenarios from the risk register page by selecting +  Scenario.
  • Risk scenarios can be created in 3 ways:
    • Manually
    • Via Library
    • Via Import (.csv, .xlsx)

Screenshot 2024-07-12 at 4.05.21 PM.png

Creating a Manual Risk Scenario 

  • Complete the pop-up modal with
    • Description: Describe the actual or potential risk to your company's people, facilities, technology, and data 
    • Category: The category of risk
    • Likelihood: how likely an intentional or accidental incident will occur based on this risk.
    • Impact: how much the exploitation of this risk would harm your organization's ability to continue to operate
    • Notes (optional): Describe actions you are already taking that may mitigate or negate this risk. This field can be left blank if no existing actions apply here
  • Select Create Risk scenario

Screenshot

Marking a risk scenario as sensitive will make it visible/editable to admins only

Uploading a Scenario via Import

  • Choose the +Add scenario button
  • Select Via Import
  • Upload the file using the risk scenario template (attached at the bottom of this article) 
  • Select Import

Adding Scenarios from the Risk Library

  • The Risk library contains detailed risk scenarios that can be quickly added to your Risk Register
  • This can be done through the Risk Library Tab or the + Add Scenario button
  • From the Risk Library tab, prebuilt risk scenarios can be added or removed from your Risk register

Screenshot 2024-07-12 at 4.07.00 PM.png

 

Reviewing Risk Scenarios 

Assigning Owners 

  • Risks added to the register will need to be reviewed and approved. Owners can be assigned by clicking the Edit next to the word Unassigned
    • This person is responsible for approving and tracking the completion of any treatment actions for this risk. They will be notified of this assignment if their notifications are turned on.
    • Admins can assign themselves as the owner of a risk scenario 

Screenshot 2024-07-29 at 3.53.18 PM.png

 

Review the Risk

  • Click into the risk you would like to review, complete the required information from the side modal

Screenshot 2024-07-29 at 4.01.19 PM.png

Define how you would like to mitigate the risk

    • Accept: Decide to live with the risk and take no further actions
    • Transfer: Move risk outside your organization's responsibilities, e.g., get cyber liability insurance
    • Mitigate: Identify controls to put in place or tasks to be done that will reduce the risk score.
    • Avoid: Fix the risk and underlying vulnerabilities to remove them entirely from your environment
  • Create a task that details your actions to mitigate the risk by selecting Create Task. Add a due date and assign the task to the appropriate person
  • Include any controls related to the risk scenario. Vanta can suggest controls if you toggle the Recommended only to on

 

Estimate Residual Score

  • Residual risk is the leftover risk after applying security controls and process improvements. A rough estimate is fine.

Screenshot 2024-07-29 at 4.09.26 PM.png

Archive a Risk / Restart

Archived risk scenarios won't show up in any new snapshots you generate in the future. All the tasks related to this risk scenario will be removed. You can unarchive the risk scenario anytime in the future, and the tasks will be restored.

  • Select the options menu(the three dots on the far right-hand side) from the risk
  • Selecting Archive will archive the risk 
  • Selecting Mark as sensitive will ensure only admins can see and edit the risk

 

Screenshot 2024-07-29 at 4.11.21 PM.png

 

Creating Custom Risk Management Categories 

  • Under Settings, Scroll to Custom Categories
  • Select Add to create a custom category 

Screenshot 2024-07-29 at 4.13.45 PM.png

  • Enter the category name and Select Add Category 
  • The new custom category will be available to leverage for risk scenarios by editing the risk scenario and using the category dropdown

Creating a Risk Snapshot

Snapshot records your risk assessment at a given point in time. It allows you to track and share your risk assessment progress with auditors.

  • From the Risk Register page, select Share followed by Create snapshot

Screenshot 2024-07-29 at 4.15.58 PM.png

 

  • You can choose to include All Risks or Approved Only risk scenarios, and if this snapshot can be viewed by Auditors.
  • Share Settings can be updated at anytime by viewing the Snapshot 

 

Viewing Saved Snapshots

  • Saved snapshots can be viewed from the Snapshots page
  • Click on a specific snapshot to Download or Delete a snapshot from the top right-hand corner 

Screenshot 2024-07-29 at 4.18.25 PM.png

 

Generate a Risk Assessment report

\Create a risk assessment report Vanta platform, to showcase the security posture of your company to team members outside of the Vanta platform

  • From the Risk Register page, select Share followed by Generate Risk Assessment report  

Screenshot 2024-07-29 at 4.19.39 PM.png

 

  • Select Export to save as a PDF

Screenshot 2024-07-29 at 4.21.52 PM.png