A security risk assessment identifies and assesses risks to your company's systems and applications and the essential security controls that address them. Its aim is to find areas within your organization that need additional or stronger security and to reduce risk. Vanta's ISO Compliant Risk Management page shows which risks exist within your organization and the tasks that need to be completed to improve your security posture.
Risk Management
Once you have identified and included risks for your company, they can be managed from the Risk Management tab. Here, you can review all of the risks that have been identified for your business. For risks with a risk score above an acceptable threshold, you can review and describe the risk treatment plan that will lower the likelihood and impact of the risk on your business.
Risk Distribution
- From the risk register page, you will see an automatically generated chart showing how your company's risks are distributed by impact and likelihood.
Getting Started
- The Getting started widget walks you through each step of risk management within Vanta. Select Show me how to begin.
Creating a Custom Risk Scenario
- You can also create custom risk scenarios from the risk register page by selecting + Custom Risk Scenario.
- Complete the pop-up modal with
- Description: Describe the actual or potential risk to your company's people, facilities, technology, and data
- Category: The category of risk
- Likelihood: how likely it is that an intentional or accidental incident will occur based on this risk.
- Impact: how much the exploitation of this risk would harm your organization's ability to continue to operate
- Notes (optional): Describe actions you are already taking that may mitigate or negate this risk. This field can be left blank if you have no existing actions that apply here.
- Select Create risk scenario
Risk Scenarios
- The table at the bottom of the Risk Register page lists your organization's current risk scenarios with the following columns:
- Owner: who is responsible for managing this risk scenario
- Category: which category the risk falls under
- Risk Score: likelihood × impact
- Treatment: how the company will keep the threat from materializing
- Residual Risk: the risk that remains after the risk treatment has been applied
- Review Status: whether the scenario has been reviewed and approved
- Risk scenarios can be edited directly by clicking on the line item and selecting Edit.
Create a Snapshot
- A snapshot records your risk assessment at a given point in time. It lets you track the progress of your risk assessment and share that progress with auditors.
- Only approved risk scenarios will be added to the snapshot.
Viewing Saved Snapshots
- Saved snapshots can be viewed from History
- Download or Delete a snapshot from the top right-hand corner
Reviewing Risk
1. Review the risk scenario
- Select Review for the specific risk.
- To edit a specific risk that has already been reviewed, select the options icon (...) and choose Edit.
- Review the risk scenario and make any needed adjustments to likelihood and impact, then select Next.
2. Define a risk treatment plan
- Manage the Risk: define the risk treatment plan by choosing how you would like to manage the risk.
- Once the option has been chosen, detail the task, choose a due date, and assign it to a user.
- Tasks: create a new task
- Describe the task and the actions needed to implement the strategy
- Select a due date
- Assign to a user
- If multiple tasks are required, select Create task to add another.
- Controls (optional): add the controls that will be implemented to mitigate the risk
- Select Add Control
- Choose the specific control
- Select Add
3. Estimate Residual Score
- Residual risk is the risk 'left over' after security controls and process improvements have been applied. A rough estimate is fine.
4. Assign an owner
- This person is responsible for approving and tracking the completion of any treatment actions for this risk.
Archive a Risk
Archived risk scenarios won't show up in any new snapshots you generate in the future. All the tasks related to this risk scenario will be removed. You can unarchive the risk scenario anytime in the future, and the tasks will be restored.
- Select the options menu from the risk
- Choose Archive
- Select Archive
Risk Identification
Vanta's Risk Library includes common categories of risk. From here, you can choose to browse through different categories, add any risks to your company's risk register and identify how likely they are to occur.
Identifying Risk
- Choose a category and select Browse.
- Once a category is opened, all of its risks are listed. The left-hand navigation lets you move between the different risk scenarios within that category. Each scenario carries one of three statuses:
- Included: this risk was added to your register.
- Excluded: this risk was excluded from your register.
- Not reviewed: the risk still requires review for inclusion or exclusion.
- To include the risk in your register, select Include. To exclude it, select Exclude.
- If you include a risk, you will need to identify the following:
- Likelihood: how likely it is that an intentional or accidental incident will occur based on this risk.
- Impact: how much the exploitation of this risk would harm your organization's ability to continue to operate
- Notes (optional): Describe actions you are already taking that may mitigate or negate this risk. This field can be left blank if you have no existing actions that apply here.
Adding or importing your own Risk Scenarios
If there are additional risk scenarios you would like to add to your register, you can create your own or import them from a file.
- From the Risk Management Page, select Risk Identification, and choose to Add under Add your risk scenarios.
- Add: Complete the pop-up modal with
- Description: Describe the actual or potential risk to your company's people, facilities, technology, and data
- Category: The category of risk
- Likelihood: how likely it is that an intentional or accidental incident will occur based on this risk.
- Impact: how much the exploitation of this risk would harm your organization's ability to continue to operate
- Notes (optional): Describe actions you are already taking that may mitigate or negate this risk. This field can be left blank if you have no existing actions that apply here.
- Select Create risk scenario
- Import: Upload a .csv file with the following information
- The following columns will be imported:
- Risk Scenario
- Existing Controls
- Impact
- Likelihood
- Risk Treatment
- Residual Impact
- Residual Likelihood
- Choose if your risks are scored on a 1-5 scale
- Vanta's risk assessment template scores impact and likelihood on a 1-3 scale, while the risk management tool uses a 1-5 scale. Select this option if you are already using a 1-5 scale; otherwise you will need to re-score your risks once they are imported.
- Overwrite any existing risk
- Overwrites any risks with the same description. Select this option if you are re-importing risks.
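Because a bad import silently lands in the register (out-of-range scores, or two rows with the same description that the overwrite option would collapse into one), it is worth checking the file before uploading it. The following is an added example, not Vanta's own code: it parses a CSV with the column names listed above, rejects scores that are not integers in the expected range, reports duplicate descriptions, computes each row's inherent and residual score as likelihood × impact, and flags rows whose residual score exceeds the inherent score. The sample register is constructed, and the 1-3 to 1-5 mapping used when `rescale_from_3` is set is an assumption, not a rule the page states.

```python
import csv
import io
from collections import Counter

# Column names as listed on this page for the CSV import.
REQUIRED_COLUMNS = [
    "Risk Scenario", "Existing Controls", "Impact", "Likelihood",
    "Risk Treatment", "Residual Impact", "Residual Likelihood",
]
SCORE_COLUMNS = ["Impact", "Likelihood", "Residual Impact", "Residual Likelihood"]

# Assumed linear mapping from the 1-3 template scale onto the 1-5 tool scale
# (an assumption for this example, not a mapping the page defines).
RESCALE_1_3_TO_1_5 = {1: 1, 2: 3, 3: 5}

# Constructed sample register, not real data. Row 3 repeats row 1's description
# (so a re-import with overwrite would keep only one of them), and its residual
# likelihood is higher than its inherent likelihood. Row 4 scores likelihood 5,
# which is valid on a 1-5 scale but not on a 1-3 scale.
SAMPLE_CSV = """Risk Scenario,Existing Controls,Impact,Likelihood,Risk Treatment,Residual Impact,Residual Likelihood
Laptop with customer data is lost or stolen,Full-disk encryption; MDM remote wipe,3,2,Mitigate: enforce screen lock and MDM enrollment,2,1
Production credentials leaked via public repository,Pre-commit secret scanning,3,3,Mitigate: rotate secrets and enable push protection,3,1
Laptop with customer data is lost or stolen,Full-disk encryption,2,2,Accept,2,3
Third-party SaaS outage,None,2,5,Transfer: contractual SLA,2,3
"""


def parse_register(text):
    """Parse CSV text into row dicts; raise ValueError if a required column is missing."""
    reader = csv.DictReader(io.StringIO(text))
    missing = [c for c in REQUIRED_COLUMNS if c not in (reader.fieldnames or [])]
    if missing:
        raise ValueError(f"missing columns: {missing}")
    return list(reader)


def validate_scores(rows, scale_max):
    """Return (row_number, column, value) for each score that is not an integer in 1..scale_max."""
    bad = []
    for n, row in enumerate(rows, start=2):  # line 1 of the file is the header
        for col in SCORE_COLUMNS:
            try:
                v = int(row[col])
            except ValueError:
                bad.append((n, col, row[col]))
                continue
            if not 1 <= v <= scale_max:
                bad.append((n, col, row[col]))
    return bad


def duplicate_descriptions(rows):
    """Descriptions that occur more than once; the overwrite option keys on the description."""
    counts = Counter(r["Risk Scenario"].strip() for r in rows)
    return sorted(d for d, c in counts.items() if c > 1)


def scored(row, rescale_from_3=False):
    """Inherent and residual score as likelihood x impact, optionally rescaled from 1-3 to 1-5."""
    def score(col):
        v = int(row[col])
        return RESCALE_1_3_TO_1_5[v] if rescale_from_3 else v
    return {
        "scenario": row["Risk Scenario"].strip(),
        "inherent": score("Likelihood") * score("Impact"),
        "residual": score("Residual Likelihood") * score("Residual Impact"),
    }


def check_register(text, rescale_from_3=False):
    """Run all checks; scores are only computed when every score value is valid."""
    rows = parse_register(text)
    scale_max = 3 if rescale_from_3 else 5
    report = {
        "bad_scores": validate_scores(rows, scale_max),
        "duplicates": duplicate_descriptions(rows),
        "scores": [],
        "residual_exceeds_inherent": [],
    }
    if not report["bad_scores"]:
        report["scores"] = [scored(r, rescale_from_3) for r in rows]
        # A treatment should never leave more risk than it started with.
        report["residual_exceeds_inherent"] = [
            s["scenario"] for s in report["scores"] if s["residual"] > s["inherent"]
        ]
    return report


if __name__ == "__main__":
    for key, value in check_register(SAMPLE_CSV).items():
        print(f"{key}: {value}")
```

Run it against the register you are about to upload (replace `SAMPLE_CSV` with the file contents); pass `rescale_from_3=True` only if the file was scored on the 1-3 template scale, in which case the printed scores show what the rows will look like on the tool's 1-5 scale and any value above 3 is reported as an error rather than silently mapped.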
Risk Action Tasks
Tasks associated with approved risk scenarios are tracked in this tab.
- From here, tasks can be
- Marked as Complete
- Edited
- Filtered by Assignee
Creating Custom Risk Management Categories
- Under assessment, select Settings
- Select Add to create a custom category
- Enter the category name
- Select Add Category
- The new custom category can then be used for risk scenarios by editing the risk scenario and selecting it from the category dropdown.