This chapter provides orientation on managing asset risks through the Risk module.
Risk management is a process that essentially aims at minimizing, monitoring, and controlling the probability and the impact of undesirable events, or maximizing opportunities – in other words, managing the risk of something happening, be it positive or negative. The sources of risks are varied, ranging from uncertainty in the financial markets, flaws in project designs, legal liabilities, credit-related events, accidents and natural disasters, to deliberate attacks that aim at causing losses of any nature. The Risk module provides managers with an effective way to implement this process in their organizations. It is fully integrated with the Organization, Knowledge, Dashboard, Workflow, and Administration modules:
•The Risk module analyzes assets and assets components registered in the Organization module. Consolidated metrics resulting from risk projects can later be viewed in the Organization module.
•The Knowledge module is where knowledge bases and surveys are prepared and stored, which are used in risk projects.
•Metrics resulting from analyses in the Risk module are available through charts created in the Dashboard module.
•Events created to treat risks identified through projects are managed through the Workflow module. Project statistics are updated as these events are updated and closed.
•Configurations for risk projects are managed through the Administration module, including:
o Registration of collector servers used in automated collections.
o Registration of credentials used to access assets to be analyzed through automated collections.
o Configurations for the app that can be used to answer questionnaires through mobile devices.
o Customization of the scale used for risk metrics, including the different levels for each metric and the colors and descriptions for each level.
o Customization of message templates used to send e-mail notifications related to risk projects.
o Customization of project settings – such as whether interviews will be sent manually or automatically to reviewers, the justifications available when accepting risks, and more.
o Customization of default access control settings, determining which system privileges project leaders and analysts will have access to.
This module and its documentation are divided into four sections:
•Risk Management Projects: where you can manage projects to analyze the organization’s risk levels.
•Risk Queries: where you can query risk indicators resulting from the projects.
•Vulnerabilities: where you can map vulnerabilities from the catalogue to technology assets in the organizational structure, which can then be analyzed in risk projects.
•Risk Reports: where you can generate and customize risk analysis reports.