Risk: The Analysis Phase

This topic provides orientation on the analysis phase of the risk management process. In this version of the system, risk management processes are handled within a single project, and the analysis phase is also the only phase to have both a start and end date.

In this phase, the system offers a set of functions to automate and manage analyses that identify risks and vulnerabilities within the scope specified in the inventory phase. The questionnaires, interviews, and automated collectors in use can be monitored from this phase, and reports on their results can be viewed here as well.

For control-based scopes, it is important to understand that controls can be answered using information provided by analysts, interviewees/reviewers, and automated collections. However, the system only considers the most recent answer for each control. For example, suppose an interviewee's answer changed the status of a certain control when the interview was submitted. Later, an analyst manually changed the status of that same control in the questionnaire while an automated collection was in progress. When the automated collection finished, the same control was answered a third time. In this case, the system overwrites the answers provided by the interviewee and the analyst and keeps the one from the automated collection.
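As an added illustration of this last-answer-wins rule (example code written here, not part of the system's own documentation or API), the following Python resolves a constructed set of answers per control and flags the case an analyst would want to be warned about: a manual answer silently overridden by a later automated collection. Control identifiers, sources and timestamps are all constructed.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class ControlAnswer:
    control_id: str      # constructed identifier, e.g. "CTRL-01"
    status: str          # "implemented" or "not_implemented"
    source: str          # "interview", "analyst" or "collector"
    submitted_at: datetime


# Constructed sample: CTRL-01 is answered three times (interview, analyst,
# automated collection); CTRL-02 twice with no change in status.
SAMPLE_ANSWERS = [
    ControlAnswer("CTRL-01", "not_implemented", "interview", datetime(2024, 3, 1, 9, 0)),
    ControlAnswer("CTRL-01", "implemented", "analyst", datetime(2024, 3, 1, 10, 30)),
    ControlAnswer("CTRL-01", "not_implemented", "collector", datetime(2024, 3, 1, 11, 0)),
    ControlAnswer("CTRL-02", "implemented", "analyst", datetime(2024, 3, 1, 10, 45)),
    ControlAnswer("CTRL-02", "implemented", "collector", datetime(2024, 3, 1, 11, 0)),
]


def resolve_latest(answers):
    """Keep only the most recently submitted answer for each control."""
    latest = {}
    for answer in answers:
        current = latest.get(answer.control_id)
        if current is None or answer.submitted_at > current.submitted_at:
            latest[answer.control_id] = answer
    return latest


def overridden_manual_answers(answers):
    """List (control, manual source, manual status, final status) where a
    human-provided answer was replaced by an automated collection that set
    a different status. Useful as an audit check before closing the analysis."""
    latest = resolve_latest(answers)
    flagged = []
    for answer in answers:
        winner = latest[answer.control_id]
        if (answer.source != "collector" and winner.source == "collector"
                and answer.status != winner.status):
            flagged.append((answer.control_id, answer.source, answer.status, winner.status))
    return flagged


def evaluation_required(answers):
    """True when at least one control is non-implemented after resolution,
    which is the condition for starting the evaluation phase."""
    return any(a.status == "not_implemented" for a in resolve_latest(answers).values())
```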

In projects using vulnerability-based scopes, the technology assets selected in the inventory phase are listed in the analysis phase. To view the latest information on the vulnerabilities associated with these assets, the list of assets must be processed. The most recent information is obtained either through scans performed by the scanners integrated with the system, or through spreadsheets, which are manually completed and imported by users. Once the list of assets has been processed, the Risk Score will be calculated or refreshed for each vulnerability, and then consolidated for each asset.

To streamline the risk management process, you can manually close the analysis of each questionnaire or of each asset's vulnerabilities individually. Then, if at least one non-implemented control or vulnerability has been identified, the evaluation phase can begin.

Lastly, it is important to note that the entire analysis phase must be closed before you can close the project itself.