This topic provides orientation on the analysis phase of the risk management process. In this version of the system, risk management processes are handled within a single project, and the analysis phase is also the only phase to have both a start and end date.
In this phase, the system offers a set of functions to automate and manage analyses to identify risks and vulnerabilities within the scope specified in the inventory phase. The questionnaires, interviews, and automated collectors used can be monitored in this phase, as well as reports on the results.
For control-based scopes, it is important to understand that controls can be answered using information provided by analysts, interviewees/reviewers, and automated collections. However, the system will only consider the most recent answers provided. For example, consider that the answer an interviewee provided in an interview changed the status of a certain control when the interview was submitted. Later, an analyst manually changed the status of that same control in the questionnaire while an automated collection was taking place. When the automated collection finished, that same control was answered a third time. In this case, the system will overwrite the answers provided by the interviewee and the analyst, and consider that of the automated collection.
In projects using vulnerability-based scopes, the technology assets selected in the inventory phase are listed in the analysis phase. To view the latest information on the vulnerabilities associated with these assets, the list of assets must be processed. The most recent information is obtained either through scans performed by the scanners integrated with the system, or through spreadsheets, which are manually completed and imported by users. Once the list of assets has been processed, the Risk Score will be calculated or refreshed for each vulnerability, and then consolidated for each asset.
To streamline the risk management process, you can manually close any analysis of a questionnaire or of asset vulnerabilities individually. Then, if at least one non-implemented control or vulnerability is identified, the evaluation phase can begin.
Lastly, it is important to note that the entire analysis phase must be closed before you can close the project itself.