This topic explains how to define the scope of a project, which is essentially the analysis plan for the project. In this phase, the asset components previously registered in the Organization module are selected for analysis. The scope is the basis of the project: it determines which of the organization's assets are verified and taken into account in the results presented during and at the end of the analysis, and all subsequent risk management measures are based on those results. An asset component left out of the scope is not assessed at all, so its risk does not appear in the results.
The scope of a project may be control-based, vulnerability-based, or both. A control-based scope analyzes asset components against the knowledge bases of controls (good practices) associated with them. Questionnaires are generated from these knowledge bases, which were previously registered in the Knowledge module; the more of the listed controls that are implemented, the lower the resulting risk, and vice-versa. In addition to questionnaires, interviews can be generated from risk surveys, also previously created in the Knowledge module. A risk interview consists of a series of questions, some of which can be used to answer controls from a given knowledge base automatically. Lastly, automated collectors can be used to answer controls without manual input. Questionnaires, interviews, and collectors thus allow the existing risk level in the organization's assets to be assessed. The scope can include asset components from a specific asset, from a set of assets in the same perimeter, from an entire perimeter, from several perimeters, or all asset components in the organization.
A vulnerability-based scope differs in that it includes technology assets to which vulnerabilities have previously been mapped. These vulnerabilities are identified by external scanners for IT devices and are mapped, automatically or manually, to their corresponding assets in the organizational structure. When such an asset is included in the scope, its associated vulnerabilities are brought along with it. Project leaders can then decide whether to accept or treat each vulnerability, and the normal risk management cycle continues from there. Note that only vulnerabilities already mapped to an asset at the time the scope is defined are brought in; findings from a scanner that have not been mapped are not part of the project. For details on integration tasks that automatically import and map vulnerabilities from scanners supported by the system to assets, see Chapter 17: Administration -> Integrations -> Integration Tasks. For details on importing vulnerabilities to the catalogue, see Chapter 8: Knowledge -> Risk Knowledge -> Catalogue of Vulnerabilities. Lastly, for details on manually mapping vulnerabilities from scanners not supported by the system to assets, see Chapter 5: Risk -> Vulnerability Occurrences.