Risk: The Treatment Phase

In this phase, the risk treatment events generated in the evaluation phase can be monitored as to their status and progress. Note that these events can only be managed in the Workflow module by authorized users. This tab is only enabled after at least one non-implemented control or one vulnerability has been sent for treatment in the evaluation phase.

Here you can also view a table and a graph from the evaluation phase comparing the project phases, where the risk metrics and statistics are indicated (see figure below).

In this table, you can check the indicators for not evaluated, accepted, being treated, treated, and controlled risks. You can also view the Residual Risk for the project, which is the percentage of risks that are still present, taking into account those that have not been evaluated, those that have been accepted, and those that are still being treated. The more risks are treated, the lower the Residual Risk and the closer this number will approach the Residual Goal – the ideal objective to be reached when all the risks are eliminated, if this proves to be possible.

For example, in the table in the figure above, there are 21 not evaluated risks, 11 accepted, and 5 being treated. The sum of the Risk Index for these is 30.6% and the Gap Index is 30.5%.

In the treatment phase, this same graph also displays information on risks treated. In the example below, risks being treated dropped to 3.5% and the treated risks increased to 6. Thus, the Residual Risk Index increased to 31.6% and the Residual Gap Index stayed at 30.5% (see figure below). If all the risks being treated are eventually treated, the Residual Risk and the Residual Goal will be equal.

Below this chart are two tabs, the first listing all the risk treatment events generated through the project for both non-implemented controls and vulnerabilities. The second tab lists all the vulnerabilities being treated with their associated treatment events.

In the case of vulnerabilities that were imported through one of the four available integration tasks, notifications may be displayed if the vulnerabilities for which treatment events were generated were not identified in the most recent scans. These notifications must have been enabled when the integration tasks were created. If the vulnerabilities were not identified in the most recent scans, a notification will appear when the project is opened by any user with permission to do so and, until it is discarded, will remain visible to all users who access the project (see figure below). The person assigned as project leader will also receive a notification in the Home module, and additional notifications will be displayed in the Progress and Associations tabs of the events created to treat the vulnerabilities in question.

These notifications will also be generated when an asset in the scope of the risk project is removed from the scope of a scan or from an XML file to be imported. This occurs because the vulnerabilities identified for that asset are no longer found, not necessarily because they do not exist but because the asset is no longer being analyzed by the scanner in that particular report. If the assets or vulnerabilities were purposely removed, the scan report or XML file should be renamed to prevent notifications from being generated erroneously. In addition, if different credentials or a different policy is used to access and scan the assets, this could prevent certain vulnerabilities from being again identified and generate erroneous notifications.
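The distinction this paragraph draws (a finding absent because the asset was scanned and the finding is gone, versus absent because the asset dropped out of the scan's scope) can be checked before acting on a notification. The following Python is an added example, not the product's own reconciliation logic; the `Finding` type, the explicit scan scope and all sample identifiers are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One scanner finding: asset identifier plus the scanner's vulnerability id."""
    asset: str
    vuln_id: str


def reconcile(events, scan_findings, scan_scope):
    """Classify treatment events against the most recent scan.

    still_present     : finding reported again, treatment still pending
    not_found         : asset was scanned and the finding is absent
                        (the case that legitimately warrants a notification)
    asset_not_scanned : asset is no longer in the scan's scope, so the finding
                        is unverifiable rather than remediated (the erroneous-
                        notification case the text describes)
    The scan scope is assumed to be the set of assets the scanner actually
    analyzed in that report.
    """
    found = set(scan_findings)
    result = {"still_present": [], "not_found": [], "asset_not_scanned": []}
    for ev in events:
        if ev in found:
            result["still_present"].append(ev)
        elif ev.asset not in scan_scope:
            result["asset_not_scanned"].append(ev)
        else:
            result["not_found"].append(ev)
    return result


# Constructed sample data: treatment events raised in the evaluation phase.
TREATMENT_EVENTS = [
    Finding("db-01", "VULN-A"),
    Finding("db-01", "VULN-B"),
    Finding("web-02", "VULN-C"),
    Finding("app-03", "VULN-D"),  # app-03 was later removed from the scan
]
# Constructed latest scan: app-03 is no longer in scope, VULN-B and VULN-C gone.
LATEST_SCOPE = {"db-01", "web-02"}
LATEST_FINDINGS = [Finding("db-01", "VULN-A"), Finding("web-02", "VULN-E")]

if __name__ == "__main__":
    for category, items in reconcile(TREATMENT_EVENTS, LATEST_FINDINGS, LATEST_SCOPE).items():
        print(category, [f"{f.asset}:{f.vuln_id}" for f in items])
```

Only the `not_found` bucket should be treated as evidence of remediation; `asset_not_scanned` entries point at a scope, credential or policy change in the scan rather than at a fixed vulnerability.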