Creating Risk Management objects

For “Simple GRC” I’ve defined Libraries, Library Objects and Requirements. These records allow a simple, uniform logical model for all GRC objects; this is outlined in my other post, Building the Foundations: Libraries, Objects, and Requirements in Simple GRC.

Example: the structure “Authority -> NIST CSF -> Asset Management -> Physical devices and systems within the organization are inventoried” would be easy to implement. The same model can also be used for risks, controls, etc.

Now I need to define a Risk Management structure in which I can set up Risk Management activities such as Assessments, Issues, etc. and connect those specific activities to Libraries.

This part is a work in progress.

Risk Management should exhibit functionality similar to Libraries and Objects:

Allow the creation of multiple risk management areas. Examples:

  • Assessments area as Level-1
    • Specific assessments as Level-2
  • Issue Management area as Level-1
    • Specific Issue as Level-2
  • Control Testing area as Level-1
    • Specific testing objects as Level-2

Each Level-2 record should have a type, unique to the Level-1 area it belongs to.

The tricky part is accounting for the variation in functionality that each Level-1 and Level-2 should exhibit. Since I would like to approach Simple GRC in the most generic way possible, I need to be able to allocate Risk Management functionality to any Risk Management object.

For instance, let’s look at the obvious use cases:

  • Level-2 Assessment records should have the ability to assess the processes and controls related to them.
    • I don’t have the ability to map objects, although it is planned functionality.
  • Level-2 Issue records
    • Should have the ability to be mapped to GRC Libraries, Objects and Requirements for reference
    • Might have different required fields
    • Issues should contain Actions; I need to figure out a way to assign action plans within an issue.
      • Should I have another Level-2 called Action Plans and relate issues and actions?
      • Action Plans might also have a relation to GRC Libraries, Objects and Requirements
  • Level-2 Control Testing records
    • Need to have the ability to assign controls from GRC objects and save testing results.
    • It would be great if the user could select a list of GRC objects and have the rest of the related GRC objects populated from the existing mappings.
  • Level-2 Attestation records
    • This functionality would create a record that might contain a survey.
    • Surveys can differ and should be sent to a specific recipient, who can open the survey and respond to it.
    • Surveys might contain the list of controls that require attesting
  • Level-2 Security Projects
    • This functionality will list projects, their priority and the status of each project.

Primary question: should I try to standardize all risk management areas under the same umbrella, deducing the common functionality for each use case, with the goal of consolidating and simplifying the creation of Risk Management areas?


After careful analysis, I decided to go with hardcoded modules for risk management. This is the result of the unnecessary complexity involved in ‘free-creating’ modules on the fly.

Assessments Module (Level-1)

  • Allow setting assessment types
  • Allow allocating custom fields for all assessments or for specific assessment types
  • Allow creating assessments (Level-2)
  • Allow adding, in tree format, any Library Object (parents and/or children)
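The following is an added example, not code from Simple GRC, showing how the Assessments module above (and the Level-1/Level-2 pattern from the use-case list) can be modelled: a Level-1 module that owns the assessment types and their custom fields, Level-2 assessment records whose type must belong to the module, and a Library Object tree that an assessment can attach with parents and/or children. The Library classes, identifiers such as `LIB-1`/`OBJ-2`/`REQ-1`, the second requirement under Asset Management and the assessment types are constructed for the example; only the NIST CSF branch text comes from the post.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Any


@dataclass
class LibraryObject:
    """One node of a Library tree: Authority -> NIST CSF -> Asset Management -> requirement."""
    id: str
    name: str
    parent: LibraryObject | None = None
    children: list[LibraryObject] = field(default_factory=list)

    def add_child(self, obj_id: str, name: str) -> LibraryObject:
        child = LibraryObject(obj_id, name, parent=self)
        self.children.append(child)
        return child

    def ancestors(self) -> list[LibraryObject]:
        out, node = [], self.parent
        while node is not None:
            out.append(node)
            node = node.parent
        return out

    def descendants(self) -> list[LibraryObject]:
        out = []
        for child in self.children:
            out.append(child)
            out.extend(child.descendants())
        return out


@dataclass
class Assessment:
    """Level-2 record inside the Assessments module."""
    id: str
    name: str
    type_name: str
    fields: dict[str, Any]
    scope: dict[str, LibraryObject] = field(default_factory=dict)

    def attach(self, obj: LibraryObject, parents: bool = False, children: bool = False) -> None:
        """Put a Library Object in scope, optionally with its parents and/or its children."""
        self.scope[obj.id] = obj
        for node in (obj.ancestors() if parents else []) + (obj.descendants() if children else []):
            self.scope[node.id] = node

    def scope_ids(self) -> list[str]:
        return sorted(self.scope)


class AssessmentsModule:
    """Level-1 area: owns assessment types, their custom fields and the assessments."""

    def __init__(self) -> None:
        self.common_fields: dict[str, type] = {}     # required on every assessment
        self.types: dict[str, dict[str, type]] = {}  # type name -> fields specific to that type
        self.assessments: dict[str, Assessment] = {}

    def add_common_field(self, name: str, ftype: type) -> None:
        self.common_fields[name] = ftype

    def add_type(self, name: str, custom_fields: dict[str, type] | None = None) -> None:
        if name in self.types:
            raise ValueError(f"assessment type already defined: {name}")
        self.types[name] = dict(custom_fields or {})

    def create(self, aid: str, name: str, type_name: str, **values: Any) -> Assessment:
        """Create a Level-2 assessment; the type must exist and the fields must match its schema."""
        if type_name not in self.types:
            raise ValueError(f"unknown assessment type: {type_name}")
        if aid in self.assessments:
            raise ValueError(f"duplicate assessment id: {aid}")
        schema = {**self.common_fields, **self.types[type_name]}
        if unknown := set(values) - set(schema):
            raise ValueError(f"fields not defined for {type_name}: {sorted(unknown)}")
        if missing := set(schema) - set(values):
            raise ValueError(f"missing required fields: {sorted(missing)}")
        for fname, ftype in schema.items():
            if not isinstance(values[fname], ftype):
                raise TypeError(f"field {fname} must be {ftype.__name__}")
        record = Assessment(aid, name, type_name, dict(values))
        self.assessments[aid] = record
        return record


def build_sample() -> tuple[AssessmentsModule, Assessment]:
    """Constructed sample data: the NIST CSF branch from the post plus one hypothetical extra requirement."""
    authority = LibraryObject("LIB-1", "Authority")
    csf = authority.add_child("OBJ-1", "NIST CSF")
    asset_mgmt = csf.add_child("OBJ-2", "Asset Management")
    asset_mgmt.add_child("REQ-1", "Physical devices and systems within the organization are inventoried")
    asset_mgmt.add_child("REQ-2", "Software platforms and applications are inventoried")  # constructed

    module = AssessmentsModule()
    module.add_common_field("owner", str)                        # custom field for all assessments
    module.add_type("Control Self-Assessment", {"period": str})  # custom field for one type only
    module.add_type("Vendor Assessment", {"vendor": str, "tier": int})

    csa = module.create("ASM-1", "Asset inventory CSA", "Control Self-Assessment",
                        owner="IT Security", period="2024-Q3")
    csa.attach(asset_mgmt, parents=True, children=True)  # tree attach: object, its parents, its children
    return module, csa


if __name__ == "__main__":
    _, sample = build_sample()
    print(sample.type_name, sample.fields, sample.scope_ids())
```

The module rejects a type it does not know, a field that belongs to a different type, and a value of the wrong type, so the "type unique to the Level-1 area" rule and the per-type custom fields are enforced at creation time rather than left to the UI. Attaching `Asset Management` with parents and children puts the whole branch from `Authority` down to the requirements into the assessment's scope.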
