Risk Analysis
The risk analysis allows you to assess the threats that affect each of the assets. When you access this option, a table appears with the following information:
Asset: It indicates the name of the asset. These assets are defined beforehand in the section ‘Analysis/Inventory’ and have been selected previously.
Category: It shows the category assigned to the asset.
% Complete: It shows the percentage of completeness for the dimensions defined. The number of dimensions valuated for this asset and the total number of dimensions are indicated in brackets.
Proposals: It indicates whether the asset has included the set of proposed threats associated with the risk analysis. If you need to propose threats from the catalogs for one or several assets, you can click on the tag (Yes) of each asset and change the value to ‘No’. The platform will then propose threats for the assets that have the value ‘No’ in this column when you click on the button ‘Propose Threats’.
GlobalSUITE allows you to perform the following actions on the Asset List:
Sort by: It allows you to order the list of assets according to the value of one dimension (higher or lower).
Add/Propose Threats: When you click on this button, GlobalSUITE automatically loads a list of threats and vulnerabilities for the assets according to the category which has been defined.
Add Threats: When you click on this button, the tool includes, in the assets whose 'Proposals' column is set to No, the new threats and vulnerabilities that have not already been applied in the analysis.
Propose Threats: When you click on this button, the tool includes, in the assets whose 'Proposals' column is set to No, all the threats in the analysis catalog that correspond to their category.
Add/Associate Controls: It automatically loads a list of controls into the analysis and applies them to the threats according to the configuration of the analysis catalog.
Propose & Associate Controls: When you click on this button, the tool allows you to include in the analysis the new controls of the catalog that are not already applied, and associates them with the existing threats according to the correspondence of the catalog.
Associate Controls: When you click on this button, GlobalSUITE associates the existing controls in the analysis with the threats of assets based on the relationship in the catalog.
NOTE: The list of threats and vulnerabilities can be defined in the section ‘Administration/Analysis Catalog’.
Options - Copy Risks: It allows you to copy threats, vulnerabilities and valuations from one asset to another.
To copy, you have to select the asset which you want to duplicate in the left column, define the asset of the column on which you want to duplicate the same threats, vulnerabilities and valuations, and click on the button ‘Copy’.
Options - Related Risks: It allows you to view the related threats of one specific asset. The related threats consist of the threats of the asset itself and the threats of the dependent assets (according to the dependencies established in the section ‘Inventory’).
Options - Calculate RA: It calculates all the assessments and modifications that have been made on the risk analysis. If a modification has been made in the risk analysis methodology, this option allows you to calculate the new values applying the new methodology.
Options - Calculate Global Risk by Asset: It performs the Global Risk calculation for each asset. The criterion used to obtain the Global Risk by Asset is defined in the section 'Risk Analysis - General Information' explained in the previous section.
Options - Calculate Global Related Risk by Asset: It performs the calculation of the Global Related Risk by Asset. The criterion used to obtain the Global Related Risk by Asset is defined in the section 'Risk Analysis - General Information' explained in the previous section.
Options - Calculate Global Risk by Analysis: It performs the calculation of the Global Risk by Analysis. The criterion used to obtain the Global Risk by Analysis is defined in the section 'Risk Analysis - General Information' explained in the previous section.
Options - Surveys Results: It allows you to access a screen to consult and manage the results obtained in the risk surveys conducted. To access the screen, you have to select the asset to be managed. This option is explained in detail in the following section, after the explanation of all the options available in the risk analysis option.
Options - General Assessment: It allows you to access a table to perform the general assessment of threats/risks according to the category of the asset with which they are associated. This option is explained in detail in section 6.3.2 (after explaining the survey results screen).
Options - Clean Risks: The risks that do not coincide, by name, with the risks of the catalogs currently included in the analysis are removed.
Once you click on the asset link, a table with the following information is displayed:
Threat: It indicates the name of the threat to valuate. Threats are events which can start an incident in the organization and can produce material or intangible damage to your assets. The field can be edited by double-clicking on the cell.
Vulnerability: It indicates the vulnerability which the asset has and which can be triggered. The field can be edited by double-clicking on the cell.
Comment: It allows you to write additional information about the threat.
Supervisor: It allows you to define the person in charge of the risk, from among all the employees.
Dimensions: According to the methodology associated with the Risk Analysis (Risk Analysis/General Information), all the associated dimensions, which have been defined in the section ‘Administration/Analysis Methodologies’, will be loaded.
NOTE: You can view the whole list of dimensions or select the dimensions that give the user the most information. To do this, right-click on the line and select the dimensions with the checkbox.
NOTE 2: According to the methodology defined in the section 'Administration/Analysis Methodologies', the valuations can be qualitative and quantitative.
In relation to the established dimensions, GlobalSUITE offers useful information for establishing valuations according to the dimension.
The following information is provided:
Help: It provides additional help for valuating threats through a deeper description. This help text can be defined in the section ‘Administration/Analysis Catalog’.
Dimension: It allows you to select the required dimension in the drop-down menu.
Level: For the selected dimension, this option lets you select the associated levels as they are defined in the section ‘Administration/Analysis Methodologies’.
Description: According to the dimension and the level selected in the previous sections, the platform informs the user of the criteria established for the selected level. The description can be parameterized in the option ‘Administration/Risk Analysis Methodologies’.
NOTE: The description of dimensions can also be viewed by clicking on the desired cell of the inventory; the platform will show the specific description according to the dimension and associated level.
GlobalSUITE allows you to perform the following options in the threat table:
New: It allows you to insert a new line in the table; you can define the name of the threat, vulnerability, etc.
Remove: It allows you to remove one or several threats. To do this, you have to select the row or rows and click on the button ‘Remove’.
Back: GlobalSUITE returns to the previous screen.
Download: It allows you to download the Threat list in an editable format (.xls) or in PDF.
Associate Supervisor: It allows you to define the person in charge of the risk, from among all the employees. To define a supervisor, select the threat to be assigned and click on the button. The list of Employees will then be displayed, and you can choose the desired one or, if necessary, remove the person in charge by clicking the "Clear field Employee" button.
Recover threats: It allows you to insert one or several threats defined beforehand in the section ‘Administration/Analysis Catalog’. When you click on the button, a list appears with all the defined threats, with those that apply to the asset by its category highlighted in red.
To insert new threats, you have to select them and click on the button ‘Add Threats’.
NOTE: When you click on the button ‘Propose Threats’ described earlier, the threats highlighted before appear in red.
Historical Versions: It allows you to view a historical version of the threats you have selected.
Calculate Risk Analysis: It allows you to calculate all the valuations and modifications which have been done on the Risk Analysis.
NOTE: The calculation can be longer or shorter according to the number of assets and variables of the Dependencies Tree.
Consolidate Surveys: This option allows the user to modify the valuations of the threats of one asset according to the different surveys performed (Assets & Risks type). This option is explained in detail in the option 'Manage surveys' of the Risk Analysis.
The lower part of this section shows a summary of the asset and threat that are selected in the top table. You can view the following sections:
Analysis
The current section allows you to view and establish the valuations of threats for the selected asset. This valuation is the same as the one indicated in the table, but it is shown in a form.
Treatment Plan Controls
It offers the possibility of viewing the Treatment Plan Controls (Analysis/Risk Management) which have been associated to this specific threat. You can view its name, the supervisor of the implementation, its resources (technical and human), costs and the implementation term.
Implemented controls
This section allows you to associate the controls which are already implemented in the organization with a specific threat. This is the information that the table offers for each of the controls:
Name: It identifies the name of the implemented control. Double-click on the cell to modify it.
Type: It allows you to view its typology.
Supervisor: It identifies the supervisor of the control implementation.
Resources: It offers the possibility of defining the resources (technical or human) used for the control implementation.
Term: It identifies the date on which the control has been implemented in the organization.
Cost: It allows you to identify the economic cost which the control implementation has incurred in the organization.
By threat: It offers the possibility of viewing if the valuation of dimensions is global for all threats ('No' status) or if the valuation of the control has been modified specifically for the selected threat in the top table ('Yes' status).
Dimensions: According to the Controls Methodology which has been established, it allows you to valuate the different dimensions defined on a control.
You can carry out the following actions in the table:
New: It offers the possibility of inserting a new entry in the table which will define new controls to a specific threat.
Disassociate: It allows the users to remove a control associated with a specific threat. To do this, you have to select the row and click on the button 'Disassociate'.
Associate controls: It offers the possibility of associating a threat with a control implemented in the organization. When you click on the button, the list of the controls defined in the section 'Analysis/Controls Management' is shown so that you can associate them with the selected threat.
Restore valuation: In case the control has been valuated specifically for the selected threat, the current option allows the user to restore the control valuation according to the data defined in the section 'Analysis/Controls Management'.
Download: You can download the list of controls in editable format (.xlsx) or PDF.
Show: It offers the possibility of changing the view in which the controls are displayed. You can select the view that shows the indicators associated with each of the controls.
Indicators
This tab allows you to set the Key Risk Indicators (KRI) for each of the risks of the Risk Analysis. As in the above options, you must first click on the risk, and then you can associate the Key Risk Indicators. The information provided by the table for each of the indicators is as follows:
Name: It identifies the name of the indicator. You can access the complete information of the indicator by clicking on the name.
Supervisor: It identifies the supervisor associated with the indicator.
Frequency: It identifies the assessment frequency of the indicator.
Status: It identifies the status of the indicator based on the Balanced ScoreCard methodology that is defined. (Only available in GlobalSUITE® Balanced ScoreCard).
Trend: It identifies the trend of the indicator based on the Balanced ScoreCard defined. (Only available in GlobalSUITE® Balanced ScoreCard).
Last value: It identifies the last value obtained in the assessment.
Date of Last value: It identifies the date of the last assessment of the indicator.
The actions that the table allows you to perform include the following:
Associate: It provides the ability to associate one or more indicators previously registered in the "Indicators" option of the tab: "ScoreCard". Clicking on the button, GlobalSUITE displays the list of indicators. You must select indicators you want to associate and click on the "Associate Indicators" button.
Disassociate: It allows users to remove the link between the indicator and risk. To do this, you have to select the row you want and click on the 'Disassociate' button.
Download: It offers the possibility of downloading the list of KRI in editable format (.xlsx) or in .PDF.
Survey results
The current option allows you to view the valuations of the assets which have been performed in the different surveys (Assets and Risks). You have to select an asset in the table to access this option.
Once you have accessed the option, the following table appears:
Threat: It indicates the name of the threat.
Vulnerability: It indicates the vulnerability associated with the threat.
Comment: You can add any comment about the analysis of the threat in this field.
NOTE: The previous columns can be considered according to the columns proposed by default. The columns are configurable in the methodology of risk analysis.
Status: Indicates the status of the survey.
Consolidated: Shows whether the survey has been consolidated or not. By default, surveys that have not been consolidated are displayed.
Dimensions: It displays the value registered in each one of dimensions or variable which have been considered in the risk analysis.
These options are allowed in the platform:
Add New: It allows you to insert new threats which have been identified in the risk analysis of the asset. New threats are shown in green, and the platform allows you to select which threats to add and which not to add.
Consolidate: It allows the consolidation of the different assessments performed on the same threat in different surveys. You can use several consolidation options: Maximum (higher valuation), Minimum (lower valuation) and Arithmetic mean (the average of the different valuations). This option modifies the valuations of the threats of the asset.
Consolidate Controls: It enables the consolidation of the controls recorded and assessed which are associated with a threat. You can use multiple consolidation options: Maximum (records the highest rating), Minimum (records the lowest rating) and Arithmetic Mean (records the average of the different assessments). This option modifies the assessments of the controls associated with each threat.
Calculate RA after consolidation: This field is used to select whether, after the consolidation of the selected surveys, all the automatic dimensions of the analysis are recalculated; by default it is checked. Since this process can take several minutes, you can uncheck it to perform various consolidations and recalculate the risks at the end.
Back: It allows you to return to the list of assets of the risk analysis.
Show: Show all the risk surveys for the selected item, or only those that are pending consolidation.
Download: You can download the information of the surveys in an editable format (.xlsx) or in PDF format.
Below the above table, a table is displayed that allows the consolidation of the controls registered for each of the active threats. To consolidate the controls of a threat, you first have to select the specific threat in the above table.
The columns of the table coincide with the dimensions configured for performing the controls assessment. These are the options that the platform allows:
Add New: It allows you to insert new controls that have been identified in surveys in the risk analysis of the threat. The new controls identified are highlighted in green, and GlobalSUITE lets you select what to add or not to add.
Consolidate: It enables the consolidation of the controls recorded and assessed which are associated with a threat. You can use multiple consolidation options: Maximum (records the highest rating), Minimum (records the lowest rating) and Arithmetic Mean (records the average of the different ratings). This option modifies the assessments of the controls associated with each threat.
Calculate RA after consolidation: This field is used to select whether, after the consolidation of the selected surveys, all the automatic dimensions of the analysis are recalculated; by default it is checked. Since this process can take several minutes, you can uncheck it to perform various consolidations and recalculate the risks at the end.
Download: It allows you to download in an editable file (.xlsx) or .PDF the information shown in the management table.
General Valuation of Risks
This option allows you to perform a general valuation of the threats/risks that are included in the risk analysis. To do this, you can valuate different threats and apply the result to the different assets that have the threat. The assets to which the threat valuation is applied are selected at the category level: if you associate a threat with a specific category, you can apply it to all assets belonging to that category.
Once you have accessed the option, GlobalSUITE shows a table with the threats that the user wants to valuate in a general way. For each of the included threats, you must indicate the related category or categories so that the threats are included or updated in the assets of the listed categories. This table displays the different manual dimensions which have been configured in the risk methodology so that they can be valuated.
These are the options you can perform on the table:
Recover Threats from the Catalog: This option allows you to select a set of threats from the risk catalog associated with the risk analysis. All threats selected from the catalog are included in the main table so that the dimensions of the methodology (probability, impact, etc.) can be evaluated.
Recover Threats from the Catalog: This option displays those threats that have been added to the risk analysis (additional threats of the associated catalogs). All threats selected from the catalog are included in the main table so that the dimensions of the methodology (probability, impact, etc.) can be evaluated.
Add: This option allows you to add threats on the table, these threats are additional to the threats included in the catalog or risk analysis (through the button previously explained).
Remove: This option allows you to remove threats of the table. For this task, you have to select the threats through the check located on the left and click on the button 'Remove'.
Select categories: This option allows you to associate categories of assets with a threat you have selected on the table. It lets you indicate, for each threat, the specific asset category to which the valuation should be applied, so the assets that have those categories defined will receive the general valuation of the threat.
Fields: This drop-down list displays the fields of the risk methodology. It is used to select the fields that are compared when applying the valuation of threats. By default, the main field of the methodology is always selected (usually the field 'threat' or 'risk').
Apply - All Threats: This option allows you to apply the valuation of threats to all assets that have a category associated with the threat. To do this, you have to select the threats you want to apply (mark the check on the left side) and click on the specific button. GlobalSUITE will display a confirmation window in which the user decides whether to generate a record of the risk analysis before the new valuation. It also displays a window asking whether you want to create the threats in assets that do not have them associated.
Apply - All assets without valuation: This option allows you to apply the valuation of threats to all assets that have any category associated with the threat. In this case, it is only performed for those threats that are not evaluated. To do this, you have to select the threats you want to apply (mark the check on the left side) and click on the specific button. GlobalSUITE will display a confirmation window in which the user decides whether to generate a record of the risk analysis before the new valuation. It also displays a window asking whether you want to create the threats in assets that do not have them associated.
Back: This button allows you to return to the main screen of the risk analysis.
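The difference between the two 'Apply' options described above, as an added Python illustration that is not GlobalSUITE code. The data layout, the function and parameter names, the sample data, and the rule that a threat is "without valuation" when all of its manual dimensions are empty are assumptions made for this example.

```python
from copy import deepcopy

def is_unvalued(row):
    # Assumption: a threat is "not evaluated" when every manual dimension is empty.
    return all(value is None for value in row["dims"].values())

def apply_general_valuation(assets, general_rows, mode="all", field="threat",
                            create_missing=False, keep_record=True):
    """Apply general threat valuations to assets by category.

    mode="all"      models 'Apply - All Threats' (overwrite every match).
    mode="unvalued" models 'Apply - All assets without valuation'.
    field           is the methodology field used to match threats ('Fields').
    create_missing  models the prompt to create threats an asset lacks.
    keep_record     models the record taken before the new valuation.
    Returns (record_before, changes); assets are modified in place.
    """
    if mode not in ("all", "unvalued"):
        raise ValueError("mode must be 'all' or 'unvalued'")
    record = deepcopy(assets) if keep_record else None
    changes = []
    for general in general_rows:
        for asset in assets:
            # Only assets whose category was selected for this threat are touched.
            if asset["category"] not in general["categories"]:
                continue
            matches = [r for r in asset["threats"] if r[field] == general[field]]
            if not matches:
                if create_missing:
                    asset["threats"].append({field: general[field],
                                             "dims": dict(general["dims"])})
                    changes.append((asset["name"], general[field], "created"))
                continue
            for row in matches:
                if mode == "unvalued" and not is_unvalued(row):
                    changes.append((asset["name"], general[field], "kept"))
                    continue
                row["dims"].update(general["dims"])
                changes.append((asset["name"], general[field], "updated"))
    return record, changes

def sample_assets():
    # Constructed sample inventory (not taken from any real analysis).
    return [
        {"name": "DB server", "category": "Hardware",
         "threats": [{"threat": "Fire", "dims": {"probability": 2, "impact": 4}}]},
        {"name": "Backup NAS", "category": "Hardware",
         "threats": [{"threat": "Fire", "dims": {"probability": None, "impact": None}}]},
        {"name": "File server", "category": "Hardware", "threats": []},
        {"name": "HR portal", "category": "Software",
         "threats": [{"threat": "Fire", "dims": {"probability": 1, "impact": 1}}]},
    ]

# Constructed general valuation: 'Fire' applies to the 'Hardware' category only.
GENERAL = [{"threat": "Fire", "categories": {"Hardware"},
            "dims": {"probability": 3, "impact": 5}}]

if __name__ == "__main__":
    for mode in ("all", "unvalued"):
        _, changes = apply_general_valuation(sample_assets(), GENERAL, mode=mode)
        print(mode, changes)
```
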