Risk Management Planning

Once selected the Risk Analysis in the initial list, you accede to the option ‘Planning of the Risk Management’.

This option is divided in two tables which show the following information.

List of items, assets and controls

It shows ‘by default’ the list of items, assets and controls which overcome the ARL and the associated controls. These are the tasks which can be performed on the table:

• Associate/Disassociate: It allows you to associate/disassociate one or several controls of the bottom table to the threat or threats you have selected. For this task you have to select the checkbox of the threat, select the checkbox of the control of the lower table and click on the button ‘Associate/Disassociate’.

• Display: It allows the user to do a filter of the list of assets/threats. These are the options:

  • Display All: It shows the complete list of assets and threats valued in the section ‘Risk Analysis’.

  • Overcome ARL: It shows the list of assets & threats that overcomes the ARL.

  • Acceptable Percentage: It shows the acceptable percentage of risks that are accepted in the organization. This parameter is configured in "Administration"

  • Display All (Without Control): It allows to visualize the complete list of elements, risks and controls, independently of the ARL

  • Without control: It allows you to view the complete list of assets and threats (regardless of the ARL which doesn’t have controls associated of the bottom table).

  • Without control overcomes ARL: It allows you to view in the list of assets which overcome the ARL and doesn’t have controls.

• Display dimensions: It allows selecting the quantitative / qualitative dimensions that will be shown in the table, for items, risks or controls

• Display Attributes: It allows selecting the textual dimensions that will be displayed in the table, for items, risks or controls.

• Download: You can download the list of assets and threats in an editable format (.docx)

• Dependencies: It shows the dependencies of the assets which you have selected.

• NRA: It reports about the ARL defined in the section ‘Risk Assessment’.

Treatment Plan

It shows the list of controls which have been defined for mitigating the threats which overcome the ARL in the top table. These are the options that you can perform on the table:

• Associate: It allows you to associate one or several controls to the threats which are listed in the top table. For this task you have to select the checkbox of the threat in the top table, select the checkbox of the control and click on the button ‘Associate’.

• New: When you click on this button you can insert a new control in the table. For defining the parameters of the new control you have to click on the name in the table and it will appear the following application form.

• Remove: When you click on the button ‘Remove’, you can remove a control defined in the table of Treatment Plan.

• Include implemented controls: It offers the possibility of inserting within the treatment plan controls already implemented in the organization, this option is available in "Controls Management" tab.

Ofrece la posibilidad de insertar dentro del plan de tratamiento controles ya implantados en la organización, disponibles en la opción "Gestión de Controles".

• Download: You can download the list of controls and associated actions in and editable format (.docx).

Edition of the Treatment Plan

The application form is divided in several sections and you can define the following fields:

General Data

• Name: It identifies the name of the control which will be displayed in the lower table.

• Control: It allows you to identify the control of the Statement of Applicability (SOA) on which is associated.

• Supervisor: It identifies the coordinator of the company for verifying the implementation of the control in the specified deadlines.

• Other Supervisor: It identifies the person in charge within the organization to verify the implementation of the control according to the defined deadlines, the supervisor can be defined in a textual way

• Resources: It allows you to identify the resources or departments of the company which will be involved in the implementation of the control.

• Term: It identifies the term on which it must be implemented in the organization.

• Associated Cost: You can define the cost of the implementation for the company

• Comments: It allows you to incorporate specific clarifications about the implementation of the control.

• Observations: It allows you to indicate any additional comment associated with the control.

General Valuation of the Control

It allows you to assess the dimensions of the control that have been configured to be displayed on the Control Panel. View Control Methodology.

Indicators of the Control

It allows you to associate one or several indicators defined in the section 'ScoreCard/Indicators'.

Actions associated with the control

It allows you to define the actions which are needed for the implementation if you click on the button ‘New’. This action generates a new entry in the table that allows you to define the following parameters:

• Name: It allows you to identify the name of the actions clicking twice on the cell.

• Supervisor: It identifies the supervisor or department inside the organization which is in charge for verifying the completion of the action in the specific term.

• Resources: It allows you to identify the resource or resources or departments involved in the realization of the action.

• Deadline: It identifies the deadline on which the action must be completed. This deadline must not be higher than the deadline of implementation of the control.

In case you want to remove an action, you have to select the row or rows and click on the button ‘Remove’.

Threats with the control associated

It shows the list of threats of the top table on which the control is associated. For dissociating the threat to the control, you have to select the row or rows and click on the button ‘Dissociate’.

In case the control methodology used is "By Threat" type, for each threat, it will be possible to review and modify the effectiveness evaluation that the control has, as well as to modify it. The "By Threat" check will be set to 'Yes' when the evaluation is specific to that threat, or otherwise it will appear as Threats that do not have specific assessment and they will be applied the general assessment of the control.

Proposed Assets

It shows the list of assets which will be affected indirectly by the control. These assets are those on which depends on the asset or assets identified in the section ‘Threats with the control associated’. The dependencies are defined in the section ‘Analysis/Assets Inventory’.

Evidences associated with the control

It allows you to associate evidences to the treatment plan (or control) you are being defined. For this task, from the button "Associate Evidence" you access to a popup window which contains all the evidence recorded in the "Evidence Management" of the "Analysis" menu. It allows you to associate one or several evidences of the list.

Proposed Controls

GlobalSUITE offers the possibility of having a catalog of controls which you associate the threats of the top table, and it allows you to do the following actions:

• Associate: It allows you to associate one or several proposed controls to the threat or threats listed in the higher table. For this task you have to select the checkbox of the threat in the higher table, select the checkbox of the control and click on the button ‘Associate’.

When you associate the control, it will be shown the table with the Treatment Plan.

• Category: It allows you the list of proposed control by categories. The list of controls can be defined in ‘Administration/Analysis Catalog’.

• Threat: It allows you to show the list of the proposed controls by threats. The list of controls can be defined in ‘Administration/Analysis Catalog’.