Hornbill evaluates strategic and operational risks on an ongoing, 'as necessary' basis. This approach recognises the rapid evolution and fast-changing nature of the business. Risk assessments are carried out whenever there is a change to any of the Assets (e.g. the addition or removal of an asset), to the scope of the Information Security System, to code, or to the risk environment. The impact that might result from each threat-vulnerability combination is defined, as part of the risk assessment methodology, as the value of the Asset that the combination would exploit; this figure is held for each attribute within the Risk assessment spreadsheet. The realistic likelihood that each of these failures might occur is assessed using the likelihood scale in the risk assessment methodology. The risk level for each risk is then calculated automatically and shown in the Risk Rating column for that asset.
Any residual risks must get management approval.
All software and hardware is assessed, and all current vulnerabilities identified, using a range of sources (vendor information, CVE and NIST lists, and in-house testing) on a weekly basis; critical CVEs are reviewed daily.
Critical vulnerabilities are either resolved (patched) or mitigated by process within 12 hours, High within 48 hours, Medium within 1 week and Low within 1 month.
Criteria for review and prioritisation include (but are not limited to):
- Whether the affected software/hardware is installed or in use, and to what extent.
- Whether the vulnerability can actually be exploited in our environment (e.g. does it require access via ports that are locked down).
- Whether the vulnerability is already mitigated by another process, policy or standard operating procedure.
- How practical the exploit is (e.g. is it only a proof of concept).
- Whether other measures have been taken to prevent exploitation.
All review outcomes are recorded in the weekly security incident call logged within the Hornbill client, together with the actions taken to address them.