Difference between revisions of "ISO:Risk Management"
(4 intermediate revisions by 2 users not shown)
Line 1: | Line 1: | ||
+ | This document can now be found at its new location in the [https://docs.hornbill.com/hornbill-cloud/iso/risk-management/ Hornbill Document Library]. | ||
+ | |||
+ | [[file:hornbill-document-library.png|Hornbill Cloud|link=https://docs.hornbill.com/hornbill-cloud/iso/risk-management/]] | ||
+ | |||
+ | <!-- | ||
== Risk Management == | == Risk Management == | ||
− | Hornbill evaluates strategic and operational risks on an ongoing, 'as necessary' basis. This approach | + | Hornbill evaluates strategic and operational risks on an ongoing, 'as necessary' basis. This approach recognizes the rapid evolution and fast-changing nature of the business. |
− | Risk assessments are carried out whenever there is a change to any of the Assets (e.g. addition or removal of assets), to the scope of the Information Security System, changes to code or to the risk environment. | + | Risk assessments are carried out whenever there is a change to any of the Assets (e.g. addition or removal of assets), to the scope of the Information Security System, changes to code, or to the risk environment. |
− | The impact that might result from each threat | + | The impact that might result from each threat vulnerability is defined as part of the risk assessment methodology as the value of the Asset which the threat-vulnerability combination would exploit and this figure is held for each attribute within the Risk assessment spreadsheet. |
The realistic likelihood that each of these failures might occur is assessed using the likelihood scale from risk | The realistic likelihood that each of these failures might occur is assessed using the likelihood scale from risk | ||
The risk levels are then automatically calculated, for each risk and shown in the Risk Rating column for that asset. | The risk levels are then automatically calculated, for each risk and shown in the Risk Rating column for that asset. | ||
Line 11: | Line 16: | ||
==Vulnerability Management== | ==Vulnerability Management== | ||
− | All software\hardware is assessed and all current vulnerabilities identified using various sources (Vendor information, CVE lists\NIST Lists and inhouse testing) on | + | All software\hardware is assessed and all current vulnerabilities identified using various sources (Vendor information, CVE lists\NIST Lists, and inhouse testing) on weekly basis (CVE critical on daily basis). |
− | Any criticals are either resolved\patched or mitigated by process within 12 hours, High within 48 hours, medium within 1 week and Low within 1 month. | + | Any criticals are either resolved\patched or mitigated by the process within 12 hours, High within 48 hours, medium within 1 week, and Low within 1 month. |
Criteria for Review & Prioritization include (Not Limited to) | Criteria for Review & Prioritization include (Not Limited to) | ||
− | #Whether | + | #Whether affected software/hardware is installed\used and to what level |
#Whether vulnerability can be exploited (Does it require access via locked down ports etc). | #Whether vulnerability can be exploited (Does it require access via locked down ports etc). | ||
#Is the vulnerability mitigated by any other process\policy or standard operating procedures. | #Is the vulnerability mitigated by any other process\policy or standard operating procedures. | ||
− | #How practical is the vulnerability exploit. Is it proof of concept | + | #How practical is the vulnerability exploit. Is it proof of concept? |
#Whether other means have been taken to prevent exploit | #Whether other means have been taken to prevent exploit | ||
All Outcomes of review to be records in weekly security incident call logged within Hornbill client and actions taken to address any outcomes. | All Outcomes of review to be records in weekly security incident call logged within Hornbill client and actions taken to address any outcomes. | ||
+ | --> | ||
+ | [[Category:HDOC]] | ||
+ | |||
+ | <!-- hornbill-cloud/iso/risk-management --> |
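Review bot: "All Outcomes of review to be records in weekly security incident call logged within Hornbill client" stays ungrammatical in both revisions (suggest "All outcomes of the review are to be recorded in the weekly security incident call logged within the Hornbill client"), and "on weekly basis" still lacks an article. Note also that the added "-->" closes the comment opened before "== Risk Management ==", so "[[Category:HDOC]]" remains live on the page while the policy text above it is hidden; if the intent is a pure pointer to the new location, confirm the category should still apply to this stub.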