Standards based Risk Management Framework that underpins a SOC2 compliant Risk Assessment Tool
Our Solution
A Risk Assessment Tool for business and personal use
Our mission is to make it easier to follow a Secure by Design process by enabling teams to assess security risks in a consistent, robust and repeatable way for every type of IT project starting at project inception.
The purpose of the IT Controls Framework is to provide a structured and reasoned way of identifying, rationalising and measuring the effectiveness of security controls across your enterprise. The IT Controls Framework consolidates multiple best practice industry frameworks and standards (NIST CSF, ISO27001, NIST 800-53 and COBIT 5) and relevant regulations/laws in a way that enables future-proof decision-making and the ability to mature your security function.
This framework underpins a Security Risk Assessment and Management Tool that helps to identify and manage security risks consistently. The tool includes an assessment questionnaire to guide the user through each stage including, when appropriate, a Data Privacy Impact Assessment (DPIA). Once all required inputs are gathered, the tool issues a set of information security controls to be met by the project, together with an inherent risk score and a DPIA, if required. The inputs and outputs of the assessment are contained in an Excel workbook with tabs for each aspect of the assessment. This includes all required information supporting each security control, the acceptance criteria, the evidence required and the size of the evidence effort.
There are three main risk assessment triggers:
New assets or projects
Scope expansion
Periodic re-assessment
These triggers, together with threat and vulnerability ratings of assets, feed into the risk assessment.
The output updates the risk register and formalises risk treatment.
Aligned to multiple industry best practice standards and NIST RMF
There are 7 stages in the NIST RMF:
Prepare
Categorise system
Select controls
Implement controls
Assess controls
Authorise system
Monitor controls
Risk assessment is part of a wider strategy, governance model and risk management lifecycle
The capability model shows the wider risk management strategy, governance model and risk management lifecycle, which also relies on cybersecurity vigilance through training and awareness.
The cybersecurity risk management process model consists of three separate workflows aligned to NIST RMF
Risk Management & Issue Remediation
Prepare
Categorise
Select
Implement
Assess
Authorise
The risk assessment tool has up to 4 stages if the asset or project involves the use of personal data.
Tool stages:
Risk triage questionnaire
Data Privacy Impact Assessment (DPIA)
Controls issue
Self assessment
The assessment questionnaire
Questionnaire sections:
Asset/project general information
Deployment type, i.e. SaaS, IaaS, PaaS, on-prem etc.
Project type, i.e. network, application, database, digital, internet facing etc.
Project/Application data contents
Interaction with company systems
The Data Privacy Impact Assessment (DPIA)
DPIA questions covering the following categories:
Types of Personal Data
Purpose of Collecting Personal Data
Sources of Personal Data
Third Parties processing Personal Data
Security
Individual’s Privacy
Data Retention and Deletion
The Security Controls Sheet outlining the security controls required to safeguard the asset or application
The Security Controls Sheet
Control Information
Required Inputs
Application Mapping
Technology Mapping
Frameworks and Standards Mapping
Regulatory Mapping
Any controls identified in the previous stage as ‘Not Met’ or ‘Partially Met’ are automatically populated into the final stage of the process, the Risk Self-Assessment Sheet. Here, users must determine the risk level associated with not meeting, or only partially meeting, the specified controls, based on the guidance sheet provided.
Figure 1:
Risk Self-Assessment Sheet. This sheet will be automatically populated based on the inputs received in the Information Security Controls Sheet; Data for Controls that are ‘Not Met’ or ‘Partially Met’ will be pulled across.
Using the control’s ‘Risk Statement’, users are required to provide a risk impact score and a likelihood of occurrence for being unable to fully implement and comply with the control.
Figure 2:
Users are provided with guidance on how to determine appropriate risk impact and likelihood scores based on the factors identified in the four matrices.
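The following is an added illustration of the self-assessment step described above, not code from the tool or its workbook. It models the carry-forward of ‘Not Met’ and ‘Partially Met’ controls into a self-assessment, takes a user-supplied impact and likelihood score per control, and bands the product into a risk level. The control identifiers, risk statements, the 1 to 5 scales and the High/Medium/Low thresholds are all constructed assumptions; the page does not publish the tool’s actual guidance matrices.

```python
"""Constructed example of a risk self-assessment carry-forward and scoring.

Control IDs, statuses, the 1-5 impact/likelihood scales and the banding
thresholds below are assumptions for illustration only.
"""

from dataclasses import dataclass

# The page states that only these two statuses are pulled across.
CARRIED_STATUSES = {"Not Met", "Partially Met"}

# Assumed 1-5 scales; the tool's real guidance matrices are not reproduced here.
IMPACT_LEVELS = {1: "Negligible", 2: "Minor", 3: "Moderate", 4: "Major", 5: "Severe"}
LIKELIHOOD_LEVELS = {1: "Rare", 2: "Unlikely", 3: "Possible", 4: "Likely", 5: "Almost certain"}


@dataclass
class ControlResult:
    """One row of the Information Security Controls Sheet."""
    control_id: str
    risk_statement: str
    status: str  # "Met", "Partially Met" or "Not Met"


@dataclass
class SelfAssessmentRow:
    """One row of the Risk Self-Assessment Sheet after the user has scored it."""
    control_id: str
    risk_statement: str
    status: str
    impact: int
    likelihood: int

    @property
    def score(self) -> int:
        return self.impact * self.likelihood

    @property
    def level(self) -> str:
        return risk_level(self.score)


def risk_level(score: int) -> str:
    """Band a 1..25 impact x likelihood product. Thresholds are an assumption."""
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


def carry_forward(controls):
    """Return only the controls the self-assessment must cover."""
    return [c for c in controls if c.status in CARRIED_STATUSES]


def validate_score(value: int, scale: dict) -> int:
    """Reject scores outside the guidance scale rather than silently accepting them."""
    if value not in scale:
        raise ValueError(f"score {value} is outside the scale {sorted(scale)}")
    return value


def build_self_assessment(controls, scores):
    """scores maps control_id -> (impact, likelihood) as entered by the user.

    Every carried-forward control must be scored; unscored controls are an error
    so that a gap in the sheet cannot be mistaken for a low risk.
    """
    rows = []
    for c in carry_forward(controls):
        if c.control_id not in scores:
            raise KeyError(f"{c.control_id} has no impact/likelihood score")
        impact, likelihood = scores[c.control_id]
        rows.append(SelfAssessmentRow(
            c.control_id, c.risk_statement, c.status,
            validate_score(impact, IMPACT_LEVELS),
            validate_score(likelihood, LIKELIHOOD_LEVELS),
        ))
    # Highest residual risk first, which is the order a risk register review wants.
    rows.sort(key=lambda r: r.score, reverse=True)
    return rows


# Constructed sample controls sheet and user scores.
SAMPLE_CONTROLS = [
    ControlResult("AC-01", "Application access is not restricted to authorised users", "Met"),
    ControlResult("CR-02", "Data at rest is not encrypted", "Not Met"),
    ControlResult("LG-03", "Security events are not centrally logged", "Partially Met"),
    ControlResult("BC-04", "No tested backup and restore procedure exists", "Not Met"),
]
SAMPLE_SCORES = {"CR-02": (5, 3), "LG-03": (3, 3), "BC-04": (4, 2)}

if __name__ == "__main__":
    for row in build_self_assessment(SAMPLE_CONTROLS, SAMPLE_SCORES):
        print(f"{row.control_id:6} {row.status:14} impact={row.impact} "
              f"likelihood={row.likelihood} score={row.score:2} -> {row.level}")
```

In this sample the ‘Met’ control AC-01 never reaches the self-assessment, CR-02 (5 × 3 = 15) bands as High, and LG-03 and BC-04 band as Medium; a score outside the scale, or a carried-forward control left unscored, is rejected rather than defaulted.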
Our product was conceived by security professionals to solve a common challenge of Secure by Design in all IT projects.
The technical team behind the product have architected the solution using open source components and frameworks so that the product can be improved and deployed in practically any environment.
We worked closely with Governance Risk and Compliance teams to design this product.
We field tested this product in different industries from retail through energy and industrial control.
We are always interested in how we can make this product better so tell us your suggestions for improvement.
Contact sales@athencis.co.uk to get more information