Risk Submission 

Introduction

The Risk Submission page is where the risk life cycle begins in SimpleRisk. On this page you begin defining your risk. When entering risks, remember that the only required field on the page is the Risk Subject; every other field is optional, at least as far as the ability to submit is concerned. It is not uncommon to need to gather information over time to define a risk completely.

Page Breakdown

  1. “+” - This button allows you to open multiple risk submission tabs on a single page. When a risk is submitted from one of these tabs that tab then refreshes and displays the risk details for the newly created risk without changing or otherwise closing the other new risk tabs. This feature is useful for when you know you are about to open a multitude of risks and will need to keep up with updating them after submission throughout the day.

  2. Subject - The subject is the only default required field in SimpleRisk. General guidelines for setting a helpful risk subject include describing the risk or event that would take place or has taken place. As an example, “Unencrypted SSH Key on Server X” is not a very good risk subject, as it does not accurately depict the risk involved in the described situation. A better example would be “Data and Revenue Lost Due to Unencrypted SSH Key on Server X”. This field allows for fairly long entries, with a 300 character limit. The risk subject is the most used unique description of a risk besides the risk ID, and it is displayed in notification emails as well as most reports, so keeping subjects unique is important.

  3. Risk Mapping - The Risk Mapping field provides 32 high-level risks that your risks may be mapped against.  These risks may be added or removed under the “Risk and Threat Catalog” link under the “Configure” menu.  These mappings are another way to help you to group different risks together in order to report on them to management.

  4. Category - This field allows you to select and categorize your risk. This field is able to have options added/removed/changed in the “Configure” menu at the top followed by “Add & Remove Values” on the left. Category can be a helpful tool for reporting and making use of the category field will contribute to the ability to narrow down search results that much faster.

  5. Site/Location - Similar to Category, this field can be edited in the “Add & Remove Values” menu. Site/Location doesn’t necessarily have to be the same place as the affected asset: it is generally where the risk takes place, but depending on the situation the affected asset may be nowhere near the site/location recorded with the risk.

  6. External Reference ID - This field allows you to store any other aliases or ticket numbers this particular risk may have. Another function of this field is that if you enter a CVE reference number, the risk information will be filled in automatically, as long as your instance can reach the internet to retrieve that information.

  7. Control Regulation - This field allows you to assign a controlling regulatory framework. This list is populated by the frameworks currently defined in the “Governance” section of SimpleRisk.

  8. Control Number - This field gives you a space to store any control numbers that may be relevant or govern the risk being created.

  9. Affected Assets - This field can be used to select assets already in the system or define a new one. Depending on whether the corresponding option in the “Configure” menu is checked, newly entered assets are either automatically considered verified or not. If they are not automatically verified, they will not appear in the list for the next risk or user until they are verified via the Asset Management menu.

  10. Technology - This field allows users to track the affected or involved technology/technologies. The values of this field are adjustable from the “Add & Remove Values” menu in “Configure” and include the following by default: Anti-Virus, Backups, Blackberry, Citrix, Datacenter, Live Collaboration, Mail Routing, Messaging, Mobile, Network, Power, Remote Access, SAN, Telecom, Unix, VMWare, Web, Windows.

  11. Team - This field is used for recording the team associated with a given risk. The entries for this field can be edited from “Add & Remove Values” in the “Configure” menu. This field is used as a determining factor for what risks, assets, and compliance audits a user may have access to when using the Team-Based Separation Extra (A paid feature requiring annual subscription). Users will also find a fair deal of reporting based around teams regardless of the Team-Based Separation Extra making this a vital field in creating meaningful reporting. The default teams available in SimpleRisk are: Branch Management, Collaboration, Data Center & Storage, Database, Information Security, IT Systems Management, Network, Unix, Web Systems, Windows.

  12. Additional Stakeholders - This is your catch-all user field. It displays a list of all users currently in the system. The drop-down is multi-select, so a single field can be attached to multiple users. With the Notification Extra, this is also a good way to notify users who have no other appropriate field to be notified through but who still want to keep up with a given risk.

  13. Owner - This is your risk owner field. It is generally assigned to the user who is directly responsible for overseeing the risk moving forward; they may not be the person who directly mitigates the risk, but they generally govern the system or process the risk represents. This is a user select dropdown that allows you to select any already defined user in the system.

  14. Owner’s Manager - Very much like the owner field this field is a single user dropdown. This is most often used for the direct manager of the risk owner to keep them updated about changes with the risk via the Notification Extra.

  15. Risk Source - This field is for tracking the source of the risk. This field can be edited from “Add & Remove Values” and the default values include: External, People, Process, and System.

  16. Risk Scoring Method - This field is where you select the type of scoring you wish to use for a given risk. By default we support 6 methods: Classic, CVSS, DREAD, OWASP, Custom, and Contributing Risk. Short descriptions of each follow:
    Classic Risk Rating: This risk rating methodology uses a Likelihood value and an Impact value with a mathematical formula applied to come up with a risk score.  Typically something like Risk = Likelihood x Impact.  This is covered more in the Normalizing Risk Scores Across Different Methodologies blog post.

    CVSS: Also known as the Common Vulnerability Scoring System, CVSS is developed by the Forum of Incident Response and Security Teams (FIRST) organization and is what is used to rate all of the Common Vulnerabilities and Exposures (CVEs) found in the National Vulnerability Database (NVD).  It consists of a Base Vector, which has multiple values to estimate likelihood and impact, along with optional values to estimate the Temporal and Environmental impact on your environment.

    DREAD: The DREAD risk assessment model was initially used at Microsoft as a simple mnemonic to rate security threats on the basis of Damage, Reproducibility, Exploitability, Affected Users, and Discoverability.  We don't see it being used by customers very often, but it has been included in SimpleRisk since very early on in our product history.

    OWASP: The OWASP Risk Rating Methodology was created by Jeff Williams, one of the Founders of the OWASP organization, as a means to easily and more accurately assess the likelihood and impact of a web application vulnerability.  It's an application-centric play on the Classic Risk Rating described above, where the Likelihood is assessed based on Threat Agent and Vulnerability factors and the Impact is assessed based on Technical and Business factors.

    Contributing Risk: This risk scoring methodology came about in SimpleRisk as a custom development effort for a large data center customer in the UK.  It is also a play on the Classic Risk Rating described above, but assesses the Impact of the risk against multiple different, customizable, weighted values such as Safety, SLA, Financial and Regulation.

    Custom: This is by far the most simple, and potentially the most subjective, risk assessment methodology implemented in SimpleRisk.  The idea here is that you simply specify a number ranging from 0 through 10 to assess your risk.  Ideally, you would have some external method that you used to calculate that value and attach as evidence, but that may not always be the case.

  17. Current Likelihood - This is where you set the likelihood when using the Classic risk rating. Values in this field can be added/removed/renamed on the “Configure Risk Formula” page of the “Configure” menu.

  18. Current Impact - This is where you set the impact when using the Classic risk rating. Values in this field can be added/removed/renamed on the “Configure Risk Formula” page of the “Configure” menu.

  19. Risk Assessment - This field gives you a clear place to describe the current risk in question in detail. What is currently known about this risk, what damage it will cause, and how it can occur are all types of information you might put in the risk assessment field.

  20. Additional Notes - This field is for anything that would be outside your given process for filling out the risk assessment field but is still relevant to the risk. Think of this as your free bonus field for information that may be important but has no pre-designated place.

  21. Supporting Documentation - This button allows users to upload files to be attached to the risk. There is no strict limit on how many files can be uploaded to a risk, and the maximum size is set on the “Settings” page in the “File Upload” tab of the “Configure” menu. Please note that the maximum set in the “Configure” menu cannot exceed the maximum file size PHP is currently configured to handle. This page is also used for controlling the file types and extensions that are allowed for upload. For more information on adjusting the maximum upload size please see the following: How to Configure Max File Size in Simplerisk.

  22. Tags - The Tags field is for storing easy to search terms that apply to a given risk. Tagging has nearly endless possibilities for ensuring users are able to locate and group risks by meaningful and helpful terms. Tags are reusable and searchable by just starting to type the tag in question into the Tags field or clicking the field and scrolling through the dropdown to find your tag.

  23. Clear Form - This button clears the entire page of all entered data. Nothing previously entered is saved in any way at this point, so if it is clicked there is no going back.

  24. Submit - This button submits the risk into the system and saves any new tags or assets that were created along with that risk. Once submitted you will be taken to the generated risk’s details page. 
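To make the Classic and Contributing Risk methods from item 16 concrete, here is an added illustration (not SimpleRisk's own code) of how a Likelihood x Impact score and a weighted multi-factor impact can be computed. The 1-5 Likelihood and Impact scales, the 0-10 output scale and the Safety/SLA/Financial/Regulation weights are constructed assumptions; SimpleRisk's actual tables and weights are configured in the product.

```python
# Constructed scales, assumed 1..5 as in a typical Classic Risk Rating setup.
# These are illustrative only; SimpleRisk's own tables are configurable.
LIKELIHOOD = {"Remote": 1, "Unlikely": 2, "Credible": 3, "Likely": 4, "Almost Certain": 5}
IMPACT = {"Insignificant": 1, "Minor": 2, "Moderate": 3, "Major": 4, "Extreme": 5}
MAX_SCORE = 10.0  # assumed output range 0..10, matching the Custom method's range

# Scale factor so that the highest Likelihood x Impact maps to MAX_SCORE.
_SCALE = MAX_SCORE / (max(LIKELIHOOD.values()) * max(IMPACT.values()))


def classic_score(likelihood: str, impact: str) -> float:
    """Classic Risk Rating: Risk = Likelihood x Impact, normalised to 0..MAX_SCORE."""
    return round(LIKELIHOOD[likelihood] * IMPACT[impact] * _SCALE, 2)


# Contributing Risk: impact is assessed against several weighted sub-impacts.
# Weights are assumed to sum to 1.0; the names follow the page's examples.
CONTRIBUTING_WEIGHTS = {"Safety": 0.40, "SLA": 0.20, "Financial": 0.25, "Regulation": 0.15}


def contributing_impact(sub_impacts: dict) -> float:
    """Weighted average of the sub-impact ratings, each on the IMPACT scale."""
    if abs(sum(CONTRIBUTING_WEIGHTS.values()) - 1.0) > 1e-9:
        raise ValueError("contributing weights must sum to 1.0")
    missing = set(CONTRIBUTING_WEIGHTS) - set(sub_impacts)
    if missing:
        # Every weighted factor must be rated, or the score is silently biased.
        raise ValueError(f"missing sub-impact ratings: {sorted(missing)}")
    return sum(w * IMPACT[sub_impacts[name]] for name, w in CONTRIBUTING_WEIGHTS.items())


def contributing_score(likelihood: str, sub_impacts: dict) -> float:
    """Contributing Risk: Likelihood x weighted Impact, normalised like classic_score."""
    return round(LIKELIHOOD[likelihood] * contributing_impact(sub_impacts) * _SCALE, 2)


if __name__ == "__main__":
    # Constructed example risk: likely to occur, with an extreme safety impact
    # but only minor SLA and insignificant regulatory consequences.
    ratings = {"Safety": "Extreme", "SLA": "Minor", "Financial": "Major", "Regulation": "Insignificant"}
    print("Classic:", classic_score("Likely", "Major"))
    print("Contributing:", contributing_score("Likely", ratings))
```

Changing the weights shows why a weighted scheme needs review by management: the same ratings can land in a different score band purely through the weighting chosen.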


Summary

The Risk Submission page in SimpleRisk is your #1 stop for entering risks into the system to begin the risk management lifecycle. This page should have served to answer all questions related to risk submission but if you feel anything has been missed or just seek further clarification please reach out to us at support@simplerisk.com.