How do I prioritize deficiencies based on risk?

Identify Threats/Risks
Risk analysis should start with a threat profile. What threats is the organization susceptible to? How frequently does a threat event occur? For example, does the threat occur twice a year or once every hundred years? What is the impact of the threat if it is not prevented or mitigated by controls? How sudden is the onset of the threat? If immediate, it is more critical for the organization to prepare in advance. If the threat slowly materializes over time, monitoring strategies may be sufficient.
TruComply comes with 43 predefined threats mapped to industry and organizational size-specific threat profiles. Organizations can use these threat profiles as a head start and then develop custom threats or modify existing ones as requirements dictate.
Determine Controls Which Mitigate Threats/Risks
Threat data is not very useful unless it is related back to the controls which mitigate or prevent the threat from impacting the organization. This threat-control mapping exercise can be extremely time-consuming, as each control must be individually related to the threats it mitigates and a weighting factor applied to indicate the relative effectiveness of the control at mitigating that risk.
TruComply does this work for clients by maintaining mappings between the 43 predefined threats and 2,700 UCF controls (116,100 relationships!). These mappings are updated with each quarterly UCF release.
Calculate Business Process and Asset Criticality
Not all vulnerabilities are created equal. After all, a control deficiency on a workstation which leads to a localized exploit is not nearly as damaging as the same compromise occurring on a mission-critical e-commerce server. Thus, the organization needs to rate the relative criticality of assets and business processes.
TruComply provides a robust method for calculating asset and business process criticality based on the following factors: Confidentiality, Integrity, Availability, Downtime cost, Affected systems, Affected people, Political impact, and PR impact. Organizations may choose to populate all of these factors or none of them, and can adjust the relative weightings accordingly.
Often organizations appreciate the value of determining business process and asset criticality, but find the prospect of gathering and maintaining such data daunting. With TruArx’ Managed Compliance and Risk Services, a TruArx consultant will manage all aspects of data collection and maintenance, including interviewing stakeholders to collect baseline data.
Determine Remediation Costs and Complexity
Remediation cost and complexity are further factors which need to be taken into account in risk decision-making. All other factors being equal, the organization should prioritize less expensive and simpler remediation projects over costly projects which, due to their complexity, carry a higher risk of failure.
TruArx provides default remediation recommendations as well as implementation and support cost estimates for all 2,700 UCF controls. These values are calculated based on the organization’s internal and contractor labor rates and can be edited globally or for an individual remediation task.
Calculate a Risk Metric based on Factors Above
Ultimately, decisions need to be made. In many cases, the number of projects to consider can be significant enough to require summarizing the factors above into metrics for prioritization.
TruComply provides two metrics which can be compared across remediation projects: Risk Effectiveness Factor (REF) and Security Efficiency Factor (SEF). REF is a score from 1-10 which combines risk and asset criticality. Thus a high-risk control deficiency impacting a low-value asset such as a general workstation will have a significantly lower REF than the same control deficiency on a mission-critical server housing sensitive data. SEF is an additional calculation based on REF, but with the cost and complexity of remediation also factored in. We believe both are necessary: REF tends to emphasize larger projects which, while costly, are critical to reducing risk to acceptable levels, whereas SEF tends to prioritize ‘quick wins.’ Together, they provide management with excellent, fact-based metrics for decision-making.
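As an added illustration (not TruComply's code, and not its REF/SEF formulas, which this page does not disclose), the following Python model walks through the steps above with constructed threats, a threat-control mapping, the page's weighted criticality factors and remediation effort. The REF and SEF formulas, the factor weights and all sample values are assumptions, chosen so that REF favours the large project on the critical server while SEF favours the cheap fix on the workstation, as described.

```python
"""Risk-based deficiency prioritisation, constructed to mirror the steps above.
The REF/SEF formulas are assumptions for illustration, not TruComply's own."""

# Constructed threat profile: annual frequency and impact (1-5) per threat.
THREATS = {"ransomware": (2.0, 5), "insider_misuse": (0.5, 4), "flood": (0.01, 5)}
# Constructed threat-control mapping: control -> {threat: effectiveness 0-1}.
CONTROLS = {"offline_backups": {"ransomware": 0.8, "flood": 0.6},
            "privileged_access_review": {"insider_misuse": 0.7}}
# The page's criticality factors with assumed weights (sum to 1.0); each factor scored 1-5.
FACTOR_WEIGHTS = {"confidentiality": 0.2, "integrity": 0.2, "availability": 0.2,
                  "downtime_cost": 0.15, "affected_systems": 0.1,
                  "affected_people": 0.05, "political": 0.05, "pr": 0.05}
# Constructed deficiencies: (control, asset, factor scores, remediation cost, complexity 1-5).
DEFICIENCIES = [
    ("offline_backups", "ecommerce_server", {f: 5 for f in FACTOR_WEIGHTS}, 120_000, 5),
    ("offline_backups", "workstation", {"confidentiality": 2, "integrity": 2}, 2_000, 1),
    ("privileged_access_review", "ecommerce_server", {f: 5 for f in FACTOR_WEIGHTS}, 15_000, 2),
]

def control_risk(control):
    """Annualised risk a deficient control leaves exposed: sum of freq * impact * effectiveness."""
    return sum(THREATS[t][0] * THREATS[t][1] * w for t, w in CONTROLS[control].items())

def criticality(factors):
    """Weighted asset criticality on a 0-1 scale; unpopulated factors default to 1 (lowest)."""
    return sum(FACTOR_WEIGHTS[f] * factors.get(f, 1) for f in FACTOR_WEIGHTS) / 5.0

def ref(control, factors, max_risk):
    """Risk Effectiveness Factor (1-10): risk share scaled by asset criticality (assumed formula)."""
    return round(1 + 9 * (control_risk(control) / max_risk) * criticality(factors), 2)

def sef(control, factors, cost, complexity, max_risk, max_cost):
    """Security Efficiency Factor: REF discounted by remediation effort (assumed formula)."""
    effort = 1 + 9 * (cost / max_cost) * (complexity / 5.0)
    return round(ref(control, factors, max_risk) / effort, 2)

def rank(metric, defs=DEFICIENCIES):
    """Rank deficiencies by 'REF' or 'SEF', highest first; returns (score, control, asset)."""
    max_risk = max(control_risk(c) for c, *_ in defs)
    max_cost = max(cost for *_, cost, _ in defs)
    rows = []
    for control, asset, factors, cost, complexity in defs:
        score = (ref(control, factors, max_risk) if metric == "REF"
                 else sef(control, factors, cost, complexity, max_risk, max_cost))
        rows.append((score, control, asset))
    return sorted(rows, reverse=True)

if __name__ == "__main__":
    for metric in ("REF", "SEF"):
        print(metric, rank(metric))
```

With these constructed inputs the REF ranking puts the backup deficiency on the e-commerce server first, while the SEF ranking puts the cheap workstation fix first.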
