On some level, the whole point of a security program is to manage risk. In securityprogram.io (SPIO) we provide policy around how the risk program should work and some templates for a risk management process that you can adopt as an organization.
The foundation of that is a willingness to document and talk about risks. The risk register helps you to do that. In theory, anyone can report a risk, and it will be put in the risk register. In practice, it is often the technical team, the security team or even users that report risks.
Once a risk has been reported, we track it in the register to help us document that we are aware of it and that we handled it. Often we use the risk register as part of our frequent discussion with broader management to make them aware of risks that we see and how we're dealing with them.
The Register Itself
In SPIO, the risk register makes it easy to create and track risks. Then you can see who the owner is, start to estimate probability and impact and track the status, which is one of:
- New - Yet to be triaged.
- Accepted - You accept this risk without need for further action. Basically, you know it is there and you're not going to do anything about it.
- Mitigated - You have a plan in place that minimizes the impact of this risk or otherwise mitigates it.
- Transferred - You have transferred this risk (through, say, a contract) to another party.
- Closed - A risk in this status is no longer a risk.
Risks in SPIO also have fields to gather:
- A mitigation plan - how you're going to mitigate the risk.
- A response plan - what you're going to do if the risk materializes.
Of course, it is helpful to understand when risks are identified and when they get handled.
It is a bad sign if risks are commonly identified but then there are long periods before they get handled.
It is probably a bad sign if there are no risks identified. That suggests that the organization doesn't have a very effective way to realistically identify and deal with risks.
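To make the register and the timing signals above concrete, here is a small worked model written for this page; it is an added example, not SPIO's own code or data model. It assumes a 1 to 5 scale for probability and impact, a 30-day threshold for "long periods before they get handled", a set of allowed status moves, and a handful of constructed sample risks.

```python
from dataclasses import dataclass, field
from datetime import date
from enum import Enum
from typing import List, Optional, Tuple


class Status(Enum):
    NEW = "New"                  # yet to be triaged
    ACCEPTED = "Accepted"        # known, no further action planned
    MITIGATED = "Mitigated"      # a plan is in place reducing the risk
    TRANSFERRED = "Transferred"  # moved to another party, e.g. by contract
    CLOSED = "Closed"            # no longer a risk


# Assumed status moves: a New risk must be triaged before it can be Closed,
# and a Closed risk is terminal. This is an assumption of the example, not SPIO policy.
TRANSITIONS = {
    Status.NEW: {Status.ACCEPTED, Status.MITIGATED, Status.TRANSFERRED},
    Status.ACCEPTED: {Status.MITIGATED, Status.TRANSFERRED, Status.CLOSED},
    Status.MITIGATED: {Status.ACCEPTED, Status.TRANSFERRED, Status.CLOSED},
    Status.TRANSFERRED: {Status.CLOSED},
    Status.CLOSED: set(),
}

STALE_AFTER_DAYS = 30              # assumed threshold for "too long in New"
TODAY = date(2024, 4, 1)           # constructed "as of" date for the sample run


@dataclass
class Risk:
    title: str
    owner: str
    reported_on: date
    probability: int               # 1 (rare) .. 5 (almost certain), assumed scale
    impact: int                    # 1 (negligible) .. 5 (severe), assumed scale
    status: Status = Status.NEW
    mitigation_plan: str = ""      # how you are going to mitigate the risk
    response_plan: str = ""        # what you will do if the risk materializes
    handled_on: Optional[date] = None
    history: List[Tuple[date, Status, Status]] = field(default_factory=list)

    def score(self) -> int:
        """Simple probability x impact rating used for ordering the register."""
        return self.probability * self.impact

    def can_move(self, new: Status) -> bool:
        return new in TRANSITIONS[self.status]

    def set_status(self, new: Status, on: date) -> None:
        if not self.can_move(new):
            raise ValueError(f"{self.status.value} -> {new.value} is not an allowed move")
        if self.status is Status.NEW:
            self.handled_on = on   # first triage out of New counts as "handled"
        self.history.append((on, self.status, new))
        self.status = new

    def days_to_handle(self, today: date) -> int:
        """Days from report to first handling; still counting if the risk is untriaged."""
        end = self.handled_on or today
        return (end - self.reported_on).days


class RiskRegister:
    def __init__(self) -> None:
        self.risks: List[Risk] = []

    def report(self, risk: Risk) -> Risk:
        self.risks.append(risk)
        return risk

    def stale(self, today: date, max_days: int = STALE_AFTER_DAYS) -> List[Risk]:
        """Risks still in New longer than max_days: the 'identified but not handled' signal."""
        return [r for r in self.risks
                if r.status is Status.NEW and r.days_to_handle(today) > max_days]

    def open_by_score(self) -> List[Risk]:
        """Everything not Closed, highest rating first, for the management discussion."""
        return sorted((r for r in self.risks if r.status is not Status.CLOSED),
                      key=lambda r: r.score(), reverse=True)

    def summary(self, today: date) -> dict:
        counts = {s.value: 0 for s in Status}
        for r in self.risks:
            counts[r.status.value] += 1
        # An empty register is itself a warning sign, per the text above.
        return {"counts": counts,
                "stale": [r.title for r in self.stale(today)],
                "no_risks_identified": not self.risks}


def build_sample_register() -> RiskRegister:
    """Constructed sample data: three risks, two triaged, one left sitting in New."""
    reg = RiskRegister()
    reg.report(Risk("Unpatched build server", "ops-lead", date(2024, 1, 5), 4, 4,
                    mitigation_plan="Patch monthly; restrict inbound access",
                    response_plan="Isolate host, rebuild from image"))
    reg.report(Risk("Email provider outage", "it-lead", date(2024, 2, 20), 2, 3))
    reg.report(Risk("Laptop theft", "security-lead", date(2024, 2, 25), 3, 3))
    reg.risks[0].set_status(Status.MITIGATED, date(2024, 1, 19))
    reg.risks[1].set_status(Status.TRANSFERRED, date(2024, 2, 22))
    return reg


if __name__ == "__main__":
    register = build_sample_register()
    print(register.summary(TODAY))
    for r in register.open_by_score():
        print(r.score(), r.status.value, r.title, f"{r.days_to_handle(TODAY)}d to handle")
```

Running it flags "Laptop theft" as stale (36 days in New against a 30-day threshold) while the two triaged risks show 14 and 2 days to handle, which is the kind of number worth putting in front of management alongside the register itself.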
If you are struggling to think about risks, a threat modeling exercise could be helpful. You can use our tool here to help with that: https://threatmodel.jemurai.com.
In the Assisted SPIO tier, our team will help to manage the Risk Register and identify and track risks. We also conduct an annual deeper Risk Assessment where we look to make sure the overall program is aligned to your overall risk.
Ultimately, the Risk Register is just an easy way to center an organizational discussion around risk and track outcomes.