We use risk assessments to plan short- and long-term security projects, as well as to set priorities within our Security team.
Risk assessments address risk by transferring, avoiding, mitigating, or accepting it. Our risk assessment program includes:
- Security Risk Register (SRR)
- procedural
- ad hoc
- development
- risk treatment planning
- risk treatment options
Let's dive into some details below.
The SRR is our primary tool for assessing the risk exposure of every identified security threat across our environment, and it is the basis for most of the other risk management tools we use. We use the SRR to inform relevant groups (notably the Security team and the leadership/executive teams) about our current understanding of risk exposure.
We use procedural risk assessments, a standardized process for analyzing the risk of various inputs, to make informed decisions about the associated risk exposure.
Each risk assessment leverages data tabulated in the SRR to articulate the impact of various risk scenarios and inform decision-making in relevant contexts.
We use ad hoc risk assessments to evaluate risk if a circumstance arises that falls outside our structured evaluations.
We use development risk assessments for new major products or product features to make sure that we thoroughly evaluate critical security and legal controls.
- An initial assessment gauges the overall risk of the design.
- If our Security team identifies a high level of risk, we ask for more details in the product design document.
- Our Security team may ask for clarification around sensitive topics and require design changes or mitigation strategies to address new risk exposure.
- Follow-up risk assessments may be necessary depending on the complexity of the project.
Risk treatment planning for an identified risk covers the following steps:
- Enumerate existing controls per the FAIR Controls Analytics Model (FAIR-CAM).
- Select the risk treatment approach(es) and document the justification.
- Evaluate any additional proposed controls.
- Assign lead stakeholders and other owners.
- Set a timeframe to achieve the intended treatment.
The risk treatment options are:
- mitigation (via remediation and countermeasures)
- transfer (e.g., to a third party)
- avoidance (eliminate the vulnerable function or service)
- acceptance (based on an understanding of the exposure, weighed against our appetite for risk)