Adding risk scenarios to assets or asset groups
This article will show you how to add risk scenarios to assets or asset groups. We will also explain the difference between the two types of scenarios: Asset scenarios and Data subject scenarios. Understanding this distinction will help you apply the correct scenarios in the appropriate contexts.
What is an Asset Scenario?
An asset scenario describes a potential risk specifically associated with a particular asset or asset group. Asset scenarios assess security measures and vulnerabilities related to IT or physical infrastructure, focusing on the possible impact on the organization.
Examples:
- Hardware: Maintenance deficiencies in routers or security cameras may allow attackers to sabotage these devices, leading to the loss of confidentiality, integrity, and availability of corporate data.
- Software: Malfunctions in a firewall or VPN service due to configuration errors or missed updates could create vulnerabilities that attackers could exploit to gain unauthorized access to company systems.
- Data: Loss or theft of sensitive files through insecure storage solutions could have serious legal and economic consequences.
What is a Data Subject Scenario?
Data subject scenarios relate to personal data and its processing risks, focusing on data protection. These risk scenarios are specifically designed to create and maintain a record of processing activities (ROPA). They describe risks to individuals and ensure compliance with legal requirements, always emphasizing the impact on the data subject.
Examples:
- Data breach: Unauthorized access to customer data, for example, through cyberattacks or internal misconfigurations, can compromise confidentiality and expose individuals to financial or reputational risks.
- Lack of consent: Processing personal data without the required consent of the data subjects constitutes a violation of the General Data Protection Regulation (GDPR) and can lead to legal consequences and a loss of trust.
- Unauthorized disclosure: Improper sharing of personal data with third parties, either through human error or insufficient technical controls, endangers individuals’ privacy and may result in compensation claims.
Differences between scenario types
| | Asset Scenario | Data Subject Scenario |
|---|---|---|
| Focus | Technical and physical risks (InfoSec & IT security) | Data protection risks for data subjects |
| Examples | Device failure, sabotage, hacking | Data leaks, unlawful processing |
| Responsibility | IT security, infrastructure teams | Data protection officers, compliance teams |
| Use | Risk management for assets | Creation of the ROPA |
Adding Asset Scenarios
Before adding asset-specific risk scenarios, ensure that you have already registered your asset, added it to one or more groups, and included the asset in the scope of one or more standards. If you have activated asset-specific risk management for the asset, you can add asset-specific risk parameters in addition to the group parameters. If you need further guidance on these steps, please visit the article about the Asset Register.
Steps to Add Risk Scenarios:
- Decide whether you want to add risk scenarios for an asset group or a single asset. Use the toggle below the standard to switch between group and asset.
- Navigate to the Scenarios tab.
- Click Add.
- All scenarios listed here relate to assets. You can use the search bar to find existing risk scenarios or create new ones by clicking Create.
- Add the desired scenarios by clicking Add to List.
After adding all relevant scenarios, you can assess the risk scenarios, add TOMs, and create treatment plans in the subsequent tabs. For detailed guidance on these steps, refer to the relevant article.