Risk Settings

The platform supports four different risk models for various types of risks and elements. To access Risk settings, click the gearwheel in the top right corner and select Risk Settings. You need data protection manager or IT security manager privileges to do this.

Process Risk Model

On the first tab, you can edit the Process Risk Model. This model determines the risks of a process concerning privacy and data protection. The focus of the risk's effects is on the data subject or affected person. It is usually called the process risk model or ROPA risk model.

We will explain how to set or edit the Process Risk Model in a separate article.

Asset Risk Model

The Asset Risk Model allows you to calculate the risks for your information assets within the organization. It is exclusively related to InfoSec and Cybersecurity. This risk model focuses on the effects of a loss of confidentiality, integrity, or availability of the assets. The risk model for assets is defined per standard and then listed under Active Model(s).

Learn how to set up the Asset Risk Model for your various standards in the corresponding article.

Maturity Model

On the Maturity Model tab, you will find information about the maturity model, which will help you when working with assessments and international standards, for example.

Vendor Risk

Vendor risk is an assessment-based risk model: questionnaires or assessments determine the vendor's risk in each evaluated dimension. For example, a vendor can be evaluated on privacy, information security, financial or geographic risk, or business continuity.

The risk model of these evaluations is inherited from the assessment.

First, you need to set the Number of Risk Categories. This setting can only be modified once and applies to the entire company. Our recommendation is to set five risk categories.

After clicking Save, you will be forwarded to a page where you can change the label of each category. By default, they are labeled Minimal, Reduced, Average, Elevated, and Critical. Click Save again. You can come back and edit these labels at any time.

Click Edit to customize the Risk Category Thresholds. You can move the threshold points by clicking and dragging them with the mouse.

Projects Risk

The project risks are similar to the Asset risks; the effect is focused on the organization, not on the data subject or affected person.

The 5x5 risk model for projects allows you to determine the risk based on likelihood and the impact of any risks on the project outcome.

Click on Edit to set or change the likelihood of occurrence and the damage categories.
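The following added example is not part of this article or of the platform's own code. It shows how the two settings described above fit together: the 5x5 project risk model (a score from likelihood and impact, each rated 1 to 5) and the risk categories from the Vendor Risk section (five labels, by default Minimal, Reduced, Average, Elevated and Critical, separated by adjustable thresholds). The article does not state numeric threshold values, so the thresholds below are constructed assumptions; the function and class names are likewise illustrative.

```python
"""5x5 likelihood x impact scoring bucketed into five risk categories.

Added illustration, not the platform's code. The labels are the defaults
named in the article; the threshold values are a constructed assumption.
"""
from dataclasses import dataclass
from typing import Tuple

# Default category labels as described in the article.
DEFAULT_LABELS: Tuple[str, ...] = ("Minimal", "Reduced", "Average", "Elevated", "Critical")

# Inclusive upper bound of each category except the last, on the 1..25 score
# scale of a 5x5 matrix. Constructed values: the article says thresholds are
# set by dragging, not where the defaults sit.
DEFAULT_THRESHOLDS: Tuple[int, ...] = (2, 6, 12, 19)


@dataclass(frozen=True)
class RiskCategoryModel:
    """Maps a numeric score to a category label via ordered thresholds."""

    labels: Tuple[str, ...]
    thresholds: Tuple[int, ...]

    def __post_init__(self) -> None:
        # One more label than thresholds: the last label catches everything above.
        if len(self.labels) != len(self.thresholds) + 1:
            raise ValueError("need exactly one more label than thresholds")
        # Thresholds must be strictly increasing, otherwise categories overlap or vanish.
        if list(self.thresholds) != sorted(set(self.thresholds)):
            raise ValueError("thresholds must be strictly increasing")

    def categorize(self, score: int) -> str:
        """Return the first label whose upper bound covers the score."""
        for label, upper in zip(self.labels, self.thresholds):
            if score <= upper:
                return label
        return self.labels[-1]

    def with_labels(self, labels: Tuple[str, ...]) -> "RiskCategoryModel":
        """Relabel categories (the article allows editing labels at any time)."""
        return RiskCategoryModel(labels=tuple(labels), thresholds=self.thresholds)


DEFAULT_MODEL = RiskCategoryModel(DEFAULT_LABELS, DEFAULT_THRESHOLDS)


def risk_score(likelihood: int, impact: int) -> int:
    """Score for a 5x5 model: likelihood times impact, each rated 1..5."""
    for name, value in (("likelihood", likelihood), ("impact", impact)):
        if not isinstance(value, int) or not 1 <= value <= 5:
            raise ValueError(f"{name} must be an integer from 1 to 5, got {value!r}")
    return likelihood * impact


def assess_project_risk(likelihood: int, impact: int,
                        model: RiskCategoryModel = DEFAULT_MODEL) -> Tuple[int, str]:
    """Return (score, category label) for one likelihood/impact rating."""
    score = risk_score(likelihood, impact)
    return score, model.categorize(score)


def risk_matrix(model: RiskCategoryModel = DEFAULT_MODEL) -> list:
    """Full 5x5 matrix of labels, rows = likelihood 1..5, columns = impact 1..5.

    Useful for reviewing a threshold change before saving it: every cell
    should still be reachable and the labels should not jump out of order.
    """
    return [[model.categorize(risk_score(lk, im)) for im in range(1, 6)]
            for lk in range(1, 6)]


if __name__ == "__main__":
    for row in risk_matrix():
        print(" | ".join(f"{cell:8}" for cell in row))
    print(assess_project_risk(4, 5))
```

Because the thresholds are a property of the model rather than hard-coded in the scoring function, a reviewer can replay the same likelihood and impact ratings against a proposed threshold change and see exactly which matrix cells move to a different category before committing the change.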

Risk Scenarios

You may have already been confronted with risk scenarios in connection with different elements of your data protection compliance, especially regarding Assets or TOMs. This tab will let you edit existing risk scenarios by clicking on one of them and create or import new ones by clicking the Create button.

How you create risk scenarios is up to you. They need to apply to your situation. This is why you can also create new Risk Scenarios on the fly, e.g., when documenting a new Asset or creating a new DPIA. But of course, some risks always apply to all organizations regardless of their business activity, e.g., natural disasters.

Name the risk scenario and determine whether it is a Data Subject Scenario or an Asset Scenario.

A new risk scenario should be described with due diligence. The following should be considered:

  • Which scenarios are conceivable that could lead to damage?
  • What harm may occur to the identified data subjects due to the envisaged processing?
  • What actions and circumstances may lead to the occurrence of the respective harm events?
  • Which parties are involved and how? Are non-human sources of risk relevant, e.g., technical malfunctions?
  • What warranty targets may be impacted by the Scenario (data minimization, availability, integrity, confidentiality, non-linking, transparency, data subject rights)?

An ID number can be entered, e.g., from an external register. Save your entries.

To delete a Risk Scenario, click the three horizontal dots on the right side, click the garbage bin, and confirm the deletion.

Deadlines & Urgency

These deadlines apply to the treatment of a risk unless otherwise defined in the risk treatment plan.
