Automated Answers to Risk Questions

There is a failure to maintain asset ownership and it is not possible to have non-repudiation of actions or inactions.

"Mixed, Active Directory and Okta maintain asset ownership and permissions, but logging is rolling over due to a lack of storage and lack of log retention policies."

There is a failure to implement least privilege.

"No idea if POLP has been implemented.  UNKNOWN, and no record of assessments or audits."

Access to privileged functions is inadequate or cannot be controlled.

"Unknown, IAM is disorganized, no records of assessments or audits can be found."

Access is granted to unauthorized individuals, groups or services. Asset(s) is/are lost, damaged or stolen.

"Unknown, IAM is disorganized, no records of assessments or audits can be found."

Unauthorized changes corrupt the integrity of the system / application / service. There is increased latency or a service outage that negatively impacts business operations.

"Unknown"

There is a failure to maintain the confidentiality of the data (compromise) or data is corrupted (loss).

"KNOWN, Intellectual Property has been exfiltrated and used competitively against our organization."

User productivity is negatively affected by the incident.

"UNKNOWN - Users do not seem affected."

Malware, phishing, hacking or other technical attacks compromise data, systems, applications or services.

"UNKNOWN. Intellectual property has been exfiltrated, but no IOC or TTPs have been determined."

Legal and/or financial damages result from statutory / regulatory / contractual non-compliance.

"UNKNOWN"

System / application / service is compromised affects its confidentiality, integrity, availability and/or safety.

"KNOWN.Intellectual property has been exfiltrated, causing revenue loss to Chinese knockoffs. <confidentiality> "

Implemented security /privacy practices are insufficient to support the organization's secure technologies & processes requirements.

"KNOWN. Intellectual property has been exfiltrated, causing revenue loss to Chinese knockoffs"

There is incorrect or inadequate controls scoping, which leads to a potential gap or lapse in security / privacy controls coverage.

"KNOWN. Intellectual property has been exfiltrated, causing revenue loss to Chinese knockoffs. Current security posture is not known, assessed, addressed and then audited for quality, and therefore inadequate."

Documented security / privacy roles & responsibilities do not exist or are inadequate. Internal practices do not exist or are inadequate. Procedures fail to meet "reasonable practices" expected by industry standards.

"KNOWN. Intellectual property has been exfiltrated, causing revenue loss to Chinese knockoffs. Current security posture is not known, assessed, addressed and then audited for quality, and therefore inadequate. If not remediated, we will lose our PCI standing and will not be able to conduct business."

Third-party practices do not exist or are inadequate. Procedures fail to meet "reasonable practices" expected by industry standards.

"KNOWN- We have 18 Third Party Vendors, but no record of Security/ Risk interviews or registers exist with them."

There is a lack of due diligence / due care in overseeing the organization's internal security / privacy controls.

"KNOWN, No listed Security or Privacy controls have been designed, declared nor implemented.

There is abusive content / harmful speech / threats of violence / illegal content that negatively affect business operations.

"KNOWN, none detected"

Response actions either corrupt evidence or impede the ability to prosecute incidents. Response actions fail to act appropriately in a timely manner to properly address the incident.

"KNOWN, Previous security team, Director and CISO have been terminated due to gross negligence."

There is no oversight to ensure remediation actions are correct and/or effective.

"KNOWN, there is currently no oversight, assessments, advisory or audit process in place."

There are financial repercussions from responding to an incident or loss.

"KNOWN, we are losing business to Chinese knockoffs."

There is an inability to detect incidents.

"KNOWN, the SIEM is down and isn't operational due to data capacity planning failures. A re-spec of the storage hardware is required, and must meet PCI-DSS standards for data collection and retention."

The workforce lacks user-level understanding about security & privacy principles.

"KNOWN, no Security Awareness training has been conducted."