Risk Assessment Table

Guest user Created:   Feb 26, 2016 Last commented:   Feb 26, 2016

I have a question about the Risk Assessment Table. In the Risk Assessment Table video, you mention merging the results of the assessments from various asset owners. Should the Risk Assessment Table list each item separately (e.g. "John's laptop", "Tom's laptop", "Eric's laptop"), or merge them into a single asset type (e.g. "Employee Laptops")?
Expert
Dejan Kosutic Feb 26, 2016

You can merge them into a single asset type - as you mentioned "Employee laptops".

In the video, you also mention that in the merge process, we should choose the highest overall score for each asset listed if there is overlap from many independent assessments done by independent asset owners. This conflicts with my original intuition: If an asset has multiple vulnerabilities, I originally assumed we should include the same asset multiple (potentially many) times in the Risk Assessment table, not just the highest.

You should include all the threats and vulnerabilities related to these assets that are merged; however, for the level of impact and level of likelihood you should take the highest score from all the asset owners - this way you won't lose any information, and you will be aware of the worst-case scenario.

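Added example (not part of the original thread or the expert's own material): one way to carry out the merge described in the answer above, in Python. The 0-2 scales, the sample rows and the rule that rows overlap when asset type, threat and vulnerability all match are assumptions made for illustration.

```python
# Constructed sample input: one row per asset owner's assessment.
# Columns: owner, individual asset, asset type, threat, vulnerability,
# impact, likelihood (0-2 scales are an assumption, not from the thread).
OWNER_ROWS = [
    ("John", "John's laptop", "Employee laptops", "Theft", "No disk encryption", 2, 1),
    ("Tom", "Tom's laptop", "Employee laptops", "Theft", "No disk encryption", 1, 2),
    ("Eric", "Eric's laptop", "Employee laptops", "Malware infection", "Outdated antivirus", 1, 1),
    ("Tom", "Tom's laptop", "Employee laptops", "Malware infection", "Outdated antivirus", 2, 1),
    ("Eric", "Eric's laptop", "Employee laptops", "Loss", "Laptop used while travelling", 1, 0),
]


def merge_assessments(rows):
    """Merge per-owner rows into one row per (asset type, threat, vulnerability).

    Every distinct threat/vulnerability pair is kept, so no information is
    dropped. Where several owners assessed the same pair, impact and
    likelihood are each set to the highest value any owner gave.
    """
    merged = {}
    for owner, _asset, asset_type, threat, vuln, impact, likelihood in rows:
        key = (asset_type, threat, vuln)
        entry = merged.setdefault(
            key, {"impact": impact, "likelihood": likelihood, "owners": []}
        )
        # The two maxima are taken independently: the merged row may pair
        # one owner's impact with another owner's likelihood (worst case).
        entry["impact"] = max(entry["impact"], impact)
        entry["likelihood"] = max(entry["likelihood"], likelihood)
        if owner not in entry["owners"]:
            entry["owners"].append(owner)
    return merged


if __name__ == "__main__":
    for (asset_type, threat, vuln), e in sorted(merge_assessments(OWNER_ROWS).items()):
        print(f"{asset_type} | {threat} | {vuln} | "
              f"impact={e['impact']} likelihood={e['likelihood']} | "
              f"assessed by: {', '.join(e['owners'])}")
```

Five owner rows collapse into three rows for "Employee laptops", and the "Theft" row ends up with impact 2 (from John) and likelihood 2 (from Tom).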