2. What is a Risk?
We started off trying to define a risk and a vulnerability so we could map those into Jira correctly.
3. What is a Risk?
● In our world today a Risk is the potential or actual consequence of a known vulnerability.
4. So before we create a Risk, first we must define the vulnerability
● Vulnerabilities arise due to incidents, monitoring or testing.
● A vulnerability might be found as a result of:
○ A penetration test
○ An Incident
○ A network scan
○ A missing policy or process required by best practice or legal compliance
○ An industry news item
7. So now we have a good vulnerability, we can create a good Risk
8. What else do we need to do when creating a Risk?
● A Risk should be linked to a Vuln as its parent: a RISK is the parent of a Vulnerability, and a Vulnerability is a child of a Risk.
● A Risk Owner
● From your risk and vuln we should know what brand it relates to and which service it affects or impacts on.
9. What's next?
● Risks will be reviewed by the Risk Function / steering committee and prioritised and rated.
● Risks will be reported and assigned to the correct business function.
● Security will facilitate the remediation path.
10. What's next?
THAT DIDN'T WORK, SO WE BASED RISK WORKFLOWS ON DATA JOURNEYS
12. Mapping of risks built into security mapping for visibility across the network – from GDPR
[Diagram: graph model. Nodes: IT System, VULN, RISK, Security Control, Data Journey, Data Source, Threat Model, Security Goal, Business Goal, Project. Relationship labels: Data Touches, Has VULN, Has RISK, Missing, meets, Helps meet, Mitigates, Used in, identifies.]
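One way to express the data-journey-to-risk chain from the diagram as a Neo4J graph, as an added example that is not part of the deck or its Jira/Neo4J instance: the node labels follow the diagram, the relationship types are my assumed spellings of its edge labels, and the sample records are constructed.

```cypher
// Constructed sample data (not from the deck): one GDPR data journey touching two
// systems, one vulnerability found by a pen test, and the risk it gives rise to.
CREATE (dj:DataJourney {name: 'Customer onboarding'}),
       (crm:ITSystem {name: 'CRM'}),
       (mail:ITSystem {name: 'Mail relay'}),
       (v:Vuln {key: 'VULN-EXAMPLE-1', title: 'Unpatched CRM web front end',
                source: 'Penetration test'}),
       (r:Risk {key: 'RISK-EXAMPLE-1', title: 'Exposure of customer personal data',
                owner: 'Head of Sales Ops'}),
       (sc:SecurityControl {name: 'Monthly patching'}),
       (dj)-[:TOUCHES]->(crm),          // diagram: "Data Touches"
       (dj)-[:TOUCHES]->(mail),
       (crm)-[:HAS_VULN]->(v),          // diagram: "Has VULN"
       (v)-[:HAS_RISK]->(r),            // diagram: "Has RISK"
       (r)-[:PARENT_OF]->(v),           // slide 8: the Risk is the parent of the Vuln
       (sc)-[:MITIGATES]->(v);          // diagram: "Mitigates" (endpoint assumed)

// Visibility question the mapping is meant to answer: which data journeys are
// exposed to which risks, through which system, and who owns each risk?
MATCH (dj:DataJourney)-[:TOUCHES]->(sys:ITSystem)-[:HAS_VULN]->(v:Vuln)-[:HAS_RISK]->(r:Risk)
OPTIONAL MATCH (sc:SecurityControl)-[:MITIGATES]->(v)
RETURN dj.name AS journey, sys.name AS system, v.key AS vuln,
       r.key AS risk, r.owner AS owner, collect(sc.name) AS controls
ORDER BY journey, risk;
```

With the sample data the query returns one row (Customer onboarding via CRM to RISK-EXAMPLE-1); the Mail relay system produces no row because it has no vulnerability attached.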
13. Online Sanitized Jira and Neo4J for testing
Jira On-line
https://gdpr-patterns.atlassian.net/browse/GDPR-1
Neo4J Visualisation
http://ec2-35-177-200-108.eu-west-2.compute.amazonaws.com:9004/user/dj-507_tm/