DELIVERABLES
Vulnerable Asset List - Submit the completed list of vulnerable assets
Internal and External Threats List - Submit the itemized list of threats
External Inputs of Threats and Vulnerabiliti
| VUL ID # | Asset | Vulnerability Description | Threat Description | Likelihood | Impact | Risk Level | Priority | Recommended Remediation | Risk Response Strategy/Factor |
|---|---|---|---|---|---|---|---|---|---|
| From P1 | From P1 | From Project 1 | From Project 1 | From P1 | From P1 | From P1 | From P1 | From Project 1 | (Remediate, Accept and Mitigate, or Transfer)/(Cost, Capabilities, or Resources) |
| | | | | | | | | | |
| | | | | | | | | | |
| | | | | | | | | | |
Prioritized Risks and Response Matrix
Notes on the Risk Response Strategy Cell:
The possible options are:
Remediate,
Accept and Mitigate, or
Transfer
Remember, remediate is to fix the issue. Mitigate is part of accepting the risk and includes implementing compensating controls because you are not going to fix the issue. Transfer means to transfer the risk to an outside agency such as an insurance company.
You only need to list the risk response along with the factor for any responses other than remediate. This should state the factor that was most in play for why you were not able to remediate. For example, cost would be the factor if the cost to remediate outweighed the potential damage. Resources could be the factor if you did not have enough employees to implement the remediation. Capability could be a factor if the risk was with vendor software and they had not yet developed a patch.
Your entries in this cell should look like this.
Remediate
Accept/Cost
Transfer/resource
These are only examples; you will need to determine your actual entries for yourself.