Risk policies

Risk policies allow your organization to take a risk-based approach to the compliance of your projects. Risk policy administrators define the Countermeasures that must be completed before a project can be considered compliant with its level of risk. For example, a risk policy designed to address 'critical' risk may include only Countermeasures with a priority of 10.

You can define a risk policy to include Countermeasures by severity, phase, regulation, and custom tags. The risk compliance of a project is then reflected in dashboards, reports, integrations, and other real-time status indicators.

The risk policies are maintained by SD Elements administrators: a default policy is set for an organization and for each business unit. These defaults are pre-selected at the time of project creation but they can be overridden to better match a project’s needs.

Countermeasure priority levels may change as SD Elements revises its content. These changes may affect your risk policies. Ensure that you review changes to your risk policies after accepting changes from new releases.

Risk policies can help you to:
  • Define an appropriate or minimum level of rigor based on your risk and compliance needs

  • View a snapshot of compliance through dashboards, reports, and other real-time indicators

  • View compliance relative to the risk tolerance and rigor level desired by your business, rather than to all security-related Countermeasures

  • Define the rigor of risk policies to include or exclude security Countermeasures based on your organization’s needs

  • Gradually apply more rigorous policies to business units or groups as you improve your capability to execute security controls

A risk policy is composed of a scope, or policy inclusion, and acceptable risk criteria:

  • The scope identifies which project Countermeasures are subject to the policy.

    • These Countermeasures are referred to as risk-relevant Countermeasures.

    • The scope is defined by a set of phases, a range of Countermeasure priorities and a list of Countermeasure tags.

  • The acceptable risk criteria are a short list of Countermeasure statuses.

    • Countermeasures in scope for a policy must be assigned one of these statuses to be considered compliant.

A project is considered compliant if all the Countermeasures in scope for its risk policy meet the criteria.

By default the project Countermeasures view restricts its list to risk-relevant Countermeasures only. Users may override the option to view all Countermeasures.

Rules when risk policies apply

Risk policies and their definitions are maintained by SD Elements administrators. A risk policy can be selected at the organization and business unit levels to guide teams on a selection. However, it is up to individual teams to assign the most relevant policy to their projects.

Organization default policy:
  • The risk policy set as the default for all business units. This can be overridden by each business unit. Refer to the section Set a default risk policy for further guidance.

Business unit default policy:
  • The risk policy selected by default for all new projects in the business unit. This can be overridden by each project team. Refer to the section covering business units for further guidance.

Project policy:
  • The risk policy assigned to a project. Project teams are responsible for selecting the policy applicable to their project context. Risk status in the organization is governed by the policies assigned to projects and their fulfillment. Teams assign a risk policy during project creation or during an update. Refer to the section covering projects for further guidance on project creation and update.

Risk policy details

The following details are defined in a risk policy:

  1. Name: The name of your risk policy. This name will appear in all risk status reports.

  2. Description: A brief explanation of the risk policy.

  3. Policy Inclusion: The Countermeasures to be included in the risk policy. Select Countermeasures by the phases they belong to. Countermeasures associated with phases you do not select are excluded from the risk policy.

  4. Countermeasures of priority: Select the priority of the Countermeasures to be included in the risk policy.

    1. Priority describes how important a Countermeasure is compared to other Countermeasures and ranges from 1 to 10.

    2. A priority of 7 or above, for example, can be used as a minimum priority.

  5. Restrict to Countermeasures with any of the following tags: The Countermeasures to be included in the risk policy based on their tags. The risk policy only includes the Countermeasures with the tags defined here.

  6. Countermeasures that are part of the following Regulations: The Countermeasures to be included in the risk policy based on their association with one or more regulations.

  7. Minimum Criteria for Acceptable Risk: To achieve a greater level of assurance for risk policy compliance, each acceptable Countermeasure status can be paired with a minimum acceptable verification status.

    1. Countermeasures with status: The status required for a Countermeasure to be considered compliant. Choose from Not Applicable, Incomplete, Complete, or a Custom status.

    2. Acceptable verification: The minimum verification that is considered acceptable for compliance. See Verification status for more information.

      1. No Fail: The Countermeasure’s verification status is one of Pass, Partial Pass, or No Verification Status.

      2. Pass: The Countermeasure’s verification status is Pass.

      3. Pass or Partial Pass: The Countermeasure’s verification status is one of Pass or Partial Pass.

      4. Ignore: The Countermeasure is not applicable to verification.

All risk policies can be viewed from the Manage→Risk policies menu.

Default risk policies

By default, SD Elements provides two risk policies: the On-boarding policy and the Highest-risk policy. The On-boarding policy is marked as the organization default.

On-boarding policy (default):
  1. In scope: all Countermeasures from Requirements and Development, with priority 7 and higher.

  2. Criteria for acceptable risk: all Countermeasures in scope must be assigned status Complete or Not applicable.

Highest risk policy:
  1. In scope: all Countermeasures from all phases

  2. Criteria for acceptable risk: all Countermeasures in scope must be assigned status Complete or Not applicable.

These policies can be modified or deleted according to the guidance below.
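The following example, added here and not part of SD Elements or its documentation, implements the policy model described above (scope by phase, priority, tags and regulations; acceptable risk criteria as status paired with an acceptable verification level) and evaluates a project against it, including the compliance percentage shown on the project overview. It encodes the two default policies as data. The class and field names, the Countermeasure identifiers T1 to T5, the sample project, the "Deployment" phase used to stand in for "all phases" and the assumption that the default policies use the Ignore verification level are all constructed for this example.

```python
"""Added example (not SD Elements code): evaluating a project against a risk
policy as the page describes it. Class/field names, the Countermeasure ids
T1..T5 and the sample project are constructed assumptions for this example."""
from dataclasses import dataclass, field
from enum import Enum

class Verification(Enum):
    PASS = "Pass"
    PARTIAL_PASS = "Partial Pass"
    FAIL = "Fail"
    NONE = "No Verification Status"

# "Acceptable verification" levels from the policy details, mapped to the
# verification statuses that satisfy each; "Ignore" accepts any status.
ACCEPTABLE_VERIFICATION = {
    "No Fail": {Verification.PASS, Verification.PARTIAL_PASS, Verification.NONE},
    "Pass": {Verification.PASS},
    "Pass or Partial Pass": {Verification.PASS, Verification.PARTIAL_PASS},
    "Ignore": set(Verification),
}

@dataclass(frozen=True)
class Countermeasure:
    cm_id: str
    phase: str                  # e.g. "Requirements", "Development", "Testing"
    priority: int               # 1 (lowest) .. 10 (highest)
    tags: frozenset = frozenset()
    regulations: frozenset = frozenset()
    status: str = "Incomplete"  # Not Applicable / Incomplete / Complete / custom
    verification: Verification = Verification.NONE

@dataclass
class RiskPolicy:
    name: str
    phases: frozenset                     # Policy Inclusion: selected phases
    min_priority: int = 1                 # "priority N and higher"
    tags: frozenset = frozenset()         # empty = no tag restriction
    regulations: frozenset = frozenset()  # empty = no regulation restriction
    criteria: dict = field(default_factory=dict)  # status -> acceptable verification

    def in_scope(self, cm: Countermeasure) -> bool:
        """Scope test: is this Countermeasure risk-relevant under the policy?"""
        if cm.phase not in self.phases or cm.priority < self.min_priority:
            return False
        if self.tags and not (cm.tags & self.tags):
            return False
        return not self.regulations or bool(cm.regulations & self.regulations)

    def meets_criteria(self, cm: Countermeasure) -> bool:
        """Criteria test: status is listed and verification meets its level."""
        level = self.criteria.get(cm.status)
        return level is not None and cm.verification in ACCEPTABLE_VERIFICATION[level]

@dataclass
class RiskStatus:
    policy: str
    compliant: bool
    relevant: list       # ids of risk-relevant Countermeasures
    non_compliant: list  # in-scope ids that fail the criteria
    percentage: float    # share of in-scope Countermeasures meeting the criteria

def evaluate_project(policy: RiskPolicy, countermeasures) -> RiskStatus:
    """Compliant only if every in-scope Countermeasure meets the criteria."""
    relevant = [cm for cm in countermeasures if policy.in_scope(cm)]
    failing = [cm for cm in relevant if not policy.meets_criteria(cm)]
    # Percentage as on the project overview; an empty scope counts as 100%.
    pct = 100.0 if not relevant else round(100 * (len(relevant) - len(failing)) / len(relevant), 1)
    return RiskStatus(policy.name, not failing, [c.cm_id for c in relevant],
                      [c.cm_id for c in failing], pct)

# The page's two default policies. It does not state their verification level,
# so "Ignore" is assumed; the Highest-risk phase list is a constructed "all phases".
ACCEPT_DONE = {"Complete": "Ignore", "Not Applicable": "Ignore"}
ONBOARDING = RiskPolicy("On-boarding policy", frozenset({"Requirements", "Development"}),
                        min_priority=7, criteria=ACCEPT_DONE)
HIGHEST_RISK = RiskPolicy("Highest-risk policy",
                          frozenset({"Requirements", "Development", "Testing", "Deployment"}),
                          criteria=ACCEPT_DONE)
# A stricter constructed policy that also demands a passing verification.
VERIFIED_RELEASE = RiskPolicy("Verified release (example)", frozenset({"Requirements", "Development"}),
                              min_priority=7, criteria={"Complete": "Pass", "Not Applicable": "Ignore"})

# Constructed sample project: five Countermeasures in various phases and states.
SAMPLE_PROJECT = [
    Countermeasure("T1", "Requirements", 10, status="Complete", verification=Verification.PASS),
    Countermeasure("T2", "Development", 8, tags=frozenset({"input-validation"}),
                   status="Complete", verification=Verification.PARTIAL_PASS),
    Countermeasure("T3", "Development", 7, status="Not Applicable"),
    Countermeasure("T4", "Development", 5, status="Incomplete"),  # below priority 7
    Countermeasure("T5", "Testing", 9, status="Incomplete"),      # phase outside On-boarding scope
]

if __name__ == "__main__":
    for policy in (ONBOARDING, HIGHEST_RISK, VERIFIED_RELEASE):
        r = evaluate_project(policy, SAMPLE_PROJECT)
        print(f"{r.policy}: compliant={r.compliant}, {r.percentage}%, non-compliant={r.non_compliant}")
```

Run against the sample project, the On-boarding policy reports the project compliant (T4 and T5 fall outside its scope by priority and phase), the Highest-risk policy reports it non-compliant at 60%, and the stricter example policy fails T2 because a Partial Pass does not satisfy a required Pass. This is the same distinction the page draws between compliance relative to your chosen rigor level and compliance against every Countermeasure.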

Create a new risk policy

Define a risk policy for your organization using the steps below.

Prerequisites:
  • Users require the permission Global Roles → Administration → Manage Risk Policies.

Steps:
  1. Click Manage in the menu and select Risk Policies.

    [Screenshot: Manage → Risk Policies]
  2. Click on the yellow icon in the top right to create a New Risk Policy.

  3. Enter or select the details of your risk policy.

    [Screenshot: Risk policy creation dialog]
  4. Under Countermeasures regulated by, you may select regulations whose Countermeasures will be included in the new policy:

    [Screenshot: Risk policy creation, regulations]
  5. Under Minimum Criteria for Acceptable Risk, you must select at least one Countermeasure status and assign it a level of acceptable verification.

    [Screenshot: Risk policy creation, verification]
  6. Click on Create.

The new policy is added to your list of existing risk policies. You can set it as your default policy by selecting the radio button under the Default column.

Update a risk policy

Change the details of an existing risk policy using the steps below.

Prerequisites:
  • Users require the permission Global Roles → Administration → Manage Risk Policies.

Steps:
  1. Click Manage in the menu and select Risk Policies.

  2. Search for the policy using the interface.

  3. Hover over the far right of the policy's row and select the Edit risk policy icon. A dialog will appear.

  4. Update the details of the policy.

  5. Click on Done.

The policy is updated immediately and the application subsequently re-calculates the risk status of affected projects. This process may take a few minutes to complete. Once completed, all risk reporting will reflect the details of the updated risk policy.

Set a default risk policy

Change the default organization risk policy using the steps below:

Prerequisites:
  • Users require the permission Global Roles → Administration → Manage Risk Policies.

Steps:
  1. Click Manage in the menu and select Risk Policies.

  2. Click the radio button of the policy you wish to make the new default.

  3. Acknowledge the warning:

    [Screenshot: Default policy warning]
  4. Click on Save.

The selected policy is now the organization’s default, and will automatically be selected by default for new business units. The change will not affect existing business units or projects.

Delete a risk policy

Delete an existing risk policy using the steps below.

Prerequisites:
  • Users require the permission Global Roles → Administration → Manage Risk Policies.

Steps:
  1. Click Manage in the menu and select Risk Policies.

  2. Use the search function if you need to find the policy in the list.

  3. Hover over the far right of the policy's row and select the trash can icon. A dialog will appear.

    [Screenshot: Policy delete warning]
  4. Select a policy to assign to any projects that are currently assigned to the policy you are removing.

  5. Click on Delete.

The risk policy is deleted immediately. Affected projects are assigned to its replacement and their risk status is re-calculated.

View risk status from the user interface

The SD Elements dashboard provides a Risk Status Summary widget that highlights the total number of compliant and non-compliant projects in your business units.

[Screenshot: Risk Status Summary widget]

Business unit risk reporting

From the dashboard, you can jump to Business Units to view their risk compliance status.

[Screenshot: Business unit compliance]

Application risk reporting

Select a business unit from this list to view the risk compliance status of its applications.

[Screenshot: Application compliance]

Project risk reporting

Select an application from this list to view the risk compliance status of its projects.

[Screenshot: Project compliance]

Project overview risk reporting

From the project overview, view the Risk Policy Summary as a percentage of risk compliance achieved. This calculation is based on the number of Countermeasures completed.

Risk reporting

Generate reports of your business units and projects to summarize their risk compliance.

  • Generate a risk status summary report for all business units.

    • The report summarizes the development progress across all of your business units. This report provides a synopsis of each business unit and any non-compliant projects within that unit. Use this report for a snapshot of your organization’s risk compliance, development progress, and development accountability.

  • Generate a project report for a project-specific view of risk status.

    • The report summarizes the details of a project, its risk policy, and any outstanding non-compliant Countermeasures. Use this report for an overview of a project’s development and risk compliance status.