Likelihood and impact tables are at end of document now
@@ -95,30 +95,6 @@
|
||||
- Operational Context: Information regarding the industry sector in which {{ document.organization.name }} operates and the extent of its reliance on third-party vendors, informing the assessment of sector-specific and supply chain risks.
|
||||
These internal insights were further enriched by incorporating relevant data and trend analysis from leading industry and consultancy sources.
|
||||
|
||||
- segment_type: "risk_assessment_process"
|
||||
content:
|
||||
- title: "Risk Assessment Process - Scales"
|
||||
description: |
|
||||
For determining likelihood, StackSight LLC utilizes a commonly referenced scale, presented below:
|
||||
- headers: ["Likelihood Score", "Probability of Happening in a Year", "Descriptor", "Criteria"]
|
||||
rows:
|
||||
- ["1", "0-10%", "Rare", "Has never occurred or has not occurred in the prior 10 years. Highly unlikely, but it may occur in exceptional circumstances. It could happen, but probably never will."]
|
||||
- ["2", "11-24%", "Unlikely", "Has occurred in the past 10 to 4 years. Not expected, but there's a slight possibility it may occur at some time."]
|
||||
- ["3", "25-50%", "Probable", "Has occurred in the past 4 to 2 years. The event might occur at some time as there is a history of casual occurrence at similar organizations."]
|
||||
- ["4", "51-89%", "Likely", "Has occurred in the past 2 to 1 years. There is a strong probability the event will occur as there is a history of frequent occurrence at similar organizations."]
|
||||
- ["5", "90-100%", "Almost Certain", "Currently occurs or has occurred in the last year. The event is expected to occur in most circumstances as there is a history of regular occurrence at similar organizations."]
|
||||
- description: |
|
||||
The risk impact is formally scored using the following definitions and corresponding operational recovery metrics (RPO/RTO):
|
||||
- headers: ["Impact/Severity", "Cost", "Reputation (Internal & External)", "Management Effort", "Operational Resources", "Compliance/SOX/CRA/NIS2 Impact"]
|
||||
rows:
|
||||
- ["Insignificant (1)", "0% to .04% of Gross Revenue", "Unaware – A reasonable person does not have knowledge of the situation or fact. Additionally there is no obligation to divulge the incident.", "Normal Activity - Usual, average or typical company processes. Typically no extra managements cumulative time needed.", "Additional Resources - No extra Internal or External personnel needed to bring resolution to the issue outside of normal processes.", "Low direct regulatory implications. Baseline operational obligations and internal controls are expected to be maintained."]
|
||||
- ["Significant (2)", "~.05% to .25% Gross Revenue", "Minimum Concern - If a reasonable person obtains knowledge of the situation or fact and there is no reaction either positive or negative. Additionally, there is no obligation to divulge the incident.", "Minimum Management Effort - 1-10hrs of managements cumulative time.", "Minor Operational Resources - Internal or External personnel may be needed to bring resolution to the issue, typically 4- 40hrs worth of cumulative time.", "Primarily an internal control issue. Notification to designated authorities may be required. Potential for initial warnings or minor penalties depending on the nature."]
|
||||
- ["Severe (3)", "~.25% to .5% Gross Revenue", "Moderate Concern – A reasonable person obtain knowledge of the situation that could violate, laws, regulations or compliance but the narrative is that management is in control and are rectifying the situation appropriately.", "Moderate Management Effort - 10 to 20 hrs. of managements cumulative time.", "Moderate Operational Resources - Internal or External personnel may be needed to bring resolution to the issue, typically 40 - 80hrs (2 weeks) worth of cumulative time.", "A clear deviation from expected operational or product/service standards, requiring notification and remediation actions. Mandatory reporting to authorities. Risk of financial penalties and increased regulatory scrutiny."]
|
||||
- ["Material (4)", "~ .5% to 1% Gross Revenue", "Severe Concern – A reasonable person obtains knowledge of the situation that could violate, laws, regulations or compliance and the narrative is that management is acting in a negligent manner to rectify the situation.", "Severe Management Effort - 20 to 40hrs of managements cumulative time", "Severe Operational Resources - Internal or External personnel may be needed to bring resolution to the issue, typically 80hrs (2 weeks) - 160hrs (4 weeks) worth of cumulative time.", "Serious non-compliance with established standards. Risk of significant operational disruptions, including potential product/service restrictions or recalls. Mandatory and detailed reporting to authorities is required. High likelihood of substantial financial penalties, potential suspension of services, and personal accountability for responsible management."]
|
||||
- ["Major (5)", "~ 1% Gross Revenue", "Outrage from a reasonable person – A reasonable person obtains knowledge of the situation that violates, laws, regulations or compliance and the narrative is that management is acting in a negligent manner to rectify the situation or is not rectifying the situation.", "Precarious Management Effort - 40hrs or more of managements cumulative time, potential management will be removed from their position.", "Precarious Operational Resources - Internal or External personnel may be needed to bring resolution to the issue over 160 hrs. (4 weeks) worth of cumulative time.", "Systemic failure with severe consequences. Significant regulatory sanctions expected. Mandatory, multi-stage, and comprehensive reporting to authorities is required. Maximum financial penalties are likely, with potential for temporary prohibition of managerial functions and other stringent enforcement actions. The possibility of criminal liability may be considered depending on applicable law or regulation."]
|
||||
- description: |
|
||||
The specific definition of material impact is contingent upon the organizational type and scale. For companies exceeding 1 billion USD in annual revenue, the materiality threshold for major impact is set at 1% of annual revenue. For organizations below this revenue threshold, it is set at 10%. For non-profit organizations, alternative, pre-defined guidelines are utilized.
|
||||
|
||||
- segment_type: "risk_matrix"
|
||||
content:
|
||||
- title: "Risk Matrix"
|
||||
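Review bot: deleting the `risk_assessment_process` segment at this position leaves the `- segment_type: "risk_matrix"` block, which now directly follows the operational-context text, rendering before the likelihood and impact scales that its 1-5 scores are defined against; add a sentence to the Risk Matrix description pointing readers to the scales at the end of the document, or keep a one-line reference to the scoring scale here, so the matrix values are not read before their criteria.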
@@ -318,4 +294,28 @@
|
||||
- subtitle: "Disclaimer"
|
||||
description: |
|
||||
This report is provided for informational purposes only and is based on the data and information available to StackSight LLC at the time of the assessment. The findings and recommendations contained herein are intended solely to provide guidance to {{ document.organization.name }} in enhancing its cybersecurity posture. Cybersecurity risks are inherently dynamic and subject to continuous evolution. StackSight LLC makes no warranties, express or implied, regarding the completeness, accuracy, or suitability of this report for any specific purpose or outcome. The implementation of the recommendations outlined in this report does not constitute a guarantee of complete protection against all potential cyber threats or incidents.
|
||||
{{ document.organization.name }} assumes full responsibility for all decisions made based on the content of this report and for the implementation, ongoing management, and effectiveness of its cybersecurity controls and risk management program. This report should not be construed as, nor relied upon as, legal or regulatory advice.
|
||||
{{ document.organization.name }} assumes full responsibility for all decisions made based on the content of this report and for the implementation, ongoing management, and effectiveness of its cybersecurity controls and risk management program. This report should not be construed as, nor relied upon as, legal or regulatory advice.
|
||||
|
||||
- segment_type: "risk_assessment_process"
|
||||
content:
|
||||
- title: "Risk Assessment Process - Scales"
|
||||
description: |
|
||||
For determining likelihood, StackSight LLC utilizes a commonly referenced scale, presented below:
|
||||
- headers: ["Likelihood Score", "Probability of Happening in a Year", "Descriptor", "Criteria"]
|
||||
rows:
|
||||
- ["1", "0-10%", "Rare", "Has never occurred or has not occurred in the prior 10 years. Highly unlikely, but it may occur in exceptional circumstances. It could happen, but probably never will."]
|
||||
- ["2", "11-24%", "Unlikely", "Has occurred in the past 10 to 4 years. Not expected, but there's a slight possibility it may occur at some time."]
|
||||
- ["3", "25-50%", "Probable", "Has occurred in the past 4 to 2 years. The event might occur at some time as there is a history of casual occurrence at similar organizations."]
|
||||
- ["4", "51-89%", "Likely", "Has occurred in the past 2 to 1 years. There is a strong probability the event will occur as there is a history of frequent occurrence at similar organizations."]
|
||||
- ["5", "90-100%", "Almost Certain", "Currently occurs or has occurred in the last year. The event is expected to occur in most circumstances as there is a history of regular occurrence at similar organizations."]
|
||||
- description: |
|
||||
The risk impact is formally scored using the following definitions and corresponding operational recovery metrics (RPO/RTO):
|
||||
- headers: ["Impact/Severity", "Cost", "Reputation (Internal & External)", "Management Effort", "Operational Resources", "Compliance/SOX/CRA/NIS2 Impact"]
|
||||
rows:
|
||||
- ["Insignificant (1)", "0% to .04% of Gross Revenue", "Unaware – A reasonable person does not have knowledge of the situation or fact. Additionally there is no obligation to divulge the incident.", "Normal Activity - Usual, average or typical company processes. Typically no extra managements cumulative time needed.", "Additional Resources - No extra Internal or External personnel needed to bring resolution to the issue outside of normal processes.", "Low direct regulatory implications. Baseline operational obligations and internal controls are expected to be maintained."]
|
||||
- ["Significant (2)", "~.05% to .25% Gross Revenue", "Minimum Concern - If a reasonable person obtains knowledge of the situation or fact and there is no reaction either positive or negative. Additionally, there is no obligation to divulge the incident.", "Minimum Management Effort - 1-10hrs of managements cumulative time.", "Minor Operational Resources - Internal or External personnel may be needed to bring resolution to the issue, typically 4- 40hrs worth of cumulative time.", "Primarily an internal control issue. Notification to designated authorities may be required. Potential for initial warnings or minor penalties depending on the nature."]
|
||||
- ["Severe (3)", "~.25% to .5% Gross Revenue", "Moderate Concern – A reasonable person obtain knowledge of the situation that could violate, laws, regulations or compliance but the narrative is that management is in control and are rectifying the situation appropriately.", "Moderate Management Effort - 10 to 20 hrs. of managements cumulative time.", "Moderate Operational Resources - Internal or External personnel may be needed to bring resolution to the issue, typically 40 - 80hrs (2 weeks) worth of cumulative time.", "A clear deviation from expected operational or product/service standards, requiring notification and remediation actions. Mandatory reporting to authorities. Risk of financial penalties and increased regulatory scrutiny."]
|
||||
- ["Material (4)", "~ .5% to 1% Gross Revenue", "Severe Concern – A reasonable person obtains knowledge of the situation that could violate, laws, regulations or compliance and the narrative is that management is acting in a negligent manner to rectify the situation.", "Severe Management Effort - 20 to 40hrs of managements cumulative time", "Severe Operational Resources - Internal or External personnel may be needed to bring resolution to the issue, typically 80hrs (2 weeks) - 160hrs (4 weeks) worth of cumulative time.", "Serious non-compliance with established standards. Risk of significant operational disruptions, including potential product/service restrictions or recalls. Mandatory and detailed reporting to authorities is required. High likelihood of substantial financial penalties, potential suspension of services, and personal accountability for responsible management."]
|
||||
- ["Major (5)", "~ 1% Gross Revenue", "Outrage from a reasonable person – A reasonable person obtains knowledge of the situation that violates, laws, regulations or compliance and the narrative is that management is acting in a negligent manner to rectify the situation or is not rectifying the situation.", "Precarious Management Effort - 40hrs or more of managements cumulative time, potential management will be removed from their position.", "Precarious Operational Resources - Internal or External personnel may be needed to bring resolution to the issue over 160 hrs. (4 weeks) worth of cumulative time.", "Systemic failure with severe consequences. Significant regulatory sanctions expected. Mandatory, multi-stage, and comprehensive reporting to authorities is required. Maximum financial penalties are likely, with potential for temporary prohibition of managerial functions and other stringent enforcement actions. The possibility of criminal liability may be considered depending on applicable law or regulation."]
|
||||
- description: |
|
||||
The specific definition of material impact is contingent upon the organizational type and scale. For companies exceeding 1 billion USD in annual revenue, the materiality threshold for major impact is set at 1% of annual revenue. For organizations below this revenue threshold, it is set at 10%. For non-profit organizations, alternative, pre-defined guidelines are utilized.
|
||||
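Review bot: the appended `risk_assessment_process` segment lands after the `- subtitle: "Disclaimer"` block, so the disclaimer no longer closes the report; if the disclaimer is meant to be the final section, insert the segment before it. Further points in this hunk: the paragraph `{{ document.organization.name }} assumes full responsibility for all decisions made based on the content of this report ...` appears twice in the disclaimer description and one copy should be dropped; the impact description promises `corresponding operational recovery metrics (RPO/RTO)` but the table that follows has no RPO/RTO column, so either add the column or remove the phrase; the materiality paragraph sets the major-impact threshold at 10% for organizations under 1 billion USD while the `Major (5)` row fixes the cost at `~ 1% Gross Revenue`, so the row should say the percentage depends on the revenue band; the cost ranges share their boundary values (`.25%` ends Significant and starts Severe, `.5%` ends Severe and starts Material), which leaves those exact values unscorable, so make the bounds exclusive on one side; and the cell text carries several typos worth fixing in the same change (`managements cumulative time` should be `management's`, `A reasonable person obtain knowledge` should be `obtains`, `could violate, laws,` has a stray comma, `4- 40hrs` has a stray space).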