In this (first) step, you collect data about the system that will help readers of your risk assessment understand what the system does, who uses it, and so on. You will not use the information collected in this step for the actual calculation of the system’s risk, but it is still important to document key decisions (e.g., who owns the risk and when it was accepted), main contacts (e.g., who prepared the assessment) and the high-level system architecture. Since the default fields might not fit your needs, this form can be customized.

 

Tailoring the form (optional)

It makes sense to collect only information that you might want to include in your risk assessment. While many of the fields are free-text fields, the drop-down menus are mostly linked to master data you entered when setting up the system. A few examples are listed below:

  • “Service owner” and “Service provider” allow you to select from your tree of organizational units
  • “Highest classification” and “Network exposure” are drop-down fields you have configured with options most suitable for your requirements

If the fields available in the standard configuration do not match your needs at all, we can change the design entirely to suit them. Just get in touch!

 

Filling in the form

Some of the information is technical, some more business-oriented, so you might have to ask colleagues from other departments to help you fill in the form. In COB.RA, you can easily grant temporary write access to a coworker with link-based permission sharing. The screenshot below shows what a filled-in form could look like for a simple website.

The built-in editor allows you to freely format text and to insert images:

Finally, all information you enter here (and anywhere else in cob.ra) can be exported using placeholders in the report designer.

 

What next?

After collecting all information required to explain the system to the future readers of your risk assessment, you should proceed with performing a business impact analysis.