When I sense that stakeholders are more likely to implement their own conclusions from study findings, I sometimes choose not to share my recommendations. Here is a step-by-step description of what I do:

1. I analyze study results and write a report.
2. Under each finding, I leave a placeholder for a recommendation to be filled in later. Under each finding, I add a title that says, "Planned design changes," as well as the phrase to indicate what will go in there and when: "Changes will be discussed and determined during the next team meeting."
3. I create a separate document in which I list my recommendations.
4. I share the report with the team and invite stakeholders to a meeting. In the invite, I ask them to read the report and come up with a list of recommended ways to react to the findings.
5. During the meeting, I facilitate a discussion about the main findings. The main point is getting possible solutions from team members. The heuristic I use is that stakeholders are the ones deciding what should be done. If I see that the solution they are getting at is better than what I thought about (which happens a lot), or if it is close, then I don't get involved in the decision and only provide my support. When I consider the solution they are getting at to be wrong, I get involved and offer my recommendation.

The report will consist of six main sections: Executive Summary (the introduction), Methodology, Results, Risk Register (sometimes called an issues register), Conclusion, and Appendices. Here is a quick description of each of these sections:

1. Executive Summary: provides the reader with answers to the following questions. What is this report? Who was this report written for? Why was this report written? Why is this report important to the organization? What are the findings?
2. Methodology: you don't just want to present the results of your assessment (although that is a key part of the report); it is also important to accurately represent the effort that was put into the risk assessment process. Describing the methodology followed helps obtain buy-in from the reader. If the reader cannot understand how you derived your results, they are more likely to challenge you. This section should identify the framework that was used (if any) and provide a step-by-step description of the methodology followed, as well as the activities performed that support the methodology used.
3. Results: presents the results, or references to the results, for each of the activities that were conducted for the risk assessment. This part of the report should include narratives and evidence on how the assessor ultimately derived the risk findings, which are then presented in a consolidated format in the risk register.
4. Risk Register: a part of the report that can be considered a standalone section. The risk register may be passed around independently of the report, as it is basically the list of all the findings that were identified through the entire process.
5. Conclusion: allows the assessor to provide their final opinion regarding the outcome of the risk assessment.
6. Appendices: the supporting evidence and results for the report. This may include spreadsheets and various documents. It may end up being a rather large section, since it may also contain evidence documents that are referenced in the Results section of the report. This is usually due to the fact that the computations, and the subsequent results of those computations, are too long to integrate into the report itself.

Based on these six sections, the actual outline of the information security risk assessment report will look similar to the following: I.

Of course, this outline can always be changed to better reflect the actual activities conducted during the risk assessment. For example, organizational assessment activities are relatively fluid depending on the sources available to the assessor, so new sections can be added or removed depending on the activities performed. Another area that may change is the system-specific assessment section, which should be structured according to the methodology that was used. In our example we relied heavily on the NIST information security risk assessment framework, so the subsections of that section of our sample report map closely to NIST.

Figure 7-26. Rules for the EA Kanban board (Steps 7–9).

When the enterprise architects start working on the epic, they first plan what they intend to do in this phase. Once the epic is finished in Phase A, it is moved into the backlog of Phase B.