-
Notifications
You must be signed in to change notification settings - Fork 0
Basic Config: DSRA
The digital security risk assessment (DSRA) is made of multiple components that require independent configuration.
- Risk Impact Thresholds
- Risk Questionnaire to Calculate Initial Impact Rating
- Control Validation Audit
- Component Selection
- Digital Security Risk Assessment Task
Each of these can be configured in the admin panel. The risk impact thresholds are a global configuration, all other components are relative to the pillar configuration. That means, you can have different DSRAs targeting different deliverable types or different domains within your organisation (e.g. cloud, infrastructure, corporate, operational technology).
The Risk Impact Thresholds are a global configuration covering all DSRAs. The initial values provided with the SDLT are recommended as they have been calculated to align nicely to the NZTA Risk Approximation method of calculating the impacts.
The default values are:
Insignificant < 10
Minor < 30
Moderate < 70
Severe < 130
Extreme >= 130
These can be configured in the admin panel by going to Questionnaires then selecting Impact Thresholds in the navigation bar. It is not expected that you will need to modify these from the default values provided with the SDLT.
Every DSRA will need to be fed with an initial risk impact position. This is taken from a Risk Questionnaire type questionnaire. When configuring the Security Risk Assessment task, you need to specify the Data source for risk questionnaire. This is a RiskQuestionnaire task that will need to be spawned to the same submission as the security risk assessment.
Risk questionnaire tasks will calculate and return risk values. When creating questions, the input type must be used and multiple choice: single selection or multiple choice: multiple selection input field must be used. The multiple choice input fields allow risks an ratings to be assigned to each answer. All answers will be aggregated together at the end of the questionnaire to determine a final risk rating for each risk.
The SDLT has a default Initial Risk Impact Assessment task pre-configured as an example. Data and Systems are pre-classified with risk ratings based on agreement with the business. As part of your initial configuration, you will need to update these classifications to your own internal values. For the systems list, you will need to classify and update the system names.
The Control Validation Audit (CVA) is an implementation of the control validation audit task type. When configuring this task you can specify the default security controls set (security components) to use. By default, the SDLT has a CVA task configured with the Agency Baseline Control Set. You can add your own control sets, or update the existing.
It is possible to have multiple configured CVA tasks, each with different control sets configured. This allows for scenario based control sets (e.g. corp vs cloud vs operational technology).
Where a pillar questionnaire has a textbox input question marked as product aspects the component selection will need to be used. The Component Selection task is an implementation of the component selection task type. This task allows a submitter to select different control sets for different parts of their solution.
So, if a submitter entered the product aspects Website and Database, the component selection task would ask them to select the control set(s) they would like to use for each. This allows for complex solutions to be broken down into components and risk assessed independently. The CVA task will show all components and assigned control sets automatically, as will the security risk assessment task.
Note: The component selection task has a Target that can be either JIRA or Local. JIRA has been officially deprecated. Please use only Local until the JIRA option is removed.
The final part of the configuration is the DSRA task, of type security risk assessment. The SRA task will look for other tasks assigned to the submission to build the report view for the user. In SDLTv2 (current), it's a non-interactive task.
The SRA task requires configuration of likelihood thresholds and the risk matrix. The impact thresholds are taken from the global configuration. The default security risk assessment task has been configured with values that align nicely to the NZTA Risk Approximation method.