
I've been tasked with updating my department's exception request form, and I am trying to come up with YES/NO questions that can be scored to determine the risk of the request.

I am having trouble with this task, because I need questions that can apply to a wide range of Users within my organization, as some people are highly technical, while others are not tech savvy at all. Additionally, the company I work for has roughly 6k employees with many different job functions, so the questions have to be very flexible to accommodate just about any request that's submitted.

  • "Has the risk of this exception been reviewed by the Risk Owner for the system and the Data Owner?" – schroeder May 09 '18 at 15:29
  • I'm a little confused by what you are asking for. If you are asking for a list of questions, that's very difficult to answer in this format. Given that you want a list of Y/N questions that can apply to *anyone* making the request, then your process should not be to place the assessment of the risk in the hands of the requestor. – schroeder May 09 '18 at 15:31
  • @schroeder the exception has not been reviewed at this point. My thought was to have the requestor fill out an exception form, which would include a handful of questions to calculate the risk of their request. We are trying a new exception review/approval process, where regular analysts can approve "Low" risk exceptions, managers can approve "Medium" risk exceptions, and "High" risk exceptions go to the Director/CISO for review. The intent of the risk score is to help with the triage process for exception reviews/approvals. – Brandon Mcwilliams May 09 '18 at 16:08
  • But, who performs the analysis to determine if it is "Low"? The requestor? And you want the list of Y/N questions to result in a risk calculation? And you expect everyone to answer honestly? – schroeder May 09 '18 at 16:11
  • It also sounds like you already have the model you need in order to create your questions: what constitutes a "Low/Medium/High" risk for your organisation? What thresholds need to be crossed to change the assessment? Then just ask those questions ... – schroeder May 09 '18 at 16:14

1 Answer


It depends on what the exception request form is for; if the policy exception relates to a service, then you'll want to ask questions about the nature of the service, e.g.:

  1. Does the exception cover any systems which store Confidential or higher data assets?
  2. Does the service being excepted integrate with any other services?
  3. Is this exception covering a service which has already had a prior risk assessment? If yes, what was the risk classification given in that assessment?
  4. Does your department interact with Confidential or Restricted assets?

Generally speaking, you're going to need more than Yes/No in most cases, imo. Just like any initial scoping questionnaire, this would probably only let you pick out very obviously-risky requests for triage.

A requestor's assessment can only elevate risk, not lower it. :P

Angelo Schilling
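As an added example (not code from the post or its author), here is a scoring routine for the kind of Yes/No questionnaire described above: it routes Low/Medium/High results to the analyst, manager and Director/CISO approvers named in the comments, treats an unanswered question as "Yes" so the form fails closed, and enforces the answer's point that the requestor's answers can raise the tier above a prior risk assessment but never lower it. The question ids, weights and thresholds are constructed assumptions, not values from the page.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Ordered tiers; list position lets tiers be compared numerically.
TIERS = ["Low", "Medium", "High"]
# Approval routing from the question's comments.
APPROVER = {"Low": "analyst", "Medium": "manager", "High": "Director/CISO"}

# The Yes/No questions from the answer, keyed by hypothetical ids.
# Weights and thresholds are constructed for illustration only.
WEIGHTS = {
    "covers_confidential_systems": 2,     # Q1: Confidential or higher data assets
    "integrates_with_other_services": 1,  # Q2: integrates with other services
    "department_handles_restricted": 1,   # Q4: department touches Confidential/Restricted
}
HIGH_THRESHOLD = 3
MEDIUM_THRESHOLD = 1


@dataclass
class ExceptionRequest:
    answers: Dict[str, bool] = field(default_factory=dict)
    # Q3 follow-up: classification from an earlier risk assessment, if any.
    prior_assessment: Optional[str] = None


def score_to_tier(score: int) -> str:
    if score >= HIGH_THRESHOLD:
        return "High"
    if score >= MEDIUM_THRESHOLD:
        return "Medium"
    return "Low"


def triage(req: ExceptionRequest) -> Tuple[str, str, int]:
    """Return (tier, approver role, raw score) for an exception request."""
    unknown = set(req.answers) - set(WEIGHTS)
    if unknown:
        raise ValueError(f"unknown question ids: {sorted(unknown)}")
    # Fail closed: a question left unanswered is scored as "Yes".
    score = sum(w for q, w in WEIGHTS.items() if req.answers.get(q, True))
    tier = score_to_tier(score)
    # Requestor answers may only elevate the tier above a prior assessment, never lower it.
    if req.prior_assessment is not None:
        if req.prior_assessment not in TIERS:
            raise ValueError(f"bad prior assessment: {req.prior_assessment!r}")
        if TIERS.index(req.prior_assessment) > TIERS.index(tier):
            tier = req.prior_assessment
    return tier, APPROVER[tier], score
```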