Risk policies
Risk policies allow your organization to take a risk-based approach towards the compliance of your projects. Risk policy administrators define the Tasks necessary to complete before a project can be considered compliant with its level of risk. For example, a risk policy designed to address 'critical' risk may only include Tasks with a priority of 10.
You can define a risk policy to include Tasks by severity, phase, regulation, and custom tags. The risk compliance of a project is then reflected in dashboards, reports, integrations, and other real-time status indicators.
The risk policies are maintained by SD Elements administrators: a default policy is set for an organization and for each business unit. These defaults are pre-selected at the time of project creation but they can be overridden to better match a project’s needs.
-
Define an appropriate or minimum level of rigor based on your risk and compliance needs
-
View a snapshot of compliance through dashboards, reports, and other real-time indicators
-
View compliance relative to the risk tolerance and rigor level desired by your business, rather than to all security-related tasks
-
Define the rigor of risk policies to include or exclude security tasks based on your organization’s needs
-
Gradually apply more rigorous policies to business units or groups as you improve your capability to execute security controls
A risk policy is composed of a scope, or policy inclusion, and an accepted risk criteria:
-
The scope identifies which project tasks are subject to the policy.
-
These tasks are referred to as risk-relevant tasks.
-
The scope is defined by a set of phases, a range of task priorities and a list of task tags.
-
-
The acceptable risk criteria is a short-list of task statuses.
-
Tasks in scope for a policy must be assigned one of these statuses to be considered compliant.
-
A project is considered compliant if all the tasks in scope for its risk policy meet the criteria.
Tip
|
By default the project tasks view restricts its list to risk-relevant tasks only. Users may override the option to view all tasks. |
Rules when risk policies apply
Risk policies and their definitions are maintained by SD Elements administrators. A risk policy can be selected at the organization and business unit levels to guide teams on a selection. However, it is up to individual teams to assign the most relevant policy to their projects.
-
The risk policy is set as the default for all business units. This can be overridden by each business unit. Refer to section Set a default risk policy for further guidance.
-
The risk policy selected by default for all new projects in the business unit. This can be overridden by each project team. Refer to the section covering business units for further guidance.
-
The risk policy assigned to a project. Project teams are responsible for selecting the policy applicable to their project context. Risk status in the organization is governed by the policies assigned to projects and their fulfillment. Teams assign a risk policy during project creation or during an update. Refer to the section covering projects for further guidance on project creation and update.
Risk policy details
The following details are defined in a risk policy:
-
Name: The name of your risk policy. This name will appear in all risk status reports.
-
Description: A brief explanation of the risk policy.
-
Policy Inclusion: The tasks to be included in the risk policy. Select tasks by the phases they belong to. Phases you do not select will not include any tasks associated with those phases in the risk policy.
-
Tasks of priority: Select the priority of the tasks to be included in the risk policy.
-
Priority describes how important a task is compared to other tasks and ranges from 1 to 10.
-
A priority or 7 above, for example, can be considered as a minimum priority.
-
-
Restrict to tasks with any of the following tags: The tasks to be included in the risk policy based on their tags. The risk policy only includes the tasks with the tags defined here.
-
Tasks that are part of the following Regulations: The tasks to be included in the risk policy based on their association with one or more regulations.
-
Minimum Criteria for Acceptable Risk: To achieve a greater level of assurance for risk policy compliance, a task’s status can be paired with a minimum acceptable risk.
-
Tasks with status: The status required for a task to be considered compliant. Choose from Not Applicable, Incomplete, Complete, or a Custom status.
-
Acceptable verification: The minimum verification that is considered acceptable for compliance. See Verification status for more information.
-
No Fail: The task’s verification status is one of Pass, Partial Pass, or No Verification Status.
-
Pass: The task’s verification status is Pass.
-
Pass or Partial Pass: The task’s verification status is one of Pass or Partial Pass.
-
Ignore: The task is not applicable to verification.
-
-
All risk policies can be viewed from the Manage→Risk policies menu.
Default risk policies
By default, SD Elements provides two risk policies On-boarding policy and Highest-risk policy. The On-boarding policy is marked as the organization default.
-
In scope: all tasks from Requirements and Development, with priority 7 and higher.
-
Criteria for acceptable risk: all tasks in scope must be assigned status Complete or Not applicable.
-
In scope: all tasks from all phases
-
Criteria for acceptable risk: all tasks in scope must be assigned status Complete or Not applicable.
These policies can be modified or deleted according to the guidance below.
Create a new risk policy
Define a risk policy for your organization using the steps below.
-
Users require the permission Global Roles → Administration → Manage Risk Policies.
-
Click Manage in the menu and select Risk Policies.
-
Click on the yellow icon in the top right to create a New Risk Policy.
-
Enter or select the details of your risk policy.
-
Under Tasks regulated by, you may select regulations whose tasks will be included in the new policy:
-
Under Minimum Criteria for Acceptable Risk, you must select at least one task status and assign it a level of acceptable verification.
-
Click on Create.
The new policy is added to your list of existing risk policies. You can set it as your default policy by selecting the radio button under the Default column.
Update a risk policy
Change the details of an existing risk policy using the steps below.
-
Users require the permission Global Roles → Administration → Manage Risk Policies.
-
Click Manage in the menu and select Risk Policies.
-
Search for the policy using the interface.
-
Hover your mouse over the row on the far right and select the Edit risk policy [mode edit] icon. A dialog will appear.
-
Update the details of the policy.
-
Click on Done.
The policy is updated immediately and the application subsequently re-calculates the risk status of affected projects. This process may take a few minutes to complete. Once completed, all risk reporting will reflect the details of the updated risk policy.
Set a default risk policy
Change the default organization risk policy using the steps below:
-
Users require the permission Global Roles → Administration → Manage Risk Policies.
-
Click Manage in the menu and select Risk Policies.
-
Click the radio button of the policy you wish to make the new default.
-
Acknowledge the warning:
-
Click on Save.
The selected policy is now the organization’s default, and will automatically be selected by default for new business units. The change will not affect existing business units or projects.
Delete a risk policy
Delete an existing risk policy using the steps below.
-
Users require the permission Global Roles → Administration → Manage Risk Policies.
-
Click Manage in the menu and select Risk Policies.
-
Use the search function if you need to find the policy in the list.
-
Hover your mouse over the row on the far right and select the trash can icon. A dialog will appear.
-
Select a policy to assign to any projects that are currently assigned to the policy you are removing.
-
Click on Delete.
The risk policy is deleted immediately. Affected projects are assigned to its replacement and their risk status is re-calculated.
View risk status from the user interface
The SD Elements dashboard provides a Risk Status Summary widget that highlights the total number of compliant and non-compliant projects in your business units.
Business unit risk reporting
From the dashboard, you can jump to Business Units to view their risk compliance status.
Application risk reporting
Select a business unit from this list to view the risk compliance status of its applications.
Project risk reporting
Select an application from this list to view the risk compliance status of its projects.
Risk reporting
Generate reports of your business units and projects to summarize their risk compliance.
-
Generate a risk status summary report for all business units.
-
The report summarizes the development progress across all of your business units. This report provides a synopsis of each business unit and any non-compliant projects within that unit. Use this report for a snapshot of your organization’s risk compliance, development progress, and development accountability.
-
-
Generate a project report for a project-specific view of risk status.
-
The report summarizes the details of a project, its risk policy, and any outstanding non-compliant tasks. Use this report for an overview of a project’s development and risk compliance status.
-