US 12,223,454 B2
Method and system for risk measurement and modeling
Robert Vescio, Reston, VA (US)
Assigned to SECURE SYSTEMS INNOVATION CORPORATION, Reston, VA (US)
Filed by Secure Systems Innovation Corporation, Reston, VA (US)
Filed on May 31, 2022, as Appl. No. 17/828,593.
Application 17/828,593 is a continuation of application No. 16/527,393, filed on Jul. 31, 2019, granted, now 11,379,773.
Application 16/527,393 is a continuation of application No. 15/651,407, filed on Jul. 17, 2017, granted, now 10,395,201, issued on Aug. 27, 2019.
Application 15/651,407 is a continuation of application No. 15/259,084, filed on Sep. 8, 2016, granted, now 9,747,570, issued on Aug. 29, 2017.
Prior Publication US 2022/0335349 A1, Oct. 20, 2022
This patent is subject to a terminal disclaimer.
Int. Cl. G06Q 10/0635 (2023.01); G06F 21/57 (2013.01); H04L 9/40 (2022.01); G06Q 10/063 (2023.01)
CPC G06Q 10/0635 (2013.01) [G06F 21/577 (2013.01); H04L 63/1425 (2013.01); G06Q 10/063 (2013.01); H04L 63/1433 (2013.01); H04L 63/145 (2013.01); H04L 63/1458 (2013.01)] 20 Claims
 
1. A computer-implemented method comprising:
maintaining, in association with at least one information system, a threat library comprising a plurality of threat likelihoods, wherein each of the plurality of threat likelihoods is derived from at least one of an external source or an internal source;
automatically retrieving, from the external source, an updated threat likelihood;
generating a composite risk model;
storing the composite risk model in association with the at least one information system, wherein generating the composite risk model comprises, for each of a plurality of predetermined risk scenarios:
selecting a model for identifying a quantitative implicit risk of a risk scenario,
incorporating the model into the composite risk model, wherein the model comprises a threat likelihood of the risk scenario in the plurality of threat likelihoods, a business impact of the risk scenario in a plurality of business impacts, and a control effectiveness of the risk scenario in a plurality of control effectivenesses, and the risk scenario comprises at least one threat type and a targetable system;
collecting scope and expectation information for an entity associated with the at least one information system,
determining, with a processor, based on the scope and expectation information, whether the at least one information system is vulnerable to the at least one threat type;
determining, with the processor, from a set of possible assessment activities, a plurality of assessment activities to apply, based on at least the determination of whether the at least one information system is vulnerable to the at least one threat type,
identifying, in an available list of assessment activities, a plurality of manual assessment activities and a plurality of automatic assessment activities,
providing each of the plurality of manual assessment activities on a user interface,
automatically applying the plurality of automatic assessment activities to the at least one information system,
determining, with the processor, from the plurality of assessment activities, the threat likelihood of the risk scenario and the business impact of the risk scenario,
determining, from the threat likelihood of the risk scenario and the business impact of the risk scenario, an implicit risk score for the risk scenario,
automatically executing, with the processor, at least one test on the at least one information system,
selecting a control framework from a set of stored control frameworks,
mapping the plurality of assessment activities and a result of the at least one test to the control framework via a plurality of pre-defined input fields associated with the control framework; and
calculating, from the implicit risk score and the control effectiveness, a residual risk value;
adding the residual risk value to a set of residual risk values;
generating, from the set of residual risk values, an overall residual risk score;
determining, from the plurality of control effectivenesses and the set of residual risk values, a plurality of control gaps based on a contribution of each of the plurality of control effectivenesses to the overall residual risk score;
providing a control effectiveness summary comprising the plurality of control gaps displayed in a ranked order; and
triggering, upon identification of a trigger condition comprising at least one of a modification to the at least one information system stored in association with the composite risk model and a passage of a predetermined amount of time after generation of the composite risk model, automatic scheduling of a process for generating an updated composite risk model.
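The claim above names the quantities a composite risk model is built from (threat likelihood, business impact, control effectiveness, implicit risk, residual risk, ranked control gaps, and a refresh trigger) but, as claims do, it states no formulas. The following is an added worked example, not code from the patent or its assignee, that carries one scenario set through those steps. Every formula in it is an assumption: implicit risk is taken as likelihood x impact, residual risk as implicit risk x (1 - control effectiveness), the overall residual score as the sum over scenarios, and a control gap is ranked by its scenario's share of that overall score. The threat library entries, scenarios and the 90-day refresh interval are constructed sample values.

```python
"""Composite risk model walk-through (added example; formulas are assumptions,
sample data is constructed and does not come from the patent)."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Threat library: threat type -> (likelihood, provenance). Constructed values.
THREAT_LIBRARY = {
    "ransomware": (0.30, "external feed"),
    "phishing": (0.60, "internal incident history"),
    "ddos": (0.15, "external feed"),
}


def update_threat_likelihood(library, threat_type, likelihood, source):
    """Replace a library entry with an updated likelihood (e.g. a new feed value)."""
    if not 0.0 <= likelihood <= 1.0:
        raise ValueError("likelihood must be a probability in [0, 1]")
    library[threat_type] = (likelihood, source)
    return library


@dataclass(frozen=True)
class RiskScenario:
    threat_type: str            # at least one threat type
    target_system: str          # the targetable system
    impact: float               # business impact in currency units (assumed scale)
    control_effectiveness: float  # 0..1, from assessment activities and tests

    @property
    def likelihood(self):
        return THREAT_LIBRARY[self.threat_type][0]


def implicit_risk(s):
    """Assumed model: likelihood x impact, before any control is credited."""
    return s.likelihood * s.impact


def residual_risk(s):
    """Assumed model: implicit risk reduced by the fraction controls are credited with."""
    if not 0.0 <= s.control_effectiveness <= 1.0:
        raise ValueError("control effectiveness must be in [0, 1]")
    return implicit_risk(s) * (1.0 - s.control_effectiveness)


def composite_model(scenarios):
    """Return (overall residual score, control gaps ranked by share of that score).

    Each gap is a tuple ((threat_type, target_system), share, residual_value).
    """
    residuals = {(s.threat_type, s.target_system): residual_risk(s) for s in scenarios}
    overall = sum(residuals.values())
    gaps = [(key, (r / overall) if overall else 0.0, r) for key, r in residuals.items()]
    gaps.sort(key=lambda g: g[1], reverse=True)  # largest contributor first
    return overall, gaps


def refresh_due(last_generated, now, system_modified, max_age=timedelta(days=90)):
    """Trigger condition: a modification to the modelled system, or the model's age
    reaching the configured interval (90 days is a constructed default)."""
    return bool(system_modified) or (now - last_generated) >= max_age


# Constructed scenarios: threat type paired with a targetable system.
SAMPLE_SCENARIOS = [
    RiskScenario("ransomware", "file-server", impact=500_000, control_effectiveness=0.8),
    RiskScenario("phishing", "email-gateway", impact=100_000, control_effectiveness=0.6),
    RiskScenario("ddos", "web-portal", impact=200_000, control_effectiveness=0.9),
]

if __name__ == "__main__":
    overall, gaps = composite_model(SAMPLE_SCENARIOS)
    print(f"overall residual risk: {overall:,.0f}")
    for (threat, system), share, value in gaps:  # control effectiveness summary
        print(f"  {threat:<11} {system:<14} residual {value:>9,.0f}  share {share:6.1%}")
    print("refresh due:", refresh_due(datetime(2024, 1, 1), datetime(2024, 5, 1), False))
```

Reading the ranked summary is the point: the ransomware scenario has the best control (0.8) yet still tops the list, because its implicit risk is so much larger, which is the kind of result a contribution-based ranking surfaces and a control-score-only view would hide.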