While implementing eramba in our organization, I faced a challenge I wanted to share with you. Maybe others have similar issues and this could result in a new feature.
The main problem I faced can be summarized as "Inherit risks (or risk score) to another asset". Let me give an example to make the situation clear:
Business Unit 1 is the owner of a SAP Application Server
Business Unit 2 is the owner of an Active Directory Server
The Active Directory Server is linked to the SAP Application Server because the SAP Application Server uses Active Directory for authentication.
So when I do a risk analysis on the Active Directory and I find a risk, it should also be displayed to Business Unit 1, because the SAP Application Server is also exposed to the risk of the Active Directory.
So in other words, risk inheritance would be a nice feature. It would allow us to inherit the risk of an asset to other assets that are linked to it.
The way this could be implemented is by "suggesting" assets that hierarchically are above the one you originally selected; this would be shown on the asset field:
Your proposed approach using the Applicable Asset is a workaround for us, but unfortunately not very usable in the long term.
Let's take my sample from above again:
Business Unit 1 is the owner of a SAP Application Server
Business Unit 2 is the owner of an Active Directory Server
BU2 identifies 10 risks related to the AD Server and creates 10 different risks in the Asset Risk Management.
When BU1 tells BU2 that they use the AD too with their SAP Server, BU2 has to open all 10 risk scenarios and put SAP as Applicable Asset, which creates a lot of. As we are a quite big organisation with a lot of cross-referencing services, this makes a lot of work to handle.
Our idea of inheritance would work as follows:
BU1 puts the related assets in the Asset Identification:
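To make the inheritance idea concrete, here is an added example (my own illustration, not code from the forum post and not eramba's data model) of how risk propagation over asset links could be computed. The asset names, owners, link table, risk IDs and scores are constructed sample data. Links are recorded once, on the asset that relies on another (as BU1 would do in Asset Identification), and every asset then sees its own risks plus those of everything it transitively relies on, so BU2 never has to touch its 10 risk scenarios. It also shows the reverse lookup the first post asks for (which assets sit "above" the one you selected), and guards against mutual dependencies so a cycle between two assets does not loop forever.

```python
from collections import defaultdict, deque

# Constructed sample data (illustrative only): asset -> owning business unit.
OWNER = {
    "SAP Application Server": "Business Unit 1",
    "Active Directory Server": "Business Unit 2",
    "Log Collector": "Business Unit 2",
    "HR Portal": "Business Unit 3",
}

# Asset Identification style links: asset -> assets it relies on.
# An edge A -> B means A is exposed to B's risks.
# AD and the Log Collector rely on each other, giving a deliberate cycle.
RELIES_ON = {
    "SAP Application Server": {"Active Directory Server"},
    "HR Portal": {"SAP Application Server"},
    "Active Directory Server": {"Log Collector"},
    "Log Collector": {"Active Directory Server"},
}

# Risks registered directly against one asset: (risk id, score). Constructed.
DIRECT_RISKS = {
    "Active Directory Server": [("AD-01 weak password policy", 20),
                                ("AD-02 unpatched domain controller", 16)],
    "SAP Application Server": [("SAP-01 default client credentials", 12)],
    "Log Collector": [("LOG-01 logs stored unencrypted", 8)],
}


def reachable(asset, links):
    """Assets transitively reachable from `asset` along `links` (self excluded).

    Breadth-first with a visited set, so mutual dependencies terminate."""
    seen, queue = set(), deque(links.get(asset, ()))
    while queue:
        current = queue.popleft()
        if current == asset or current in seen:
            continue
        seen.add(current)
        queue.extend(links.get(current, ()))
    return seen


def upstream(asset, links=RELIES_ON):
    """Everything `asset` relies on, directly or indirectly."""
    return reachable(asset, links)


def exposed_assets(asset, links=RELIES_ON):
    """Everything that relies on `asset`: the assets 'above' it that would
    inherit a new risk registered against it."""
    reverse = defaultdict(set)
    for dependant, deps in links.items():
        for dep in deps:
            reverse[dep].add(dependant)
    return reachable(asset, reverse)


def effective_risks(asset, links=RELIES_ON, risks=DIRECT_RISKS):
    """Direct risks plus inherited ones, each tagged with its origin asset."""
    rows = [(rid, score, asset) for rid, score in risks.get(asset, [])]
    for dep in sorted(upstream(asset, links)):
        rows.extend((rid, score, dep) for rid, score in risks.get(dep, []))
    return rows


def inherited_score(asset, links=RELIES_ON, risks=DIRECT_RISKS):
    """Highest score across direct and inherited risks, 0 if none."""
    return max((s for _, s, _ in effective_risks(asset, links, risks)), default=0)


def risks_for_owner(unit, owner=OWNER, links=RELIES_ON, risks=DIRECT_RISKS):
    """What a business unit should see: effective risks of every asset it owns."""
    return {a: effective_risks(a, links, risks)
            for a, o in owner.items() if o == unit}


if __name__ == "__main__":
    for unit in sorted(set(OWNER.values())):
        print(unit)
        for asset, rows in risks_for_owner(unit).items():
            print(f"  {asset} (score {inherited_score(asset)})")
            for rid, score, origin in rows:
                tag = "direct" if origin == asset else f"inherited from {origin}"
                print(f"    {score:>2}  {rid}  [{tag}]")
```

With the sample data, Business Unit 1 sees the two AD risks (and the Log Collector risk behind them) under its SAP server without BU2 editing anything, and `exposed_assets("Active Directory Server")` lists the SAP server, the HR Portal and the Log Collector as the assets that would inherit any new AD risk.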