Issues with Implementing Risk Management in Verinice

Hello Verinice Community,

I’ve recently started using Verinice for risk management, and I’m having a bit of trouble implementing the risk management process effectively within the tool. I’m trying to assess and manage risks for my organization, but I find it difficult to set up and track the risks, especially when I try to align them with the controls and mitigation actions.

Could anyone guide me on the following?

  1. How do I efficiently map risks to controls within Verinice?
  2. What are the best practices for tracking risk mitigation over time?
  3. Are there any tips for customizing the risk matrix to suit specific risk management needs?

I’ve gone through the documentation but still find some aspects unclear, especially when it comes to managing and reporting on risks at different levels of the organization.

Any advice or examples would be greatly appreciated!

Thanks in advance!
motivue

1. How do I efficiently map risks to controls within verinice?

In verinice, risks should first be linked to assets.
The risk analysis process in verinice involves several steps:

Initially, the company’s processes and assets are modeled abstractly in the Model-View. These elements are then linked together, and the Business Impact can be inherited from higher-level processes down to the assets if necessary.

Next, a vulnerability and a threat are linked to a risk scenario, or a new scenario object is created.
The risk scenario must then be associated with an asset, depending on which asset the scenario poses a risk to.
Only through this link does an actual risk emerge.
The likelihood of the scenario is evaluated within the scenario object.

Once all asset and scenario evaluations are complete, the risk analysis can be performed according to ISO/IEC 27005.
The result shows that the gross risk value is calculated by adding the likelihood from the scenario and the Business Impact from the asset.

If multiple risk scenarios are linked to a single asset, the Business Impact values are summed and added to the likelihood.

The calculation formula is as follows:

Risk value = Likelihood + Impact
(Likelihood comes from the scenario object, Impact comes from the asset object.)

Controls can help reduce risks in two ways:

  • If a preventive control is linked to a risk scenario, it reduces the likelihood.
  • If a control is linked directly to an asset, it reduces the impact and acts more as an emergency measure.

The modification of likelihood or impact through the control is configured in the control object under the section called "Control-Level".

After completing the risk analysis, the results are displayed under the respective asset.
You can also visualize these results by creating a report.

Please refer to the following illustration:

If you would like to customize the predefined Business Impact values for the CIA protection goals, or the assessment values for threats or vulnerabilities, you can do so through customizing.
You can also adapt the risk matrix to your needs.
If you are interested, I would be happy to send you a guide on how to perform such a customization!

2. What are the best practices for tracking risk mitigation over time?

Here are some best practices:

  • Document the status: Regularly update the status of controls.
  • Assign a timeline to measures: Plan deadlines and milestones and use fields like "Implementation Date", "Completed On", and "Review Date".
  • Use reports: Verinice offers export functions (e.g., PDF/Excel) to generate regular status reports.
  • Assign responsibilities: Each control (and each risk) should have a responsible person assigned – this significantly improves traceability.

3. Are there any tips for customizing the risk matrix to suit specific risk management needs?

The risk matrix in verinice can be customized to a certain extent.
Please refer to the following documentation for details.
Customizing Risikoanalyse ISO en-1.pdf (2,1 MB)

If you have further questions or need additional help, feel free to reach out again!
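To make the calculation in the answer above concrete, here is an added, constructed example that is not verinice code and not part of either post. It models the additive rule (risk value = likelihood from the scenario + impact from the asset), the scenario-to-asset link that makes a risk exist, and the two control effects described: a preventive control linked to a scenario lowers the likelihood, a control linked directly to an asset lowers the impact. The level scale 0..3, the per-link risk rows and the "Control-Level" reduction as a number of levels are assumptions made for the example; verinice's actual data model and field names are not reproduced here.

```python
from dataclasses import dataclass, field

# Assumed level scale for likelihood, impact and control reductions (not verinice's own scale).
MIN_LEVEL, MAX_LEVEL = 0, 3


@dataclass
class Control:
    name: str
    reduction: int  # assumed "Control-Level": how many levels the control lowers likelihood or impact


@dataclass
class Process:
    name: str
    impact: int  # Business Impact evaluated on the higher-level process


@dataclass
class Asset:
    name: str
    impact: int = 0                       # Business Impact evaluated directly on the asset
    processes: list = field(default_factory=list)  # processes the asset supports (impact may be inherited)
    controls: list = field(default_factory=list)   # controls linked directly to the asset (reduce impact)

    def effective_impact(self) -> int:
        # Assumption for this example: an asset inherits the highest impact of its linked processes
        # when that is higher than its own value.
        inherited = max((p.impact for p in self.processes), default=MIN_LEVEL)
        return max(self.impact, inherited)


@dataclass
class Scenario:
    name: str
    likelihood: int                                # likelihood evaluated in the scenario object
    controls: list = field(default_factory=list)   # preventive controls linked to the scenario (reduce likelihood)


def clamp(value: int) -> int:
    """Keep a level inside the assumed scale so controls cannot push it below zero."""
    return max(MIN_LEVEL, min(MAX_LEVEL, value))


def gross_risk(asset: Asset, scenario: Scenario) -> int:
    """Risk value before controls: likelihood (scenario) + impact (asset)."""
    return scenario.likelihood + asset.effective_impact()


def net_risk(asset: Asset, scenario: Scenario) -> int:
    """Risk value after controls: preventive controls lower likelihood, asset controls lower impact."""
    likelihood = clamp(scenario.likelihood - sum(c.reduction for c in scenario.controls))
    impact = clamp(asset.effective_impact() - sum(c.reduction for c in asset.controls))
    return likelihood + impact


def risk_register(links):
    """One row per scenario->asset link; without such a link no risk exists."""
    rows = []
    for asset, scenario in links:
        rows.append({
            "asset": asset.name,
            "scenario": scenario.name,
            "gross": gross_risk(asset, scenario),
            "net": net_risk(asset, scenario),
        })
    return rows


def highest_net_risk_per_asset(rows):
    """Summary view per asset, useful for reporting at different organisational levels."""
    summary = {}
    for row in rows:
        summary[row["asset"]] = max(summary.get(row["asset"], MIN_LEVEL), row["net"])
    return summary


# Constructed sample data for the demo.
billing = Process("Billing", impact=3)
customer_db = Asset("Customer DB", impact=1, processes=[billing],
                    controls=[Control("Tested backups", reduction=1)])
laptop = Asset("Field laptop", impact=1)
ransomware = Scenario("Ransomware via phishing", likelihood=2,
                      controls=[Control("Patch management", reduction=1)])
theft = Scenario("Device theft", likelihood=3)

LINKS = [(customer_db, ransomware), (laptop, theft)]

if __name__ == "__main__":
    for row in risk_register(LINKS):
        print(row)
    print(highest_net_risk_per_asset(risk_register(LINKS)))
```

The register keeps gross and net values side by side, which is what a periodic status report needs when tracking mitigation over time: the gross value stays the same while the net value drops as linked controls are implemented.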