
Update likelihood criteria for rating observations

Davoud Tu requested to merge davoudtu-master-patch-59685 into master

Why is this change being made?

When initially creating observations, I was having challenges with risk rating, specifically determining the likelihood score. I reviewed NIST 800-30 and determined that the frequency of identifying/having a control observation is not a criterion used to determine likelihood. Based on my understanding, the risk of occurrence (likelihood) and the lack of a control operating effectively are two separate situations.

As an example, when I assessed a lower-tiered system last quarter, a control did not exist to perform backup restores. The risk of not having a backup restore is lack of availability of data; however, there was a control to ensure backups were being performed. Based on our previous likelihood criteria, the absence of a control or control observations persisting would rate the risk as high likelihood, which would inherently inflate the risk rating. I believe context matters when risk rating, and we shouldn't use control observations as a criterion to determine likelihood.

Author Checklist

  • Provided a concise title for this Merge Request (MR)
  • Added a description to this MR explaining the reasons for the proposed change (say why, not just what)
    • Copy/paste the Slack conversation to document it for later, or upload screenshots. Verify that no confidential data is added, and the content is SAFE
  • Assign reviewers for this MR to the correct Directly Responsible Individual/s (DRI)
    • If the DRI for the page/s being updated isn’t immediately clear, then assign it to one of the people listed in the Maintained by section on the page being edited
    • If your manager does not have merge rights, please ask someone to merge it AFTER it has been approved by your manager in #mr-buddies
    • The when to get approval handbook section explains the workflow in more detail
  • If the changes affect team members, or warrant an announcement in another way, please consider posting an update in #whats-happening-at-gitlab linking to this MR
    • If this is a change that directly impacts the majority of global team members, it should be a candidate for #company-fyi. Please work with internal communications and check the handbook for examples.

Edited by Davoud Tu
