Step 1: Identify your critical information assets
Information assets in this context include systems, vendors, and processing activities, among others. A good way to start your risk management is to map the information assets that are relevant to your organisation in Wired Relations. Tip: use the label feature in Wired Relations to indicate whether an asset is business critical and which types of personal data it processes.
Step 2: Create a risk assessment
Go to the Risk Assessment module in the top left corner of Wired Relations and create a new risk assessment. Select the asset for which you want to assess the risk. This could be a system, a processing activity, a vendor etc.
Step 3: Select relevant threats and who it affects
Start by selecting relevant threats from the list or create new ones from your own risk catalog. Choose who the threats affect. You can choose between the "organisation" and/or the "data subject".
Step 4: Assess consequence and likelihood
For each threat, assess the consequence for the "data subject" and/or the "organisation" against the parameters confidentiality, integrity, and availability, then rate the likelihood of the threat occurring. Repeat this for every threat you selected.
Step 5: Calculate risk
Once you have assessed consequence and likelihood, you are presented with "calculated risk" scores: one for the risk assessment as a whole and two indicating the level of risk to the organisation and to the data subject respectively.
Step 6: Decide if the risk can be accepted
You must now decide whether the risk is acceptable. If the answer is “yes”, you can continue with the current security measures. If the answer is “no”, move on to risk management.
Step 7: Risk management
Choose the security measures you want to implement. You can pick technical and organisational measures from a catalog or create your own. Create tasks for the organisation to implement these measures.
Step 8: Assess residual risk
Once the security measures are chosen and implemented, reassess the risk. You now assess whether the consequence or likelihood has changed based on the security measures you have chosen.
Step 9: Summarise the risk picture
Wired Relations gives you an overview of the calculated risk for both the organisation and the data subject. You can see if the remaining risk is acceptable and how it has been affected by your security measures.
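The nine steps above, carried through as a small worked example. This is added illustration code, not part of Wired Relations, and the scoring rule it uses (consequence rated 1 to 4 per C/I/A parameter, party consequence = the worst of the three, risk = consequence x likelihood, overall = the worst party score, acceptance threshold 8) is an assumption chosen to show the mechanics, not the product's formula.

```python
from dataclasses import dataclass, replace

PARTIES = ("organisation", "data subject")
CIA = ("confidentiality", "integrity", "availability")
ACCEPT_THRESHOLD = 8  # assumed: scores above this are not accepted and go to risk management

@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: int    # assumed scale: 1 (rare) .. 4 (very likely)
    consequence: dict  # party -> {C/I/A parameter: 1 (negligible) .. 4 (severe)}

def party_consequence(cia_scores):
    """Consequence for one party: the worst of its C, I and A ratings (assumed rule)."""
    for param in CIA:
        if not 1 <= cia_scores[param] <= 4:
            raise ValueError(f"{param} must be rated 1..4")
    return max(cia_scores[param] for param in CIA)

def threat_risk(threat, party):
    """Risk of one threat for one party (consequence x likelihood); None if unaffected."""
    cia = threat.consequence.get(party)
    return None if cia is None else party_consequence(cia) * threat.likelihood

def calculated_risk(threats):
    """One score per affected party plus an overall score (the worst party score)."""
    scores = {}
    for party in PARTIES:
        per_threat = [r for r in (threat_risk(t, party) for t in threats) if r is not None]
        scores[party] = max(per_threat) if per_threat else 0
    scores["overall"] = max(scores[p] for p in PARTIES)
    return scores

def is_acceptable(scores):
    """Step 6: accept only if the overall calculated risk is within the assumed threshold."""
    return scores["overall"] <= ACCEPT_THRESHOLD

# Constructed sample register (steps 3 and 4): two threats against a customer database asset.
INITIAL = [
    Threat("Unauthorised access to customer database", likelihood=3, consequence={
        "organisation": {"confidentiality": 3, "integrity": 2, "availability": 2},
        "data subject": {"confidentiality": 4, "integrity": 2, "availability": 1}}),
    Threat("Backup restore fails after outage", likelihood=2, consequence={
        "organisation": {"confidentiality": 1, "integrity": 3, "availability": 4}}),
]
# Step 8: after MFA and access logging are implemented, likelihood of the first threat is re-rated to 1.
RESIDUAL = [replace(INITIAL[0], likelihood=1), INITIAL[1]]

if __name__ == "__main__":
    for label, register in (("initial", INITIAL), ("residual", RESIDUAL)):
        scores = calculated_risk(register)
        print(label, scores, "acceptable:", is_acceptable(scores))
```

The initial overall score is driven by the data-subject consequence of unauthorised access; the measure lowers it to the threshold, while the backup threat now sets the residual organisation score and would be the next candidate for treatment.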