How K2 Compliance Completes a Risk Assessment

K2 Compliance is an application that centralizes the management of the risk assessment process. It acts as a central hub to store, collect and analyze data relating to an organization's security risks. Let's take a quick look at the asset-based risk assessment process managed through K2 Compliance, starting with an organization's hardware.

Found within the hardware information system are categories or groups of like assets, such as servers. Records of each individual asset are stored within K2 Compliance. Vulnerabilities are identified against each asset selected as part of the risk assessment, and threats are then associated with that group of assets based on the identified vulnerabilities. The system stores a full library of threat events associated with specific types of assets, and new threats can be added to the library during this process.

There may be scenarios where additional scans and tests performed against an individual asset in the group identify additional vulnerabilities. These, in turn, may present additional threats against that asset that are not applied to the entire group.

From here, the inherent risk is calculated for each threat associated with an individual asset or group of assets. These calculations can be based on any of a number of methodologies, such as NIST, FAIR or ISO.

K2 Compliance provides a full library of security controls from many different frameworks. Each threat is linked to relevant controls that, if implemented, help mitigate the inherent risk scores for an asset. A dedicated project workspace is created per control to assess its compliance status. Summaries and findings for each assessed control feed into a formal report that the system generates with the click of a button.

Controls determined to be implemented are applied to their associated threats, mitigating the risk associated with an asset or group of assets. If the newly calculated (residual) risk score falls below the organization-defined risk tolerance or threshold, the risk is accepted and documented.

Mitigation activities are assigned to those threat risks that remain above the risk threshold even after applying any implemented controls. These activities are recorded in the mitigation section of the risk assessment report generated at the conclusion of the risk assessment project.
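As an added illustration of the workflow described above (example code, not K2 Compliance's own), the following Python models group-level threats plus asset-specific threats from extra scans, a simple likelihood-times-impact scoring (an assumed methodology, not one the page specifies), implemented controls lowering the score, and the threshold check that decides between acceptance and a mitigation activity. All asset, threat and control identifiers are constructed.

```python
from dataclasses import dataclass, field

# Assumed scoring model (not K2 Compliance's own): inherent risk = likelihood x impact on
# 1-5 scales; each implemented control lowers likelihood by its stated amount (floor 1).

@dataclass
class Threat:
    name: str
    likelihood: int                 # 1-5
    impact: int                     # 1-5
    controls: dict                  # control id -> likelihood reduction when implemented

@dataclass
class Asset:
    name: str
    group: str
    extra_threats: list = field(default_factory=list)  # asset-specific threats, e.g. from an extra scan

def inherent_risk(t: Threat) -> int:
    return t.likelihood * t.impact

def residual_risk(t: Threat, implemented: set) -> int:
    """Risk after applying only the controls the assessment found implemented."""
    reduction = sum(r for cid, r in t.controls.items() if cid in implemented)
    return max(1, t.likelihood - reduction) * t.impact

def assess(assets, group_threats, implemented, threshold):
    """One row per (asset, threat): group threats first, then the asset's own extra threats.
    Residual risk below the threshold is accepted; otherwise a mitigation activity is assigned."""
    rows = []
    for a in assets:
        for t in group_threats.get(a.group, []) + a.extra_threats:
            res = residual_risk(t, implemented)
            rows.append({"asset": a.name, "threat": t.name,
                         "inherent": inherent_risk(t), "residual": res,
                         "disposition": "accepted" if res < threshold else "mitigation"})
    return rows

# Constructed sample data (hypothetical identifiers).
GROUP_THREATS = {"servers": [Threat("Unpatched OS exploited", 4, 4,
                                    {"CTRL-PATCH": 2, "CTRL-HARDEN": 1})]}
ASSETS = [Asset("srv-01", "servers"),
          Asset("srv-02", "servers", extra_threats=[
              Threat("Default admin credentials", 5, 5, {"CTRL-CREDS": 3})])]
IMPLEMENTED = {"CTRL-PATCH"}      # CTRL-HARDEN and CTRL-CREDS were found not implemented
THRESHOLD = 10                    # organization-defined risk tolerance

if __name__ == "__main__":
    for row in assess(ASSETS, GROUP_THREATS, IMPLEMENTED, THRESHOLD):
        print(f"{row['asset']:7} {row['threat']:28} inherent={row['inherent']:2} "
              f"residual={row['residual']:2} -> {row['disposition']}")
```

The group-level threat drops below the threshold once the patching control is applied, while the asset-specific credential threat on srv-02 stays at its inherent score and is routed to a mitigation activity.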