What does "Status" on knowledge base do?

[mrapnx]

Dear all,

I could'nt find any hints on the user-/method-guide so maybe you could help: There ist a "Status-Button" for any threat, vulnerability and information risk on the knowledgebase (Button in shape of check mark or cross). What happens, if I deactivate a threat, vulnerability or information risk? Apparently, it doesn't do anything on my risk analysis, as the risks are still present, no matter if on of the mentioned entries is active or not.

1. What do the status of these entries affect?
2. Does anybody know how I can ignore specific threats, vulnerabilities or information risks on my analysis w/o removing them from the knowledge base?

Kindest regards
Marcus

[ruslanbaidan]

Hello,

1. Informational risks are created based on Asset Types, Threats and Vulnerabilities. If one of those is deactivated, then it would not be possible to create a new informational risks based on it.

2. If one of the informational risks deactivated, when a new asset is created the risk should not be presented in the list of risks linked to the asset (based on the relation with the asset type code).

What I currently tested there is an issue with the second scenario.

We need to think if the status change should have an impact on already created assets and informational risks already presented in the analysis.
Currently, when an instance risk is removed from the knowledge base, we convert all the linked risks presented in the analysis to specific (custom) and they are highlighted in blue.

Any suggestions and ideas on this are welcome!

[mrapnx]

Dear Ruslan, many thanks for clarification! I would appreciate it very much if one could (optionally) link the status of the entities with the information risks of the risk analysis. So it would be possible to automatically remove/deactivate information risks from the risk analysis because, for example, the vulnerability no longer exists (or vice versa: I can automatically add risks because a vulnerability is now applicable that wasn't before). Ditto threats.

Kindest regards
Marcus

[ruslanbaidan]

Dear Marcus,

Thank you for sharing your ideas!

The functionality, described by you, is quite complex to implement and can take quite a lot of development time.

I propose you to create a ticket from the discussion (Create issue from discussion) with a detailed description of all the scenarios you mentioned. The next step, we can plan the development depending on the current priorities and loading.

By detailed description means explanation of each entity behaviour (Asset type, Threat, Vulnerability, Instance Risk) when status field is changed. What happens to the existed library objects (assets) and informational risks (already presented in the analysis).
The things which should be taken in the consideration are fields like Existing controls, CIA criteria, threat and vulnerability evaluation values, implemented and linked recommendations. All of the mentioned things can be already defined / linked to a particular risk and we need to handle those values, as a solution - restore in case if informational risk will be activated again. All the recommendations should be restored in this case as well.
The other thing are, If all the informational risks linked to a specific asset are deactivated, we need to remove or hide the asset from the analysis and library.
If for instance a threat or vulnerability is deactivated, we should search for all the informational risks where it is linked in the current analysis and in library and deactivate all the risks.

I described only some of the possible scenarios and challenges we can have to make the functionality working.
But those things are really interesting to be implemented in Monarc and can a good addition to the product features.

[jerolomb]

Hello,

I would like to add that you can already delete a risk (link of asset, threat, vulnerability) that is useless for you. If you don’t want to use a threat or a vulnerability, you can also delete it, but take care it will delete the associated risks in the knowledge base. In the risk analysis part, the delete is softer as a deleted risk goes to a specific one and you can delete it manually once in the analysis.

Adding a mechanism like you describe is very complex. MONARC already has a lot of rules that we have to manage with during import (and not only) to guarantee the integrity of the analysis. And I think adding a new one is not a good solution, and not an urgent functionality for the tool.

For me the most comfortable way to don’t manage threat or vulnerability in the risk analysis part is just to put as existing controls “N/A” or something like that on the risk you don’t want to handle at the moment. In that way in a next iteration on a risk analysis, you can review the “N/A” and maybe decide to manage them. I know that’s not the best solution. Maybe the solution is to deactivate directly in the risk analysis the risk (instead of the KB). But it’s also a huge development.

[mrapnx]

Dear Ruslan, dear Jérôme, thank you for your reply!

I see that it's currently not possible to remove risks from the analysis by deactivating them (or entities of them) on the knowledge base.

Ruslan wrote:

2. If one of the informational risks deactivated, when a new asset is created the risk should not be presented in the list of risks linked to the asset (based on the relation with the asset type code).

I tried that, but the newly created asset (of the according type) still carries the deactivated risks:

Jérôme wrote:

For me the most comfortable way to don’t manage threat or vulnerability in the risk analysis part is just to put as existing controls “N/A” or something like that on the risk you don’t want to handle at the moment. In that way in a next iteration on a risk analysis, you can review the “N/A” and maybe decide to manage them. I know that’s not the best solution. Maybe the solution is to deactivate directly in the risk analysis the risk (instead of the KB). But it’s also a huge development.

What field do you mean with "put control to "N/A"? I found "Probability" or "Qualifier" which can be set to "0" or "-1" but not "n/a".

Kindest regards
Marcus

[jerolomb]

Hello,
The field i was talking is this one :

In a next iteration you can search on N/A and review them in priority. If you don't want them anymore delete them in risks in the Knowledge Base.

Kind Regards
Jérôme