Remediating Risk and Responding to Findings

Risk Remediation

There are two parts to the annual IT risk assessments in SPECTRIM. The first is risk assessment, and the second is responding to generated findings.

Just like corrective actions and risk management decisions within the retired risk assessment tool, ISAAC, findings are generated based on how an Assessor answered the questions.

Findings and risk scores (i.e. inherent risk, residual risk) only appear in SPECTRIM after the risk assessment has been completed and approved at all levels.

Findings are generated for each question that was answered as “Partially Implemented,” “Not Implemented” or “Unknown”. These responses indicate noncompliance with the related control, and the negative value assigned to each response (see the “Value” column in Table 1) lowers the risk score. A finding will not be generated if the question was answered as “Implemented” or “Not Applicable”.

Table 1: Assessment Answer Choices

| Response              | Value | Description                                                                                                                                |
|-----------------------|-------|--------------------------------------------------------------------------------------------------------------------------------------------|
| Implemented           | 0     | The full extent of the requirement has been put into place, documented, and communicated; and is consistently applied.                     |
| Partially Implemented | -0.5  | Some of the characteristics of the control requirement are being performed, but may not be documented and communicated, nor consistently applied. |
| Not Implemented       | -1    | The control requirement is not currently being performed or has not been put into practice.                                                |
| Unknown               | -1    | It cannot be determined whether the control requirement is being performed or has been put into practice.                                  |
| Not Applicable        | 0     | The specific control requirement is not applicable to the component being assessed.                                                        |

Responding to Findings

The Assessor is responsible for responding to the findings. A finding is the Assessor’s chance to explain why their unit is not in compliance and, where applicable, to describe their plan for improving compliance with the related control(s). The other option is to explain why they are accepting the risk that noncompliance potentially causes.

The Assessor should work with the Division Risk Assessment Coordinator (D-RAC) and/or other senior IT staff to develop acceptable responses. The dean or VP should be informed of responses that require changes in resources (e.g. funding, personnel, equipment, etc.) to improve compliance in certain areas, since they will sign off on all assessments for their college or division.

When responding to a finding, the Assessor has the option to either “accept risk” or “remediate risk”. Either choice requires the Assessor to provide additional information explaining why that choice was made. Learn more about how to accept or remediate risks in the Knowledge Base, which includes a sample remediation response.