10. Risk treatment plans (RTP)#
The follow-up document to a risk analysis is the risk treatment plan (abbreviated as RTP). It is a document containing the objectives and benefits of the security measures chosen for managing each unaccepted risk, the designation of the person responsible for enforcing those measures, the necessary financial, technical, human and information resources, the date of their implementation, a description of the links between risks and the relevant security measures, and the method of implementing the security measures.
Security measures are implemented in accordance with this risk treatment plan. Documents based on the risk assessment, including the risk assessment itself, must be updated regularly and must take into account not only significant changes but also changes in the scope of the ISMS, measures according to § 11 ZKB, and cyber security incidents, including those already resolved.
10.1. List of risk treatment plans#
After going to the Risk treatment plans module, the user is presented with a list of all the plans to which they have access rights. The distribution of permissions in this case is as follows:

| Role | Rights |
|---|---|
| Admin | Can see and edit all available unfinished plans. |
| Manager | Can see and edit the plans they created or were assigned to by the administrator. A user with the manager role also has all the permissions of an analyst. |
| Analyst | Can participate in the creation of plans to which they have been assigned. Cannot edit plan parameters, but can edit plan rows and request approval from the manager. Can add comments. |
| Client | Can view and comment on plans created for their company. |
| Auditor | Has read access to all sections and can add comments. |
10.2. Create new RTP#
Creating an RTP on the Risk Flow platform is possible by clicking on the New risk treatment plan button or by opening https://INSTANCE-NAME.riskflow.cz/en/risks/risk-plan/create.

| Parameter | Required | Description |
|---|---|---|
| Client | Yes | Selects the client for which the RTP will be processed. |
| Analysis | Yes | Selection of a completed and manager-approved risk analysis for which the risk treatment plan will be prepared. |
| Type | Yes | Choose from the following options: |
| Title | No | Name of the risk treatment plan. It serves for better orientation. |
| Responsible manager | Yes | Only users with the |
| Risk analysts | No | Only users with the role |
| Deadline | Yes | Sets the deadline for resolution. It cannot be set to a past date or to today's date. |
Upon successful creation of a risk treatment plan, the assigned analysts and the responsible manager are notified by email. The informational email is not sent to the user who triggered the action, i.e. if the plan is created by a manager, that manager does not receive an email about being assigned to the plan. In this way Risk Flow tries to minimize the number of informational emails.
10.3. Edit RTP#
Plans are edited in the update form, which the user can open in the RTP list via the three dots icon or in the detail of the risk treatment plan via the Edit button.
10.4. Copy RTP#
A user with edit rights to a specific RTP can create copies of it. When copying, the same parameters must be set as when creating a new risk treatment plan. All RTP rows are duplicated in this process. This feature is very useful when revising previously completed RTPs. Copying is possible via the copy icon in the list of all available RTPs or in the detail of a specific RTP. The responsible manager and the analysts are informed by email about their assignment to the RTP.
10.5. Delete RTP#
RTP deletion is possible in the list of available plans or in the detail of a specific risk treatment plan. An authorized user can delete only plans that are not part of any approval process.
10.6. Export RTP#
Plans can be exported in the appropriate module by clicking on the Export button and selecting the type of export.
Export to MS Excel#
The export of risk treatment plans to a Microsoft Excel sheet has the following structure. The language of the export follows the user's language settings.

| Column | Description |
|---|---|
| # | Record number in the export |
| Client | Client's name |
| Deadline | Date |
| Title | Title of the risk treatment plan |
| Responsible manager | A user with the role |
| Analysts | List of users with the role |
| Status | |
| Completion | Plan completion progress expressed in %. |
| Created at | Date the record was created. |
| Creation time | Time the record was created. |
| Created by | Email of the user who created the record. |
| Modified | Date the record was last modified. |
| Modification time | Time the record was last modified. |
| Modified by | Email of the user who made the last changes. |
Export to PDF#
The export of the plan list to PDF contains a listing similar to the one in the application, with the columns below. The report language follows the application language currently in use.

| Column | Description |
|---|---|
| # | Record number in the export |
| Client | Client's name |
| Deadline | Date |
| Title | Title of the risk treatment plan |
| Responsible manager | A user with the role |
| Analysts | List of users with the role |
| Status | |
| Completion | Plan completion progress expressed in %. |
Export to JSON#
Export of plans to JSON format is available only to instance administrators and only under the Enterprise license. The exported file can serve as a simple backup or as input for import into third-party applications.
10.7. RTP detail#
Authorized users can view the risk treatment plans available to them. The administrator or the responsible persons can add and edit rows. Users with edit permission can edit plans that have not yet been approved directly in the plan detail, in the same way as in asset management.
Adding rows#
When a new risk treatment plan is created, all unacceptable risks from the relevant risk analysis are imported into it automatically, and acceptable risks are imported as well depending on the type of risk treatment plan being created. Acceptable risks can be added to and removed from the plan. Unacceptable risks cannot be omitted from the risk treatment plan.

The form for adding a risk can be found at https://INSTANCE-NAME.riskflow.cz/cs/risks/risk-plan/\<ID RTP\>/row/create/ or by clicking the Add to plan button. In this form you can make use of the Risk Flow catalog, from which you can draw specific texts describing measures, their goals and benefits, and evaluation metrics. Catalog search works after entering at least three characters; its use is demonstrated in the following image.

| Parameter | Required | Description |
|---|---|---|
| Risk analysis row | Yes | Selection of the risk from the relevant risk analysis for which the security measures will be proposed. |
Edit RTP row#
An authorized user can edit the rows of the plan directly in its detail or in the edit form of a specific row. In this form you can make use of the Risk Flow catalog, from which you can draw specific texts describing measures, their goals and benefits, and evaluation metrics. Catalog search works after entering at least three characters; its use is demonstrated in the following image.
The risk catalog can be used in this form for the following fields: Measure, Measure description, Goals and benefits, and Evaluation metric.
Managers and analysts can add entries to the risk catalog by leaving the Add to risk catalog box checked. The catalog is shared by all managers and analysts across all risk analyses, so texts specific to the client being processed should not be added to it. Only the instance administrator has the right to edit the catalog.

| Parameter | Required | Description |
|---|---|---|
| Identification | Yes | Identifier to improve orientation in the system. |
| Measure | Yes | Name of the security measure. |
| Measure description | Yes | Detailed description of the proposed security measure. |
| Goals and benefits | Yes | List of what the implementation of the measure will achieve. |
| Responsible manager | Yes | Person, department, or company responsible for implementing the security measure. |
| Implementation deadline | Yes | Deadline for implementing the measure. |
| Technical resources | Yes | Inventory of the equipment, space, etc. required to implement the measure successfully. |
| Financial resources | Yes | Estimate of the financial cost of implementing the measure. |
| Human resources | Yes | Estimate of the time required to implement the measure (e.g. in MD, man-days). |
| Evaluation metric | Yes | Definition of a measurable way to verify the effectiveness of the applied security measure. |
Delete RTP row#
An authorized user can delete rows of a plan that has not yet been approved, either directly in the plan detail or in the detail of a specific row, by clicking on the trash can icon and confirming in the modal window.
10.8. RTP approval#
Once all rows are completely filled in and the risk treatment plan completion shows 100 %, the plan can be submitted for approval.
Request for completed RTP approval#
A user with a manager or analyst role can submit an RTP approval request. The responsible manager is notified of the request by email and invited to take action.
Approval or return for completion#
Approval is performed by the responsible manager of the specific plan. Once the plan is approved, it is locked for editing and can be used further in approval flows. Until the responsible manager approves the plan, it can still be edited. As long as the plan is not part of an approval flow, the responsible manager can withdraw their approval and return the plan to the analysts for further work.
10.9. Comments#
Authorized users can add comments to plans. All comments can be viewed by clicking on the Comments button, which opens a page with a list of existing comments and a form for adding a new one.
Add comment#
A comment is added by filling in the field for the comment text and submitting it with the Add comment button.
Internal and public comments#
Users can add internal and public comments. Internal comments are not displayed to the clients for whom the risk treatment plan is being processed. Administrators, managers, analysts and auditors can see all recorded comments and attachments.
Attachments to comments#
Attachments can be added to each comment. To select multiple attachments, hold down the CTRL key while left-clicking the files to insert, or select all the files to upload and drag them to the file upload field.