DASTRA



1. Identification

Learn how to identify risks in Dastra.

Last updated 1 year ago


When creating a new risk, you are asked to fill in the identification details.

Position the risk in an organizational unit. By default, if the risk is attached to a processing activity, this is the organizational unit of that processing activity.

Define an owner for each risk. This person will be responsible for monitoring and managing the risk.

Then choose a risk type.

Dastra lets you create a risk type repository. This will save you time and enable you to reuse risk types on other assets.

If your risk type is not in the repository, don't worry, just add it directly from this interface.

Add a risk type

Once a risk type has been created, it can be reused to generate risks of that type on as many assets as you wish. For example, you may want to identify the same risk on several of your processors (subcontractors): enter the risk type once, then reuse it for each processor or service provider.

Identifying the type of risk

A risk can be defined as the combination of a feared event and one or more threats that could cause that feared event to occur. It is measured in terms of likelihood (probability of occurrence) and severity (impact).

Feared event

To add a risk type, you must identify the feared event and its impact. The feared event is the consequence of the risk materializing.

Classically, three types of feared event are used in information systems security and privacy. The GDPR (Article 32) asks controllers and processors to guarantee the security of personal data along these three lines:

  • Breach of confidentiality

  • Breach of availability

  • Breach of integrity

With Dastra, the feared events you can create are not limited to these three: you can define your own categories, such as an industrial accident or an act of corruption. In this guide we concentrate initially on risks to information systems. For each feared event, you are asked to specify the impact it would have.

In the description of the feared event, specify the impacts.

Impacts vary depending on the context and on the object for which the risk is being assessed. For risks relating to personal data, the impacts are the damage suffered by individuals (identity theft, false accusations, loss of civil status, etc.).

Threats

For each feared event, we need to identify the threat(s) that will enable it to occur. A scenario needs to be devised. You can use past events or your imagination to anticipate what might happen.

Dastra offers template repositories in particular for generic threats. To import them, you need to search for generic threats in the library by selecting the "templates" source.

Sources

Risk sources are the elements that could cause the feared event to occur (who or what could be behind it?).

Consider both human sources, e.g. a system administrator, a cyber-attacker, a foreign state, and non-human sources, e.g. water damage, an earthquake, or untargeted malware.

Control points

For each risk, we need to identify the existing or planned measures that will enable us to deal with the risk.

These control points can be of several types:

  • security measures,

  • technical measures,

  • organizational measures,

  • or legal or functional measures.

ISO 27001 (Annex A, detailed in ISO 27002) provides a standard catalogue of control points for information system security risks. The CNIL's data security guide also proposes a number of control points specific to personal data protection.

Pre-assessment

Within a risk type, you can include a pre-assessment. It is carried over to every risk created from that type, which saves re-assessing the same scenario each time. The assessment is expressed in terms of likelihood and impact, on the scales you have configured.

Two values can be recorded:

  • the initial (inherent) risk: the theoretical risk of the activity, before any control measure (internal control) is applied;

  • the residual risk: the risk that remains once the control measures, in particular the control points identified above, are in place.
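The following Python model ties the identification fields together (feared event, impacts, threats, sources, control points and pre-assessment in one reusable risk type) and shows a risk type being instantiated on several processors with an initial and a residual assessment. It is an added illustration, not Dastra's code: the 4-point likelihood/severity scale, the rating bands, and the per-control "level reduction" figures are assumptions chosen for the example, and the risk type itself is constructed sample data.

```python
"""Illustrative model of risk-type identification with pre-assessment.
Added example, not Dastra's implementation. The 4-point scale, rating bands
and control-point reductions are assumptions; PROCESSOR_LEAK is constructed
sample data."""
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """Assumed 4-point scale used for both likelihood and severity."""
    NEGLIGIBLE = 1
    LIMITED = 2
    SIGNIFICANT = 3
    MAXIMUM = 4


def clamp(level: int) -> Level:
    """Keep a reduced or raised level inside the scale."""
    return Level(max(Level.NEGLIGIBLE, min(Level.MAXIMUM, level)))


@dataclass(frozen=True)
class Assessment:
    likelihood: Level
    severity: Level

    def score(self) -> int:
        return int(self.likelihood) * int(self.severity)

    def rating(self) -> str:
        """Assumed bands on the 1..16 likelihood x severity product."""
        s = self.score()
        if s >= 12:
            return "critical"
        if s >= 6:
            return "high"
        if s >= 3:
            return "medium"
        return "low"


@dataclass(frozen=True)
class ControlPoint:
    name: str
    kind: str                      # security / technical / organizational / legal
    likelihood_reduction: int = 0  # assumed: levels it lowers likelihood by
    severity_reduction: int = 0    # assumed: levels it lowers severity by
    planned: bool = False          # planned (not yet in place) vs existing


@dataclass(frozen=True)
class RiskType:
    name: str
    feared_event: str               # e.g. "breach of confidentiality"
    impacts: tuple[str, ...]        # damage to individuals
    threats: tuple[str, ...]        # scenarios enabling the feared event
    sources: tuple[str, ...]        # human and non-human risk sources
    controls: tuple[ControlPoint, ...]
    initial: Assessment             # pre-assessment before any control

    def residual(self, include_planned: bool = False) -> Assessment:
        """Risk left once existing (optionally also planned) controls apply."""
        applicable = [c for c in self.controls if not c.planned or include_planned]
        dl = sum(c.likelihood_reduction for c in applicable)
        ds = sum(c.severity_reduction for c in applicable)
        return Assessment(clamp(self.initial.likelihood - dl),
                          clamp(self.initial.severity - ds))


@dataclass(frozen=True)
class Risk:
    risk_type: RiskType
    asset: str                  # e.g. a processor or service provider
    organizational_unit: str
    owner: str                  # person monitoring and managing the risk


def instantiate(risk_type: RiskType, assets, unit: str, owner: str) -> list:
    """Reuse one risk type to create a risk on each asset (several processors)."""
    return [Risk(risk_type, asset, unit, owner) for asset in assets]


# Constructed sample risk type: personal data disclosed by a processor.
PROCESSOR_LEAK = RiskType(
    name="Personal data disclosed by a processor",
    feared_event="breach of confidentiality",
    impacts=("identity theft", "false accusations"),
    threats=("storage bucket misconfigured and exposed on the internet",
             "credentials stolen from processor staff"),
    sources=("cyber-attacker", "processor administrator"),
    controls=(
        # Legal measure recorded as a control point but not scored here.
        ControlPoint("Data processing agreement (Art. 28)", "legal"),
        ControlPoint("Encryption at rest, keys held by the controller", "technical", 0, 1),
        ControlPoint("Annual security audit of the processor", "organizational", 1, 0),
        ControlPoint("Pseudonymisation before transfer", "technical", 0, 1, planned=True),
    ),
    initial=Assessment(Level.SIGNIFICANT, Level.MAXIMUM),
)

if __name__ == "__main__":
    for r in instantiate(PROCESSOR_LEAK, ["HR payroll SaaS", "CRM provider"],
                         "HR", "dpo@example.org"):
        t = r.risk_type
        print(f"{r.asset}: initial {t.initial.rating()}, residual {t.residual().rating()}, "
              f"with planned controls {t.residual(include_planned=True).rating()}")
```

Separating existing from planned control points lets the same risk type report both the risk as it stands today and the risk expected once the action plan is delivered, which is the figure the later "Assess" and "Monitor" steps track.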
