In Tenacy, the Application and Provider perimeters cannot be directly linked to security measures. Unlike an internal security perimeter within the organization, the Application and Provider objects do not have a security base.
Therefore, technically, Tenacy does not allow you to track the compliance of applications and providers, simply because each organization cannot know which security measures are actually implemented by external providers to remain compliant.
However, with the following use case, you will be able to easily track your risks in the platform.
🔎 Feel free to read the articles in the Risks section or take training on the module to learn more about risk management in Tenacy.
Create a Buffer Perimeter
As you know, risk management in Tenacy is only possible if you have at least one dedicated perimeter to link your risks to.
So, we recommend creating a “buffer” perimeter associated with all of your organization’s applications and/or providers.
💡 To learn how to create a perimeter, read this article.
Create Your Risk Registers
Once the buffer perimeter is created, to clearly distinguish the different risks related to each application or provider, create one risk register per application/provider, and name each register after the corresponding application/provider.
Example:
If we want to track risks for Application A, we create a risk register called “Risk Analysis – Application A.”
💡 How to create a risk register? Follow this guide.
This approach will also give you a clear and detailed view per application/provider and make it easier to produce relevant reports.
Create and/or Import Your Risks
Within each risk register, you can import the various risks and link them to the previously created buffer perimeter.
Once the risks are imported, you can then set up their treatment plan.
Track the Risk Treatment Plan
After your risks are created in each register, you can create the related actions to monitor their treatment.
💡 Normally, Tenacy suggests adding security measures to each risk’s treatment plan, which allows the platform to automatically calculate its treatment rate.
However, in our use case, since the buffer perimeter groups several applications and/or providers, it is difficult to use security measures to treat these risks, because each measure is specific to a given application/provider and has a different performance level.
Just like with your risk registers, you should therefore create one action register per application/provider in the Action Plans module.
In other words: one risk register = one action register.
Example:
Continuing with Application A: having created the risk register “Risk Analysis – Application A”, we then create the action register “Risk Analysis – Application A” in the Action Plans module.
In each register, create simple actions and try to be as explicit as possible so you can clearly see which risk each action corresponds to.
Example:
We created a risk for Application A:
“Faulty reduction of the platform's attack - Application A”, visible in the Risk Analysis – Application A register, with a custom risk ID:
and the associated action register “Risk Analysis – Application A” with the two actions to be carried out for this risk:
The two actions include the ID of the related risk in their title, which makes it easy to find which actions are linked to which risks.
Once the actions are created, add to the risk description the actions to be carried out to mitigate this risk:
You can also add, in the description of each action, the percentage of risk reduction it provides (which can be useful when managing risks through actions).
Forcing Your Risk Values
Next, for each of your risks, you will need to define the current reduction level and the target.
This is done directly in the risk’s settings by checking “Override computed values?”:
We recommend always setting the target to 100%.
In our example, with the two actions created, we consider that each action reduces the risk by 50%.
At this point, since our actions are not yet completed, our risk looks like this:
And the treatment rate is 0%:
Tracking Your Risk Treatment Plan
Now that the target and current reduction level are set, you just need to plan and complete your actions to reduce your risk.
Continuing with our example from the article, we consider that our action AC001 is now completed, and that it reduces our risk by 50%.
Once the action is completed, we go back to the associated risk and update the current reduction level to 50%, which automatically gives a risk treatment rate of 50%:
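The following is an added example that models the workflow described in this article; it is not Tenacy's code and does not talk to the platform. It keeps one risk register and one action register per application under the same name, links each action to its risk through the risk ID carried in the action title, and derives the treatment rate from the overridden current and target reduction levels exactly as the article walks through for Application A (two actions at 50% each, AC001 completed). The risk ID format `[RI-A-001]`, the action titles, the second action ID `AC002` and the `ApplicationRegisters` class are constructed for the illustration. It also adds two checks a practitioner would want before relying on this convention: that no action is orphaned (its title references no known risk) and that the planned reductions for a risk add up to its target.

```python
"""Model of the buffer-perimeter risk tracking workflow (added example,
not Tenacy's code). Names, action titles, the risk ID format and AC002 are
constructed; AC001, the 50% reductions and the 100% target come from the
article."""
from dataclasses import dataclass, field
import re


@dataclass
class Risk:
    risk_id: str
    title: str
    target_pct: int = 100      # the article recommends always targeting 100%
    current_pct: int = 0       # the "Override computed values?" current level


@dataclass
class Action:
    action_id: str
    title: str                 # carries the related risk ID, e.g. "[RI-A-001] ..."
    reduction_pct: int         # reduction noted in the action description
    completed: bool = False


@dataclass
class ApplicationRegisters:
    """The matching pair for one application: risk register + action register."""
    name: str
    risks: dict = field(default_factory=dict)
    actions: list = field(default_factory=list)

    def add_risk(self, risk):
        self.risks[risk.risk_id] = risk

    def add_action(self, action):
        self.actions.append(action)


# Constructed convention: the risk ID is written in square brackets in the title.
RISK_REF = re.compile(r"\[([A-Za-z0-9-]+)\]")


def risk_ref(action):
    """Risk ID referenced by an action title, or None if absent."""
    match = RISK_REF.search(action.title)
    return match.group(1) if match else None


def actions_for_risk(reg, risk_id):
    return [a for a in reg.actions if risk_ref(a) == risk_id]


def orphan_actions(reg):
    """Actions that reference no risk, or a risk not present in this register."""
    return [a.action_id for a in reg.actions if risk_ref(a) not in reg.risks]


def planned_reduction(reg, risk_id):
    """Sum of the reductions of every action planned for a risk; it should
    reach the target, otherwise the risk can never be fully treated."""
    return sum(a.reduction_pct for a in actions_for_risk(reg, risk_id))


def treatment_rate(risk):
    """Treatment rate as a percentage of the target reached, capped at 100."""
    if risk.target_pct <= 0:
        raise ValueError("target reduction must be positive")
    return min(100, round(100 * risk.current_pct / risk.target_pct))


def complete_action(reg, action_id):
    """Mark an action done and refresh the current reduction level of its
    risk, which is what the article does by hand after completing AC001."""
    action = next(a for a in reg.actions if a.action_id == action_id)
    action.completed = True
    risk = reg.risks[risk_ref(action)]
    done = sum(a.reduction_pct
               for a in actions_for_risk(reg, risk.risk_id) if a.completed)
    risk.current_pct = min(risk.target_pct, done)
    return treatment_rate(risk)


def application_a_example():
    """Walk through the article's Application A scenario; returns
    (registers, rate before any action, rate after AC001 is completed)."""
    reg = ApplicationRegisters("Risk Analysis - Application A")
    reg.add_risk(Risk("RI-A-001",
                      "Faulty reduction of the platform's attack - Application A"))
    reg.add_action(Action("AC001", "[RI-A-001] First remediation action", 50))
    reg.add_action(Action("AC002", "[RI-A-001] Second remediation action", 50))
    before = treatment_rate(reg.risks["RI-A-001"])   # 0%: nothing completed
    after = complete_action(reg, "AC001")            # 50%: one of two actions
    return reg, before, after


if __name__ == "__main__":
    registers, before, after = application_a_example()
    print(registers.name, "orphans:", orphan_actions(registers))
    print("planned:", planned_reduction(registers, "RI-A-001"), "%")
    print("treatment rate before/after AC001:", before, "/", after, "%")
```

Run it as a script to see the 0% to 50% progression; `orphan_actions` and `planned_reduction` are the two consistency checks worth running on a real register export before trusting the overridden values.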