The probability that something bad or unwanted will happen.
What is likelihood?
Assessing the risk rating is a one-time process?
What is false. Cybersecurity risk evolves continuously, so risk ratings should be reviewed and updated regularly to reflect changing conditions.
You should submit issues only when these are not met?
What are the PepsiCo Security Standards.
Both of these roles have access to cancel issues.
Who are the Assessor and the Issue Coordinator.
*However, the cancel button will not be available on issues with pending exception(s).
The effect that can occur if something bad or unwanted happens.
What is impact?
I can artificially inflate a risk rating so that the concerned team prioritizes mitigation efforts.
What is false. Risk assessments should always reflect the true level of risk.
When is the Assessor's task completed?
What is when the issue has been closed or cancelled.
Who must reach out to the Issue Owner to explain when and why the issue was created?
What is the Assessor. The Issue Coordinator should not be the first to contact the Issue Owner about the issue.
Who should you notify if you classify an issue as high or critical?
What are your Leadership Team and stakeholders.
This must also accompany the Security Standard on all issues.
What is the Control Objective.
Residual risk should be lower than or equal to inherent risk, but never greater?
What is true.
What is the best way to explain risk so our customers will be more likely to comply and remediate?
What is explaining the risk in business terms.
The Send to Coordinator button on the issue form
What is the button used to send the issue back to the Issues Management team for review.
Risk Ratings should be based on what?
What is objective and verifiable data rather than opinion or subjective judgement.
I should create an issue if there is a cyber-risk, even if the finding does not go against a PepsiCo Security Standard.
What is false. Issues should be created only for findings that do not comply with the PepsiCo Security Standards.
Project teams may obtain this to allow a project to go live before the risk is remediated.
What is a Security Exception.
* There must be an actionable remediation plan listed in the exception.