
Configuring and Managing Risk

Risk is assigned to profiles using attributes to help identify risks and assess the threat they pose. A profile's risk is increased by adding attributes that carry risk, and decreased by adding attributes that mitigate the risk. Non-Employee Risk Management calculates the risk and displays it as an overall risk score and risk level for the profile.

Note

By default, risk is disabled for all profile types and must be enabled for the overall risk score and risk levels to be displayed.

Configuring Risk Scale and Risk Levels

The risk scale allows risk to be measured on a defined scale between 0 and 10. Risk levels allow you to define named levels of risk based on thresholds configured on the risk scale. A profile displays the name of the risk level that its overall risk score falls within.

The number of risk levels and their threshold values can be configured based upon your organization's requirements. Threshold values are configured using the risk scale. The threshold where a risk level starts and ends is set between 0 and 10, with 0 being the least risk and 10 the greatest. Where one level ends, the next will begin.

By default, configured risk levels are named and ordered as Low, Medium and High. New risk levels are added to the end of the risk scale. Existing and new risk levels cannot be reordered. To change the order, rename existing levels and adjust the thresholds as needed.

The risk scale bar with Low, Medium, and High risk levels configured.

To add a risk level:

  1. Go to Admin > Lifecycle > Risk.
  2. Select the RISK SCALE tab.
  3. In the levels section, enter a name in the Level name field.
  4. Select the Add icon to add the new level to the end of the risk scale.
  5. In the Global Risk Scale section, select the Slider icon.
  6. Drag the slider to the left to decrease, or the right to increase the threshold values. Adjusting a threshold will adjust the threshold of adjoining risk levels.
  7. Select save.

To rename a risk level:

  1. Go to Admin > Lifecycle > Risk.
  2. Select the RISK SCALE tab.
  3. In the levels section, select the level you want to rename.
  4. Rename the level.
  5. Select save.

To delete a risk level:

  1. Go to Admin > Lifecycle > Risk.
  2. Select the RISK SCALE tab.
  3. In the levels section, select the Delete level icon next to the level you want to delete.
  4. (Optional) To reconfigure remaining risk level thresholds:
    • In the Global Risk Scale section, select the Slider icon.
    • Drag the slider to the left to decrease, or the right to increase the threshold values. Adjusting a threshold will adjust the threshold of adjoining risk levels.
  5. Select save.

Adding Risk to Attributes

Once you have configured risk levels in your tenant, you can add risk to profiles by assigning risk scores to attributes.

A risk score is a defined value that reflects the severity of a risk. It is used to calculate an attribute's risk and contributes to a profile's overall risk score.

A profile's overall risk score is displayed as a graph of impact and probability. Attributes that contribute to a profile's risk score must be assigned a risk type, which determines whether they contribute to a profile's risk impact, probability, or both.

Attributes with risk assigned to them are listed on the Risk Scoring page in the Attributes With Risk section. Risk can also be assigned when creating and editing attributes.

Mitigation can be applied to an attribute to reduce its risk score. For example, you may choose to mitigate risk for an attribute if the non-employee was a previous employee of your organization.

To assign risk scores to an attribute:

  1. Go to Admin > Lifecycle > Risk.
  2. Select the SCORING tab.
  3. In the Add Risk to an Attribute field, start entering the attribute name and select the required attribute.

    Note

    Only option-based attribute types, such as drop-downs, check boxes, radio buttons, profile search, and profile select, can be assigned risk scores.

  4. Select the Risk type to assign to the attribute. The available options are dependent on the type of attribute.

    • Impact - Defines the effect the risk will have.
    • Probability - Defines the likelihood of the risk occurring.
    • Impact and Probability - Defines the effect of the risk occurring and the likelihood.
    • Inherited - Risk is inherited from the selected profile. Inherited risk is only available for the profile search and profile select attribute types.
    • None - No risk is assigned to the attribute.
  5. Enter a risk score between 1 and 10 for each option, with 1 the least risk and 10 the greatest risk. Non-integers are rounded to 2 decimal places.

  6. Select save.

The attribute with risk is displayed in the Attributes With Risk section. The overall risk scores of profiles assigned the attribute are automatically recalculated.

To edit risk scores for an attribute with risk:

  1. Go to Admin > Lifecycle > Risk.
  2. Select the SCORING tab.
  3. In the Attributes With Risk section locate the attribute you wish to configure.
  4. Select the Risk type to assign to the attribute. The available options are dependent on the type of attribute.
    • Impact - Defines the effect the risk will have.
    • Probability - Defines the likelihood of the risk occurring.
    • Impact and Probability - Defines the effect of the risk occurring and the likelihood.
    • Inherited - Risk is inherited from the selected profile. Inherited risk is only available for the profile search and profile select attribute types.
    • None - No risk is assigned to the attribute.
  5. Enter a risk score between 1 and 10 for each option, with 1 the least risk and 10 the greatest risk. Non-integers are rounded to 2 decimal places.
  6. Select save.

The overall risk scores of profiles assigned the attribute are automatically recalculated.

Mitigating Risk

Risk can be reduced for an attribute based upon the value of another attribute. For example, you may choose to reduce risk if a non-employee who works remotely was a previous employee of your organization.

To add mitigation to an attribute with risk:

  1. Go to Admin > Lifecycle > Risk.
  2. Select the SCORING tab.
  3. In the Attributes With Risk section, locate the attribute you wish to add mitigation to.
  4. In the Mitigating Attributes field, start entering the attribute name and select the required attribute.
  5. Select Option and choose the option that applies the mitigation.
  6. Enter a mitigation score between 1 and 10 for each option, with 1 the least risk and 10 the greatest risk.
  7. Repeat for all attributes you want to apply mitigation to.
  8. Select save.

The overall risk scores of profiles assigned attributes containing mitigation are automatically recalculated.

Configuring Subcategories

Subcategories provide an additional risk score for profiles to help identify additional risk. Any attributes with risk can be added to a subcategory. For example, you could create subcategories for departments that have different risk factors, and select different attributes for each.

Subcategories are displayed on a profile's overall risk breakdown, but do not affect the profile's overall risk score.

Creating a Subcategory

  1. Go to Admin > Lifecycle > Risk.
  2. Select the SUBCATEGORIES tab.
  3. Select + Subcategory.
  4. In the New Risk Subcategory screen, enter a name in the Label field.
  5. Select Create.
  6. In the Subcategory Risk section, select the risk attributes to include in the subcategory.

The subcategory is displayed on the overall risk breakdown of profiles assigned the selected subcategory risk attributes.

Updating a Subcategory

  1. Go to Admin > Lifecycle > Risk.
  2. Select the SUBCATEGORIES tab.
  3. Select the name of the subcategory you wish to edit.

    The DETAILS screen is displayed. It contains the name, and list of available risk attributes for this subcategory.

  4. In the Label field, update the name.

  5. In the Subcategory Risk section, select the risk attributes to include in the subcategory.
  6. Select save.

Deleting a Subcategory

You can delete subcategories individually or in bulk.

  1. Go to Admin > Lifecycle > Risk.
  2. Select the SUBCATEGORIES tab.
  3. Select the checkbox beside the subcategories you want to delete.
  4. To select all subcategories, select the checkbox next to the RISK CATEGORIES header.
  5. Select the ellipsis icon next to the Actions header and select Remove.

Enabling Risk for a Profile Type

Once you have configured your risk levels and added risk and mitigation to attributes, you can enable risk for a profile type.

To enable risk for a profile type:

  1. Go to Admin > Lifecycle > Risk.
  2. Select the SETTINGS tab.
  3. Set RISK to ON.

The overall risk score is calculated and displayed on profiles within the enabled profile type.

Tip

Enabling risk for a profile type automatically adds the risk_score attribute in a hidden state to its related table. Unhide the attribute to display the overall risk score in the table.

How the Overall Risk Score is Calculated

The overall risk score for a profile is calculated from the risk scoring and mitigation assigned to each attribute, or risk inherited from other profiles.

Note

Subcategories are displayed on a profile's overall risk breakdown, but do not affect the profile's overall risk score.

The overall risk score for a profile is calculated as follows:

Risk Element: Overall Risk Score
Calculation: The average of the avg impact score and the avg probability score.

NOTE: If risk is inherited from another profile, and the inherited profile has a greater overall risk score, the overall risk score for the profile will be set to the overall risk score of the inherited profile. For example, if a profile has an overall risk score of 4.0, and its inherited profile has an overall risk score of 7.0, the profile will display an overall risk score of 7.0.

Risk Element: Average Impact Score (avg impact score)
Calculation: Each impact attribute's risk score, less its mitigated by score, gives the impact attribute's residual risk score. The impact attributes' residual risk scores are then averaged to calculate the avg impact score.

Risk Element: Average Probability Score (avg probability score)
Calculation: Each probability attribute's risk score, less its mitigated by score, gives the probability attribute's residual risk score. The probability attributes' residual risk scores are then averaged to calculate the avg probability score.
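The calculation above, together with the risk level lookup from the Configuring Risk Scale and Risk Levels section, as an added worked example in Python. This is illustrative code written for this page, not Non-Employee Risk Management's own implementation; the attribute values, the level thresholds, the clamping of a negative residual to 0, and treating an empty impact or probability set as 0 are all assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class RiskAttr:
    name: str
    risk_type: str            # "impact", "probability" or "both"
    risk: float               # score of the chosen option (1-10)
    mitigated_by: float = 0.0  # score of the mitigating attribute's option, 0 if none

    def residual(self) -> float:
        # residual risk = risk score less mitigated by score; the floor at 0 is an assumption
        return round(max(self.risk - self.mitigated_by, 0.0), 2)

def average(values) -> float:
    # an empty set contributing 0 is an assumption; scores keep 2 decimal places
    return round(sum(values) / len(values), 2) if values else 0.0

def overall_risk(attrs, inherited_score: Optional[float] = None) -> dict:
    """Average the impact and probability residuals, then apply the inherited override."""
    impact = [a.residual() for a in attrs if a.risk_type in ("impact", "both")]
    prob = [a.residual() for a in attrs if a.risk_type in ("probability", "both")]
    avg_impact, avg_prob = average(impact), average(prob)
    own = round((avg_impact + avg_prob) / 2, 2)
    # an inherited profile only overrides when its overall score is greater
    overridden = inherited_score is not None and inherited_score > own
    return {"avg_impact": avg_impact, "avg_probability": avg_prob, "own": own,
            "overall": inherited_score if overridden else own, "inherited": overridden}

def risk_level(score: float, levels) -> str:
    """levels: (name, upper threshold) pairs in scale order; a level runs up to its
    threshold, where the next begins, and the last level includes 10 (assumed boundaries)."""
    for name, upper in levels:
        if score < upper:
            return name
    return levels[-1][0]

# Constructed sample data: three attributes with risk and the default Low/Medium/High scale.
SAMPLE_ATTRS = [
    RiskAttr("Access level", "impact", risk=8, mitigated_by=3),   # residual 5
    RiskAttr("Works remotely", "probability", risk=6),            # residual 6
    RiskAttr("Contract type", "both", risk=4),                    # residual 4, counted in both
]
LEVELS = [("Low", 3.33), ("Medium", 6.67), ("High", 10.0)]

if __name__ == "__main__":
    for inherited in (None, 7.0):
        r = overall_risk(SAMPLE_ATTRS, inherited)
        print(r, risk_level(r["overall"], LEVELS))
```

With the sample data the avg impact score is 4.5, the avg probability score is 5.0 and the profile's own overall risk score is 4.75 (Medium); an inherited profile scoring 7.0 overrides it to 7.0 (High), while one scoring 2.0 does not.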

Viewing Overall Risk

Selecting the overall risk score on the profile table or profile detail page displays the profile's risk breakdown. Details of each element that is assigned are displayed.

The risk breakdown of a profile, detailing each element assigned risk.

  • Overall Risk - The overall risk score and risk level assigned to the profile. For further information on how the overall risk score is calculated, refer to How the Overall Risk Score is Calculated.
  • Impact or Probability - Attributes with the impact or probability risk types that are assigned to the profile.
    • Attribute - The attribute assigned to the profile.
    • value - The chosen option for the attribute.
    • risk - The risk score assigned to the chosen option.
    • mitigated by - The name of the mitigation attribute, its chosen option, and the assigned mitigated risk score. If there is no mitigation assigned this will be blank.
    • residual risk - The attribute's risk score after mitigation is applied.
    • avg impact/probability - The averaged value of all impact or probability attributes' residual risk scores.

Notes

  • If the profile inherits risk from another profile, the overall risk score is overridden by the inherited profile. An asterisk is displayed on the overall risk score, and details of the inherited profile are displayed at the top of the breakdown chart.
  • If the profile includes a subcategory, details of the subcategory are displayed at the bottom of the breakdown chart.
