How does the threats and vulnerabilities section work? ISMS

Effective information security management requires identifying and addressing threats and vulnerabilities to protect assets and maintain information integrity, confidentiality, and availability.

Threats and vulnerabilities now have a dedicated section in Pirani, where you can create and manage your threat and vulnerability records, associate them with assets and risks, and assign someone responsible for monitoring them, all in one place and taking into account the ISO 27001 standard.

Threats: These are external events or situations that can cause direct or indirect damage to information security. They can be natural disasters, hacker attacks, or technical failures.

Vulnerabilities: These are internal weaknesses or flaws in security systems or processes that could be exploited by threats or allow an attacker to affect information security. They can be weaknesses in policies, software, and more.

It is important to remember that threats and vulnerabilities are mainly associated with assets, since they occur under these elements. Also, they do not count in your plan's log count. 

→ Remember that this module is available for ISMS management systems, from the Starter plan to the Demo experience.

How do you create a threat or vulnerability?

Within the information security risk management system, click the "Threats and vulnerabilities" section on the left and click the "Create threat and vulnerability" button.

Here, you will find the creation box with the general information, in which you must enter mandatory and optional data. 

Name: Give it a name that will allow you to identify the record in the future.

Type: Choose whether it is a threat or a vulnerability. 

Category: Choose the category according to the record type you chose in the previous step. 

Threats: You can choose physical, natural, human actions, and more.

Vulnerabilities: You can choose hardware, software, and network, among others. 

Description: Assign a description to complement the information.

How do you generate associations?

Threats and vulnerabilities can be associated with different records, such as risks, assets, controls, and assigned responsible parties. Keep the close relationship between assets, threats, and vulnerabilities in mind when making these associations, since assets are the main elements to which the threat or vulnerability is linked.

Assets: To associate assets while creating the threat or vulnerability, click the assets option, then click the "Associate" button. Here you will find the assets previously created in the information assets section. For the association to take effect, click the "+" icon of each asset of interest.

Risks: While creating the threat or vulnerability, you can also associate risks; however, you can only associate risks previously associated with the assets you linked to this threat or vulnerability. For example, if you are creating a malware threat, you must first associate the asset that may be under threat, and this asset will bring in the risks that you associated with it when it was created, so that you can link them to the threat.

To link them, click the associate button, choose the information asset, and then click on the "+" icon of the risks you want to link. 

Ultimately, you will see that the risk is associated with the threat and vulnerability through that asset.  

Controls: This is an informative section showing which controls were added to the assets you linked to this record. To make an association of threats and vulnerabilities to the assets, you must do it from the risk creation in the control associations section.

Responsible: To assign a person responsible for monitoring the threat or vulnerability, click the "Responsible" option in the creation box, click the "Associate" button, and choose the teams you want to assign. 

To make the association, click on the "+" icon on the right side of the record to be selected.

How do you bulk import threats and vulnerabilities?

With the bulk upload feature, you can easily import hundreds of records from your organization to the threats and vulnerabilities section using a CSV format file. 

To do this, go to the Threats and Vulnerabilities section, click on the three dots next to the Create button, and click on the import option. Here, you will find a box with the option to import the records and the key elements that the file to be uploaded must have.  

Here, you will find a detailed tutorial on mass import.
