
Rapid Risk Assessment

Full Process

https://infosec.mozilla.org/guidelines/risk/rapid_risk_assessment

1. Gathering Information

Target System
  • Identify the target system under review and the few key individuals who own or operate it
Use Cases
  • Gain a basic understanding of what the service does
  • An RRA is typically organized by someone from the security team and conducted as a one-hour meeting with the service owner and relevant engineers
  • Capture the business use case and an overview of how the service is implemented

2. Establishing a data dictionary

  • Capture each type of information the service handles and classify it; the impact measurements in the next step are made against this data

3. Identifying and Measuring Risks

Decomposition
  • Risk areas: confidentiality, integrity, and availability of the data
  • Each area is decomposed into impact areas: reputation, productivity, and finances of the organization
  • Total: nine measurements (three risk areas times three impact areas)
Risk Level
  • RISK = IMPACT x LIKELIHOOD: each of the nine impact measurements is combined with the likelihood of that risk occurring to give a risk level
Confidentiality
Integrity
Availability
Summary
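A worked example of the decomposition above, added here and not taken from Mozilla's RRA tooling: the nine measurements are stored as a risk area by impact area grid, each cell is combined with that risk area's likelihood using RISK = IMPACT x LIKELIHOOD on an ordinal scale, and the summary is the highest resulting cell together with the cells that drove it. The level names (LOW, MEDIUM, HIGH, MAXIMUM), the rank-multiplication rule used to combine levels, and the sample service data are assumptions made for illustration.

```python
"""Nine-cell RRA risk decomposition (added example, not Mozilla's code).

Assumed ordinal scale and combination rule; a real RRA follows the
organisation's own standard levels and risk matrix.
"""

LEVELS = ["LOW", "MEDIUM", "HIGH", "MAXIMUM"]          # assumed scale, ordered
RISK_AREAS = ("confidentiality", "integrity", "availability")
IMPACT_AREAS = ("reputation", "productivity", "finances")


def _rank(level):
    """0-based position of a level on the scale; rejects unknown names."""
    level = level.upper()
    if level not in LEVELS:
        raise ValueError(f"unknown level: {level!r}")
    return LEVELS.index(level)


def combine(impact, likelihood):
    """RISK = IMPACT x LIKELIHOOD on ordinal levels (assumed rule):
    multiply 1-based ranks (1..16) and map the product back to a level."""
    product = (_rank(impact) + 1) * (_rank(likelihood) + 1)
    if product >= 12:
        return "MAXIMUM"     # products 12 and 16
    if product >= 6:
        return "HIGH"        # products 6, 8, 9
    if product >= 3:
        return "MEDIUM"      # products 3, 4
    return "LOW"             # products 1, 2


def assess(impacts, likelihoods):
    """impacts: {risk_area: {impact_area: level}} (the nine measurements),
    likelihoods: {risk_area: level}. Returns (cells, summary) where cells maps
    (risk_area, impact_area) -> risk level and summary holds the highest level
    plus the cells that produced it. A missing measurement is an error,
    because an RRA with fewer than nine cells is incomplete."""
    cells = {}
    for ra in RISK_AREAS:
        if ra not in likelihoods:
            raise ValueError(f"missing likelihood for {ra}")
        for ia in IMPACT_AREAS:
            try:
                impact = impacts[ra][ia]
            except KeyError:
                raise ValueError(f"missing measurement: {ra}/{ia}") from None
            cells[(ra, ia)] = combine(impact, likelihoods[ra])
    top = max(cells.values(), key=_rank)
    drivers = sorted(cell for cell, level in cells.items() if level == top)
    return cells, {"level": top, "drivers": drivers}


# Constructed sample service for the example (hypothetical numbers).
SAMPLE_IMPACTS = {
    "confidentiality": {"reputation": "HIGH", "productivity": "LOW", "finances": "HIGH"},
    "integrity": {"reputation": "MEDIUM", "productivity": "MEDIUM", "finances": "MAXIMUM"},
    "availability": {"reputation": "LOW", "productivity": "MEDIUM", "finances": "LOW"},
}
SAMPLE_LIKELIHOODS = {"confidentiality": "MEDIUM", "integrity": "LOW", "availability": "HIGH"}


def example_assessment():
    """Run the sample service through assess() and return its result."""
    return assess(SAMPLE_IMPACTS, SAMPLE_LIKELIHOODS)


if __name__ == "__main__":
    cells, summary = example_assessment()
    for (ra, ia), level in cells.items():
        print(f"{ra:16s} {ia:13s} {level}")
    print("summary:", summary["level"], "driven by", summary["drivers"])
```

The summary deliberately reports which cells drove the top level rather than averaging: in the sample, the confidentiality cells are what push the service to HIGH, which is where the recommendations in the next step should concentrate.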

4. Making Recommendations

5. Track Risks

  • The recommendations should be captured as work items in the company’s issue tracker
  • Each recommendation is tracked in its own bug under a parent risk record bug. The risk record is created once the RRA has been performed on the service, and it is closed only when the service has been completely decommissioned