Why was the Risk Assessment Extra created?

Prior to introducing the SimpleRisk Risk Assessment Extra in 2018, SimpleRisk contained four available stock assessments (CIS Critical Security Controls, HIPAA, NIST 800-171, and PCI DSS 3.2) where users could take these assessments and answer the questions posed to them. The resulting answers then become pending risks that could either be added as a risk into SimpleRisk or deleted. While these assessments were effective, they were relatively basic and did not address many of the extended risk assessment requirements found in most organizations.

The SimpleRisk Risk Assessment Extra originated from a custom development effort funded by a large university customer on the East coast of the US and a large manufacturing customer on the West coast.  The manufacturing company wanted to streamline the vendor risk assessments they were performing manually at a rate of over 400 annually. The university had several internal teams who were doing custom development and their Security Team was responsible for ensuring that data security and privacy standards were upheld.  

Both essentially wanted to be able to send a list of questions to a contact, receive a response back, use the response to document new risks, and compare results over time. SimpleRisk helped to create a specification that both organizations agreed to and once the development effort was completed, the Risk Assessment Extra was integrated alongside the existing SimpleRisk functionality that they were already using.  This Extra is widely used across our customer base and has undergone countless enhancements since it was first introduced in 2018 and is now able to effectively meet the risk assessment requirements of any size organization.

How is the Risk Assessment Extra used?

The Risk Assessment Extra provides enhanced functionality to perform both internal and external risk assessments. It allows you to create your own custom questionnaires with "Multiple Choice" or "Fill in the Blank" answers, including logic based responses, to your questions. These assessments can be emailed to contacts and the results can then be tied back to control audits or create new risks.  The Risk Assessment Extra also provides a "one-click" import of a variety of risk assessment questionnaires and enables maturity assessments to gauge levels of compliance against your standards. You’re also able to compare the results over time and share the results with others and the system maintains a full audit trail of all risk assessment activities.

In addition, you have the ability to dynamically build Risk Assessment questionnaires. This feature creates both standard (Yes/No/Not Applicable) and maturity (specifying CMMI levels for each control) questionnaires across over 200 different control frameworks and contains questions based on over 1,000 security and privacy related common controls.  Automating this process makes it easily repeatable and has proven to be a huge time saver for organizations.

In addition to these 200+ frameworks, below is a screenshot displaying a variety of other frameworks in SimpleRisk that can be installed at the click of a button, where risk assessment questionnaires can be automatically generated.  

What users would benefit from the Risk Assessment Extra?

Below are examples as to how the Risk Assessment Extra provides benefits to the entire organization and key stakeholders.  

Organizations are able to: 

• Baseline security maturity, identify gaps, determine desired maturity levels and measure progress; 
• Demonstrate security maturity to Customers;
• Demonstrate security maturity to Executive Management and/or Board Members.

Compliance Teams and Auditors are able to:

• Determine where security gaps exist to help ensure regulatory compliance is being met. 

Security Teams are able to: 

• Leverage risk assessments to promote security awareness and drive mitigation efforts;
• Automate and streamline the Risk Assessment process and continually track progress.

Vendors are able to: 

• Mitigate risk to satisfy Customer requirements resulting from Vendor Risk Assessments.

Which plans include the Risk Assessment Extra?

The On-Premise Plus and Premium Packages, along with all of our Hosted Plans include the Risk Assessment Extra. Although our packages provide the most cost-effective way to purchase Extras, for those customers that choose a SimpleRisk On-Premise deployment model, we do offer an A La Carte option if you are interested in customizing which Extras you would like to purchase.

How can I learn more about the Risk Assessment Extra or try it out for myself?

To learn more about the Risk Assessment Extra or discuss specific use cases for how your organization could use it, feel free to schedule a demo online. If you would like to try out the Risk Assessment Extra functionality for yourself, we offer a free (no credit card required!) 30 day trial. Please reach out to SimpleRisk Support if you have any additional questions about the Risk Assessment Extra or any of the additional functionality that we offer.