
Risks, Findings and Observations

In the realm of security and compliance assessments, "Risks" are identified and articulated based on the information presented in "Findings" and "Observations." Here's a breakdown of the process:

Observations

Observations are typically the raw data or facts identified during the assessment. They capture what the assessor noticed, without necessarily assigning a value judgment.

For instance, an observation might note that a certain server lacks a recent security patch.

Findings

Findings are derived from observations and are more evaluative. They indicate whether an observation has implications for compliance, security, or other assessment criteria.

Building on the previous example, a finding might state that the server's lack of a recent security patch makes it vulnerable to a specific known exploit.

Risks

Risks are broader evaluations that consider the potential consequences and implications of findings. They look at the potential harm or impact that might result if the issues noted in findings aren't addressed.

Continuing with our example, a risk might point out that the server's vulnerability could lead to a data breach, potentially exposing sensitive customer data and incurring legal penalties.

Together

In this sequence:

  • Observations provide the factual basis.
  • Findings offer an evaluative judgment based on those facts.
  • Risks project forward to estimate the potential consequences and impacts of those findings.

After an assessment, the risks identified based on findings and observations are typically used to prioritize remediation efforts. The most critical or high-impact risks might be addressed first, followed by less severe ones. This process helps organizations manage their security postures effectively and allocate resources where they are most needed.