Skip to content

Add criteria for tier 3 to tier 2 upgrade

Madeline Lake requested to merge master-patch-d75b into master

Why is this change being made?

This change is being made to add criteria for tier 3 to tier 2 upgrade.

Author Checklist

  • Provided a concise title for this Merge Request (MR)
  • Added a description to this MR explaining the reasons for the proposed change, per say why, not just what
    • Copy/paste the Slack conversation to document it for later, or upload screenshots. Verify that no confidential data is added, and the content is SAFE
  • Assign reviewers for this MR to the correct Directly Responsible Individual/s (DRI)
    • If the DRI for the page/s being updated isn’t immediately clear, then assign it to one of the people listed in the Maintained by section on the page being edited
    • If your manager does not have merge rights, please ask someone to merge it AFTER it has been approved by your manager in #mr-buddies
    • The when to get approval handbook section explains the workflow in more detail
  • If the changes affect team members, or warrant an announcement in another way, please consider posting an update in [#whats-happening-at-gitlab][whats-happening-at-gitlab-slack] linking to this MR
    • If this is a change that directly impacts the majority of global team members, it should be a candidate for [#company-fyi][company-fyi-slack]. Please work with internal communications and check the handbook for examples.

Diff

- OFI's do not have defined remediation SLA's as they are process improvements or
- Observations will **always** impact control effectiveness ratings
- OFIs will **never** impact control effectiveness ratings

+ ## Criteria for Upgrading Observations (i.e. tier 3 information system level risks) to Operational Risks (tier 2)

+ The observation program is a key input to the [StORM program](/handbook/security/security-assurance/security-risk/storm-program/), which manages tier 2 security operational risks. When the following criteria is met, it is an indicator that a larger risk exists and is upgraded to a tier 2 operational risk and therefore included in the StORM program. This criteria is as follows: 
+ - An observation in an entity level control
+ - When multiple observation share root cause and are grouped in an [observation epic](/handbook/security/security-assurance/observation-remediation-procedure.html#root-cause-observation-epics)

+ The process for intiating this process is as follows .......

## Exceptions

Exceptions will be created for observations that breach a mutually agreed upon remediation date, breach in SLA or if the Remediation Owner confirms the observation will not be remediated.

Quick actions for assignment, labels, review requests. Please update them as needed.

This description was generated for revision 4ecb0079 using AI

Merge request reports