What is the Cybersecurity Risk Register?

The Cybersecurity Risk Register is used to record control deficiencies, etc., that contribute to an organization’s risk portfolio.

Risk registers are a widespread utility among cybersecurity professionals that allow practitioners to track and measure risks in one place. This type of reporting quickly aligns teams to the initiatives that matter and saves valuable resources, time, and labor. Risks are primarily sourced from Cybersecurity Risk Assessments, but are also added from various tools such as Qualys, Cisco AMP, etc., and from discussions that occur on campus. The Risk Register displays a list of all recorded risks along with various risk details, including the residual risk level, risk source, risk owner, risk stage, and the treatment status of the risk.

The UW-Madison Cybersecurity Risk Register is stored, maintained, and updated in OneTrust. (See OneTrust - How to access OneTrust.) The OneTrust Risk Register can be accessed here
Access to the Risk Register is configured to show only relevant risks, depending on who is logging in. Most users will only see risks related to assessments they participated in. Other users, such as Risk Executives, HIPAA Security Coordinators, and HIPAA Privacy Coordinators, will see all risks for their Division.
Risks are managed in 4 stages:
Identification - Risk has been identified but has not been evaluated to understand appropriate mitigation.
Evaluation - Risk is currently being examined to best understand how to mitigate.
Treatment - Risk is actively being mitigated.
Monitoring - Risk has been mitigated and is being monitored for changes that may increase its Risk Level in the future.

If you have questions about the UW-Madison Risk Register, please contact the Office of Cybersecurity at cybersecurity@cio.wisc.edu.