Innovation, Agility and Resilience - DNA of the fittest!

Strategy, AI, Digital transformation, Operational Resilience, Cyber Security, Process automation, Risk management and Compliance are your focus domains for value creation. AI-supported disruption and geopolitical uncertainty are the new reality. Agile organizations see all of that as opportunity. People, Processes and Planet are changing at a faster pace than at any time before. Sustainability, Artificial Intelligence and new business models are shaping the future. Without efficient utilization of "Digital", most businesses are at risk. Quick fix, systematic transformation or independent sparring partner to the CX team - your call. We provide tailored Advisory Services for your Sustainable Growth.

Cyber Security Risk Management

What is a cyber security risk assessment?

What is the value of a cyber security risk assessment?

Who should carry out a cyber security risk assessment?

Which framework is best for your cyber security risk management?

How often should an organisation perform a cyber security risk assessment?

How to conduct a cyber security risk assessment?

What should be the result of a cyber security risk assessment?

Please contact us and we will be happy to help you at all levels of cyber security mastery.

Continuous Audit – why and how to implement it?

The challenges of auditing complex information systems, compliance requirements and pressure from regulators have resulted in a trend towards, and a need for, ongoing, regular and integrated auditing of organizations. Information technology is present in every organisation; for many it is the core pillar of the current business model and is seen as the enabler of sustainable business strategies and transformations.

The number of transactions, and the cost of late detection of problems in the domains of management, risk or compliance, demand a modern, integrated approach to auditing information systems.

  • What is the best approach and solution for integrated GRC management (Governance, Risk, Compliance) in SAP environments?
  • How to best understand and implement controls monitoring and auditing?
  • How to execute and improve continuous audit?

We will be happy to help.

Information Security – How to do it right? What a Board Member needs to know…

Business, Governments and individuals – we are all reminded daily of our dependence on information.

We must protect the value of some information because we have classified it as Confidential and allow only trusted parties to access it. In this case we focus on Confidentiality.

We must protect some information from unwanted or undetected change to ensure its Integrity, because corrupted or altered information could result in risk or loss in business terms, or even loss of life in health care environments.

We want to ensure information is available to us when we need it. In this case we focus on Availability. Organizations have Business Continuity and Disaster Recovery Plans in place, and they prepare them by performing a Business Impact Assessment (BIA) in which they express their business needs as a Recovery Time Objective (RTO) and a Recovery Point Objective (RPO) for each asset.

As noted above, CIA – Confidentiality, Integrity and Availability – are the attributes of information we typically use to address information security needs.
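The RTO/RPO figures that come out of a BIA are only useful if someone checks them against what backups and restore drills actually deliver. The following script is an added example, not code from this page or from any client engagement: it holds a few constructed assets with their objectives, the age of their latest backup and the measured duration of their last restore drill, and reports where the RPO (data age) or the RTO (restore time) is breached or has never been verified. All asset names, objectives and timestamps are invented sample data.

```python
"""Added example: checking BIA recovery objectives (RTO/RPO) against evidence.

Asset names, objectives, backup times and drill durations are constructed
sample values, not figures from the page or from any real organisation.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


@dataclass
class Asset:
    name: str
    rto: timedelta                  # Recovery Time Objective: max tolerable downtime
    rpo: timedelta                  # Recovery Point Objective: max tolerable data loss
    last_backup: datetime           # most recent successful backup (constructed)
    last_restore_test: Optional[timedelta]  # measured duration of last restore drill; None = never tested


def evaluate(asset: Asset, now: datetime) -> List[str]:
    """Return findings for one asset; an empty list means both objectives are met."""
    findings: List[str] = []

    # RPO is about data age: if the newest backup is older than the RPO,
    # a failure right now would lose more data than the business accepted.
    data_age = now - asset.last_backup
    if data_age > asset.rpo:
        findings.append(
            f"RPO breached: last backup is {data_age} old, objective is {asset.rpo}"
        )

    # RTO is about restore time, and the only evidence for it is a real drill.
    if asset.last_restore_test is None:
        findings.append("RTO unverified: no restore drill on record")
    elif asset.last_restore_test > asset.rto:
        findings.append(
            f"RTO breached: last restore took {asset.last_restore_test}, "
            f"objective is {asset.rto}"
        )
    return findings


def report(assets: List[Asset], now: datetime) -> Dict[str, List[str]]:
    """Map each asset name to its list of findings."""
    return {a.name: evaluate(a, now) for a in assets}


# Constructed reference time and sample assets.
NOW = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_ASSETS = [
    Asset("erp-db", rto=timedelta(hours=4), rpo=timedelta(hours=1),
          last_backup=NOW - timedelta(minutes=30),
          last_restore_test=timedelta(hours=2)),
    Asset("file-share", rto=timedelta(hours=24), rpo=timedelta(hours=8),
          last_backup=NOW - timedelta(hours=26),
          last_restore_test=None),
    Asset("web-portal", rto=timedelta(hours=2), rpo=timedelta(hours=4),
          last_backup=NOW - timedelta(hours=1),
          last_restore_test=timedelta(hours=3)),
]

if __name__ == "__main__":
    for name, findings in report(SAMPLE_ASSETS, NOW).items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{name}: {status}")
```

The point of separating the two checks is that a green backup dashboard says nothing about the RTO: only a timed restore drill does, which is why an asset with no drill on record is reported as unverified rather than silently passed.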

All of the above is more or less clear to information security professionals and even to the general public; however, there are still significant differences in the maturity of organizations when implementing Information Security Governance and Enterprise Risk Management.

These are some of our recent observations from Information Security and Risk Management consulting and audit engagements:

  • Organizations mostly address Availability but neglect Integrity, and some also Confidentiality.
  • Internal Information Security Professionals are overwhelmed with Information Security related events – at least those who have SIEM systems in place and can detect events.
  • However, there are organisations which “don’t know that they don’t know” and may be exposed or already exploited.
  • The Board is not aware of the true health of Information Security. There is a lack of robust and consistent Information Security performance reporting.
  • There is a lack of trust between Information Security professionals and the Board, since Information Security Governance is not mature enough.
  • Information Technology Architecture is rapidly changing; however, it is poorly documented and as such does not provide the basis for robust Information Asset Management, which is an essential element of Information Security Management.
  • How can we protect or secure something if we don’t even know what Information Assets we have, where they are and how important they are for the organization?

  • Vulnerability management is slow and inefficient.
  • Unsupported and obsolete systems are still in use, which are known to pose a risk because they have known vulnerabilities.
  • Organizations engage managed security services providers; however, they are not always able to control their quality and performance.
  • System Admins have many tools and control mechanisms at their disposal; however, they do not have the time or knowledge to implement them.
  • There is high pressure from information security software and systems vendors on organizations, as well as rapidly changing value propositions, licensing options and business models. Without a robust IT Strategy and regular IT Architecture scenario analysis it is very likely that vendors will have the upper hand.
  • Only some organizations exercise their Cyber Security Scenarios beyond tabletop walkthrough exercises.
  • Exit strategies are addressed formally (in regulated environments only) before entering into an agreement, as part of the risk assessment process; however, exit strategies are mostly forgotten and not tested during the course of the cooperation.

This was just a sample we wanted to share, but the list goes on and on.

So where do we go from here?

Every organization is unique; however, there are common Enterprise Risk and Information Security denominators related to Governance and Management. We did not comment on Enterprise Risk Management above, but it is linked to Information Security.

We will be happy to help you diagnose and improve the maturity of your Enterprise Risk and Information Security efforts, or work with you on continuously raising the bar on the never-ending journey to a resilient, sustainable and agile organisation.

Client focus

“Digital transformation” was for the last few years, and still is, the buzzword that “for profit” organizations could not neglect. New job titles and positions were created, and there was a slight shift of “internal power” in favour of the initiatives and programs that delivered platforms enabling digital transformation.

Only the best organizations make the extra effort to evaluate the quality of these initiatives.

Why would this step be important?

As with any hype, the speed of change and the variety of business models in different organisations mean that one size does not fit all.

Are you squeezing the maximum value out of your data?

What are the additional opportunities and risks?

Is your governance model fit for your digitally transformed organisation?

How well will your change management program roadmap take advantage of Artificial Intelligence?

Data privacy in action

GDPR is here; however, the journey has just started.

Many organisations are still struggling in their efforts to comply with the GDPR requirements.

Our advice to organisations is to keep the GDPR initiative or project running for at least the next 6 months, with a focus on:

  • automating the processes related to GDPR,
  • planning and executing self-assessments and optimising processes,
  • executing ad-hoc deep reviews at the technical level to confirm proper recording, existence and relevance of the audit logs,
  • monitoring the guidelines, use cases and explanations from the regulator,
  • simplifying where possible,
  • modifying and adding where needed.

Privacy non-compliance is expensive

Privacy is one of the domains of information management that causes a lot of headaches for any entity that collects, uses or processes personal information. Recent events related to data breaches at giants like Yahoo demonstrate that even organizations with vast resources have challenges remaining compliant.

The EU is moving forward with the implementation of privacy requirements that can expose an organization to a penalty of up to 20M EUR or 4% of annual turnover.

The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679)

Even simple actions like storing your client data on your phone can present a significant risk from a compliance perspective if not managed properly.

How good are your privacy practices? We can help you via a diagnostic review that will discover the gaps. We can help you with the design and execution of the privacy compliance remediation. Please contact us.

Do you need a new CIO?

A Chief Information Officer is a valuable commodity. Just recently we have received a few requests to help identify or “head hunt” a suitable candidate.

After discussing with the clients we learned that the motives in these organisations were different.

One organisation and its CEO have a firm belief that their ERP system needs to be replaced and that the organization needs a new CIO to make that happen.

The other wants a CIO who not only runs after the latest and greatest in IT but also has a sense for ROI, costs, strategy and internal controls in IT.

It seems that the CEOs of these organisations have realised that the future potential for value creation sits in the intangible resources of their organisations – key people and information technology.

The question remains: what have their existing CIOs done wrong, or what did they not do? How could a CIO ensure he/she is doing the right thing? How could a CIO be a true value creator for an organisation?

We address this challenge via our diagnostic reviews of your IT functions. We will be happy to assist. Please contact us.

What is the optimal compliance level?

Absolute compliance can have a significant impact on business. Compliance with laws and external regulations is perhaps more important than internal compliance in domains with less impact on business performance.

Example: choosing to park your car in your boss’s parking space might be a challenge for you personally; however, in most cases such an act would have minimal impact on the business performance of the organization observed. In this case you have made a decision to break the rule. Whether the benefit of having a few extra minutes, since your boss’s parking spot is much closer to your desk than yours, was bigger than the risk your action exposed you to remains unknown in this scenario. We don’t know your boss, we don’t know the compliance tolerance levels and we don’t know the culture of your organization.

To be on the safe side, perhaps taking the bus or getting there earlier would be the right approach.

Compliance with laws and regulations is a must. Some organisations are worried about their compliance because they are using business models or resources that are perhaps not regulated yet.

Managing compliance risks may be complex, especially in regulated industries such as financial services, insurance and pharma.

A diagnostic review of your compliance maturity level might help your organisation identify opportunities for achieving an optimal compliance level. Please get in touch!

Risk Management will prevent surprises

While innovation is vital for sustainability, risk management will prevent surprises and help your organization operate within an acceptable risk appetite. It is very important to establish a common understanding of what your risk appetite is among all key stakeholders. An organization’s success can be misjudged if it is not put in the context of its risk exposure.