CTRL Group's Risk Assessment is a data-centric risk methodology that examines the critical data groups within your organization from the ground up. Through workshops with the data owners within the organization, it assesses the impact of a loss of confidentiality, integrity, accountability and availability on the business from multiple perspectives, including financial, reputational, legal, the company mission and others. From there, methods of storage and access are catalogued and mapped to the data categories. Each of these then has its security controls assessed against industry best practice, taking into account both internal and external access paths. This is conducted both through a security evaluation platform and in workshops with data owners, the risk authority and the control authority.
The resulting exposures are heat-mapped across all data categories and environments, clearly revealing risks to confidentiality, integrity, accountability and availability.
Wherever a gap in security controls presents itself, our team provides a list of recommended actions to eliminate or reduce the risk.
Why Is This Important
- Provides important evidence that, in the event of a breach, your organization has done its due diligence and made every effort to harden its security posture.
- Puts management on the same page as to what data is business critical and draws a line on acceptable risk when it comes to handling data.
Data risk assessment time scales with the number of data environments in an organisation; as a general rule, it takes around 3 weeks for 20 environments. Examples of environments include network shares, local laptops, cloud storage, web portals and other 3rd-party applications, and physical storage onsite or offsite. Each environment needs its security controls assessed and mapped, which can be delayed by a lack of understanding or by communication issues.
A rough estimation of the number of environments storing or accessing sensitive data.
30 - 45 minutes with each of the data owners in the organisation (team leaders) to understand how they interact with sensitive data. 90 minutes with the head of risk, or whoever is best placed to rate the sensitivity of that data. 60 - 90 minutes with the security authority, who can explain the current security processes in place for each data environment.
Information you provide us is stored in the risk and compliance directory of CTRL Group's SharePoint; only risk team members assigned to your project are able to view and access that information. All internal information sharing is conducted through SharePoint links, and access is monitored and reviewed by the team leader daily.
The report is delivered through a password-protected SharePoint link, which expires after 7 days. CTRL Group then walks through the identified risks with the client and provides any further clarification regarding remediation or risks. The client's documentation is then securely stored in a password-protected zip file and deleted 6 weeks after handover.