Enterprise cyber security review(ECSR)
Building and operating your environment with trust where all stakeholders are confident that they can safely transact with you is your number one priority.
The security and resilience of your business and your entire eco-system is at the heart of inspiring this trust.
This is where an Enterprise Cyber Security Review (ECSR) is essential.
The four steps of an ESCR
It is essential that an organisation understands where they are in relation to securing their organisation which directly relates to inspiring trust and resilience.
Understanding where the organisation ranks with their information security and where they need to be, in conjunction with their selected industry standard security framework is the first step in discovery.
There are a few different standards and framework that an organisation is likely to align with or be required to be certified against including.
- ISO 27001
- NIST Cyber Security Framework
- PCI DSS
Risk assessment and establish a risk register
There are three stages to the risk register. These include:
1. Risk Identification
The first stage of the Risk Assessment is to identify all relevant threats and vulnerabilities which may impact the Confidentiality, Integrity and/or Availability (CIA) of information assets. Several factors need to be considered when identifying risks:
- Strategic risk
- Operational risk (including those related to the service delivery, people and technology)
- Financial risk
- Reputational risk
- Legal, regulatory and compliance
2. Risk Analysis
We assess the likelihood and potential consequences that would result if the risk(s) identified during the review were to materialise. The result of this step is determining the level of the risk.
3. Risk Treatment
Risk-treatment options will be discussed and documented with key stakeholders. These include:
- Transfer, or
Once an appropriate risk treatment option is chosen, the resultant residual risk rating will be determined and documented.
A security roadmap combines the results from the gap analysis and the risk assessment. A Roadmap provides the strategy and a visualised high-level program of action towards achieving the target state with respect to the organisation’s Cyber Security profile. It includes a prioritised approach towards reducing risks identified in current capabilities in people, process and/or technology.
The last step of an ECSR is to conduct a data governance review. Due to the implementation of the Data Breach Notification it has become imperative that organisations know what data they hold, where it is stored and who has access to it.
- Benefits of Data Governance
- Reliable data
- Data consistency
- Aligns with compliance requirements
- Assists with generating strong governance policies