Your IT risk assessments are among the most time-consuming parts of your entire Enterprise Risk Management program. You probably have dozens, or even hundreds, of technologies in use at your organization, and you need a way to view your technology risk holistically while still understanding each technology individually. Here are 6 things you can do in tandem with our new IT Risk software to make your risk assessment process efficient and effective.
Set Up Inventories
The best way to start the entire process is to set up accurate inventories of the technologies and hardware devices you use at your bank. Here, it is important to focus on the critical or high-risk systems. You and your team do not have to assess insignificant or very low-risk items, as long as they do not store, process, or transmit sensitive data.
Assign the Correct Owners and Reviewers
After you set up technology and hardware inventories, you then need to figure out who is going to assess each item. Think through who uses each technology most often: the assessment will be most effective when it is done by someone who clearly understands what the technology does, what data it handles, and what controls are currently in place. If a person doesn't know much about how the technology is used within your organization, they will have a very hard time assessing it. That means added time, money, and probably extra resources as they ask others to assist them.
Set up Controls Ahead of Assessments
The single most helpful thing you can do for your team before they begin working on the risk assessments they own is to define all the controls you have in place at your organization. Our software provides a default listing of NIST controls, but any software you use should also allow you to add in custom controls.
Don't know what controls you have? Your internal IT department can help you determine what is in place. After you have determined which controls are relevant to your organization, you can decide which are "entity level controls" (controls that apply to the entire organization, not just a specific technology) and which are "common controls" (controls that apply specifically to technologies or hardware). These will flow to the appropriate technology assessments so your team doesn't have to fill them in; they will already be populated.
Copy Similar Technologies
Have two similar technologies or pieces of hardware? Copy a completed risk assessment from one to the other. This may seem like a simple tip, but if you have several similar technologies you can save a lot of time.
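The scoping rule from the inventory section, the entity-level and common control pre-population, and the copy-a-similar-assessment tip above, as an added worked example; this is illustrative code, not the vendor's software or anything from the original page, and the asset fields, control names and sample inventory are constructed placeholders rather than a real NIST mapping:

```python
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    kind: str             # "technology" or "hardware"
    criticality: str      # "low", "moderate", "high" or "critical"
    sensitive_data: bool  # stores, processes or transmits sensitive data
    owner: str            # person who knows the system best (constructed)


# Constructed control catalogue: entity-level controls apply to every asset,
# common controls apply per asset kind. Names are placeholders.
ENTITY_CONTROLS = ["Security awareness training", "Incident response plan"]
COMMON_CONTROLS = {
    "technology": ["MFA for administrative access", "Centralized logging"],
    "hardware": ["Physical access restriction", "Asset tagging"],
}


def in_scope(asset: Asset) -> bool:
    """Assess an asset if it is high-risk or touches sensitive data; skip the rest."""
    return asset.criticality in ("high", "critical") or asset.sensitive_data


def populate_controls(asset: Asset) -> dict:
    """Pre-fill an assessment with the controls that flow to it; status starts empty."""
    controls = ENTITY_CONTROLS + COMMON_CONTROLS[asset.kind]
    return {"asset": asset.name, "owner": asset.owner,
            "controls": {c: None for c in controls}, "needs_review": True}


def copy_assessment(src: dict, dst: Asset) -> dict:
    """Copy statuses from a completed assessment to a similar asset.

    Only controls that also apply to the destination are carried over, and the
    copy is flagged for review so the owner still confirms each answer.
    """
    copied = populate_controls(dst)
    for control, status in src["controls"].items():
        if control in copied["controls"]:
            copied["controls"][control] = status
    return copied


def build_plan(assets: list) -> list:
    """Return pre-populated assessments for every in-scope asset in the inventory."""
    return [populate_controls(a) for a in assets if in_scope(a)]


# Constructed sample inventory
INVENTORY = [
    Asset("Core banking system", "technology", "critical", True, "ops-lead"),
    Asset("Lobby digital signage", "hardware", "low", False, "facilities"),
    Asset("Branch ATM #1", "hardware", "high", True, "branch-mgr"),
    Asset("Branch ATM #2", "hardware", "high", True, "branch-mgr"),
]
```

Running `build_plan(INVENTORY)` yields three assessments (the low-risk signage with no sensitive data is skipped), and copying the completed ATM #1 assessment onto ATM #2 carries over every matching control status while leaving the copy flagged for the owner's review.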
Plan a Timeline
Planning out your assessments in a timetable is a helpful step in making sure you are able to complete the project in a reasonable time frame. As Randy mentioned in a previous article, timeline should be the first dial set on a project, and that can help you better understand what resources and scope you need to complete your assessments before that deadline.
Use Your Resources
We wanted to be sure our clients get all the help they need as they use our IT module. That's why we set up resources like monthly training webinars and on-demand recordings of past training webinars. Stuck on a particular part? We created videos focused on specific functions within our software so people can get exactly the information they need. There are also user guides with step-by-step instructions and screenshots to guide you through the process. With all of this content available, you and your team should have everything you need at your fingertips. Always use the resources available so you can save time and move forward with confidence.
Interested in learning more about our IT Risk Management software, or how this new functionality works? Schedule a few minutes to speak with one of our risk management experts; we will show you around the software and learn more about your organization's specific needs.