As technologies become obsolete, the tools in use no longer meet the needs of the company. That's why Edison needed a risk assessment tool. A digital transformation plan was necessary to make the cyber risk assessment methodology more consistent with business needs and to address issues caused by the current tool, which had created an inadequate process.
Edison needed to gain a better understanding of risk levels by developing a risk assessment and controls process for each application in scope.
Finally, the main objective was to reduce the impact of risks by implementing a new risk assessment calculation model in HOPEX. The model takes into account the assessed level of control of each application and automatically assigns values to the attributes needed to produce the gross and net risk calculation.
Edison chose MEGA because the company has a long history of using MEGA's solutions, specifically the HOPEX Enterprise Architecture tool. One of the main benefits offered by HOPEX is that it links all the solutions into a single repository. Edison therefore already had a platform with all the necessary data, which could be shared directly in the cloud. Another major benefit is MEGA's ability to offer a personalized and flexible data model that can be customized according to Edison's needs.
In fact, Edison needed a modern tool to manage cybersecurity risks. To achieve this, MEGA implemented specific solutions and attributes to meet the requirements of the company. The project started with the implementation of a control assessment evaluation model that was contextualized for each application to ensure that each of them complied with the agreed rules and regulations. All rules and regulations were established by the customer to create an ad hoc and personalized solution.
First, custom attributes were implemented. These are characteristics that can be filled in and defined directly by the customer, and which calculate and average control levels, impact, probability, gross and net risk.
Once controls are defined, they must be performed against the risks as part of the risk assessment for each application. In this case, the controls are carried out through questions put to the designated users.
However, to make the process simpler and faster for the user, new attributes have been created to calculate the average control level of the checks associated with each application. In other words, each application can have more than one control, and the averaging gives the user the average of the values logged on those controls.
To avoid manually connecting risks to applications and controls to applications, a matrix was used. It was managed through a standard import template to easily connect and disconnect objects. A new workflow (operative steps) has been implemented to perform the application control level and application risk assessments.
The application repository is shared and managed by the IT managers, who use the IT Portfolio Management and the IT Architecture Solutions that feed the official list of the applications in HOPEX. On this inventory, the Security service periodically carries out an assessment.
MEGA has also developed custom application folders and custom application trees to have an overview of applications to be assessed and provide the user with a clear view of the situation.
The personalized solution created for Edison was based on an outcome-driven approach. This enabled synergy between departments, with a clear division and distribution of tasks between the IT architecture department and the cyber risk department, accelerating the delivery of the project and the achievement of the objectives.
Of course, improvement is constant. So, here are the next steps in Edison’s project: