An Ad Hoc Risk Assessment tool to mitigate the impact of risks
As technologies become obsolete, the tools built on them no longer meet the needs of the company. That is why Edison needed a new risk assessment tool. A digital transformation plan was necessary to bring the cyber risk assessment methodology in line with business needs and to address the shortcomings of the existing tool, which had produced an inadequate process.
Edison needed to gain a better understanding of risk levels through the development of a risk assessment and controls process for each application in scope.
Finally, the main objective was to reduce the impact of risks by implementing a new risk assessment calculation model in HOPEX that takes into account the assessed control level of each application and automatically values the attributes needed to produce the gross and net risk calculation.
Ensure security with a control assessment for each application
Edison chose MEGA because the company has a long history of using MEGA’s solutions, specifically HOPEX Enterprise Architecture tool. One of the main benefits offered by HOPEX is that it links all the solutions into a single repository. Edison then had an existing platform with all the necessary data that could be shared directly in the cloud. Another major benefit is MEGA’s ability to offer a personalized and flexible data model that can be customized according to their needs.
Edison needed a modern tool to manage cybersecurity risks. To achieve this, MEGA implemented specific solutions and attributes to meet the company's requirements. The project started with the implementation of a control assessment model, contextualized for each application, to ensure that each one complied with the agreed rules and regulations. All rules and regulations were established by the customer, resulting in an ad hoc, personalized solution.
First, custom attributes were implemented. These are characteristics that the customer defines and populates directly; they calculate and average control levels, impact, probability, and gross and net risk.
Once controls are defined, they must be applied to the risks in the risk assessment of each application. In this case, the controls are carried out through questions put to the designated users.
A single repository and a matrix to automatically connect risks to applications
To make the process simpler and faster for the user, new attributes were created to calculate the average control level of the controls associated with each application. In other words, an application can have more than one control, and this attribute gives the user the average of the values logged on those controls.
To avoid manually connecting risks to applications and controls to applications, a matrix was used. It is managed through a standard import template so that objects can easily be connected and disconnected. A new workflow (operative steps) was implemented to perform the application control level and application risk assessments.
The application repository is shared and managed by the IT managers, who use the IT Portfolio Management and the IT Architecture Solutions that feed the official list of the applications in HOPEX. On this inventory, the Security service periodically carries out an assessment.
- The first step is to import the standard template to update the matrix and then start the evaluations.
- To evaluate the control level of an application, the user assigns a control level to each control connected to the application being evaluated, directly from the application property page. Once the assessment is completed and validated, HOPEX automatically calculates the average control level. The average control level is an attribute available in the appropriate tab of the application property page.
- At the end of the assessment, the user can view and check the reporting to identify and manage any actions needed to mitigate critical situations on specific applications.
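The calculation the steps above describe, as an added illustration that is not HOPEX's data model or Edison's configuration: rows from an import template connect controls and risks to applications, designated users assign a level to each control, the average control level is derived from the controls actually assessed, and gross and net risk are computed per risk for the reporting step. The formulas (gross risk = impact × probability; net risk = gross risk reduced in proportion to the average control level), the 0..4 control scale, the reporting threshold and every name and sample row are assumptions constructed for the example; the page states only that these attributes are averaged and calculated.

```python
"""Toy application risk model: matrix import, control-level averaging,
gross/net risk. Added example; formulas and scales are assumptions."""
from __future__ import annotations
from dataclasses import dataclass, field
from statistics import mean

CONTROL_LEVEL_MAX = 4     # assumed scale: 0 = control absent .. 4 = optimised
NET_RISK_THRESHOLD = 10   # assumed threshold for flagging an application in reporting


@dataclass
class Control:
    name: str
    level: int | None = None   # stays None until the designated user answers


@dataclass
class Risk:
    name: str
    impact: int        # assumed 1..5
    probability: int   # assumed 1..5


@dataclass
class Application:
    name: str
    controls: list[Control] = field(default_factory=list)
    risks: list[Risk] = field(default_factory=list)


# Constructed catalogue of risks with their (impact, probability) attributes.
RISK_CATALOGUE = {"Data breach": (5, 3), "Ransomware": (4, 4)}

# Constructed import-template rows: application, object type, object name.
MATRIX_ROWS = [
    ("Billing", "control", "MFA on admin access"),
    ("Billing", "control", "Backup restore test"),
    ("Billing", "risk", "Data breach"),
    ("Billing", "risk", "Ransomware"),
    ("HR Portal", "control", "MFA on admin access"),
    ("HR Portal", "risk", "Data breach"),
]


def build_applications(rows):
    """Connect controls and risks to applications from matrix rows."""
    apps: dict[str, Application] = {}
    for app_name, kind, obj_name in rows:
        app = apps.setdefault(app_name, Application(app_name))
        if kind == "control":
            app.controls.append(Control(obj_name))   # fresh object per application
        elif kind == "risk":
            impact, probability = RISK_CATALOGUE[obj_name]
            app.risks.append(Risk(obj_name, impact, probability))
        else:
            raise ValueError(f"unknown object type {kind!r} in matrix row")
    return apps


def record_answer(app, control_name, level):
    """Store the level a designated user assigned to one of the application's controls."""
    if not 0 <= level <= CONTROL_LEVEL_MAX:
        raise ValueError(f"control level must be 0..{CONTROL_LEVEL_MAX}")
    for control in app.controls:
        if control.name == control_name:
            control.level = level
            return
    raise KeyError(f"{control_name!r} is not connected to {app.name!r}")


def average_control_level(app):
    """Average over the controls that were actually assessed.

    Returns None when nothing has been answered yet, so an unanswered
    questionnaire is never silently treated as a control level."""
    levels = [c.level for c in app.controls if c.level is not None]
    return mean(levels) if levels else None


def gross_risk(risk):
    return risk.impact * risk.probability


def net_risk(risk, avg_level):
    # Assumed formula: controls reduce gross risk in proportion to the average
    # control level; with no assessed controls there is no reduction at all.
    if avg_level is None:
        return gross_risk(risk)
    return gross_risk(risk) * (1 - avg_level / CONTROL_LEVEL_MAX)


def assess(app):
    """Figures the reporting step would show for one application."""
    avg = average_control_level(app)
    per_risk = {r.name: (gross_risk(r), round(net_risk(r, avg), 2)) for r in app.risks}
    worst_net = max((net for _, net in per_risk.values()), default=0)
    return {"avg_control_level": avg, "risks": per_risk,
            "critical": worst_net > NET_RISK_THRESHOLD}


if __name__ == "__main__":
    apps = build_applications(MATRIX_ROWS)
    record_answer(apps["Billing"], "MFA on admin access", 4)
    record_answer(apps["Billing"], "Backup restore test", 2)
    for name, app in apps.items():
        print(name, assess(app))
```

The point worth keeping from the example is the handling of unanswered controls: an application whose questionnaire has not been completed keeps its full gross risk and is flagged in reporting, rather than receiving credit for controls nobody has assessed.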
MEGA has also developed custom application folders and custom application trees to have an overview of applications to be assessed and provide the user with a clear view of the situation.
The personalized solution created for Edison was based on an outcome-driven approach. This enabled a synergy between departments, with a clear division and distribution of tasks between the IT architecture department and the cyber risk department, accelerating the delivery of the project and the achievement of its objectives.
The continuous evolution of cybersecurity methodology
Of course, improvement is constant. So, here are the next steps in Edison’s project:
- Integration of detailed reporting
- Improvement of the Cyber Risk Assessment methodology and optimization of the new risk assessment workflow after its first use
- Use of assessment campaigns (user surveys) to extend the direct assessment in use for risks and controls
- Stronger integration with the IT architecture department: sharing attributes and data between IT architecture and IT cyber risk to create synergy between the two departments.
To find out more, watch the video of Edison's testimonial.