This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Edison - How to Assess and Manage Cybersecurity Risks

ADiari
MEGA
MEGA
‎01-04-2021 09:30 AM

An Ad Hoc Risk Assessment tool to mitigate the impact of risks

As technologies become obsolete, the tools used no longer meet the needs of the company. That’s why Edison needed a Risk Assessment tool. A Digital transformation plan was necessary to make the cyber risk assessment methodology used more consistent with business needs and to address issues generated by the current tool that created an inadequate process.

Edison needed to gain a better understanding of risk levels with the development of a risk assessment and controls process for each specific scope application.

Finally, the main objective was to reduce the impact of risks with the implementation of a new risk assessment calculation model in HOPEX which takes into account the assessment of the level of control of applications and automatically values the attributes needed to produce the gross and net risk calculation.  

 

Ensure security with a control assessment for each application

Edison chose MEGA because the company has a long history of using MEGA’s solutions, specifically HOPEX Enterprise Architecture tool. One of the main benefits offered by HOPEX is that it links all the solutions into a single repository. Edison then had an existing platform with all the necessary data that could be shared directly in the cloud. Another major benefit is MEGA’s ability to offer a personalized and flexible data model that can be customized according to their needs.

In fact, Edison needed a modern tool to manage Cybersecurity risks. To achieve this, MEGA implemented specific solutions and attributes to meet the requirements of the company. The project was carried out starting from the implementation of a control assessment evaluation model that was contextualized for each application to ensure that each of them complied with the agreed rules and regulations. All rules and regulations were established by the customer to create an ad hoc and personalized solution.

First, custom attributes were implemented. These are characteristics that can be fulfilled and defined directly by the customer, which calculate and average control levels, impact, probability, gross and net risk.  

Once controls are defined, they must be performed on the risks for the risk assessment for each application. In this case, the controls are carried out through questions asked to the designated users.

 

A single repository and a matrix to automatically connect risks to applications

However, to implement a simpler and faster process for the user, new attributes have been created to calculate the average control levels of the checks associated with each application. In other words, each application could have more than one control and this averaging is able to give the user the average of the values that are logged on the controls.

To avoid manually connecting risks to applications and controls to applications, a matrix was used. It was managed by a standard import template to easily connect and disconnect objects. A new workflow - operative steps – has been implemented in order to perform the applications control level and application risk assessments.

The application repository is shared and managed by the IT managers, who use the IT Portfolio Management and the IT Architecture Solutions that feed the official list of the applications in HOPEX. On this inventory, the Security service periodically carries out an assessment.

  1. The first step is to import the standard template to update the matrix and then start the evaluations.
  2. To evaluate the control level of an application, the user will assign a control level to each control - directly from the application property page - connected to the application that they are evaluating. Once the assessment is completed and validated, HOPEX will automatically calculate the average of the control level. The average control level is an attribute available in the appropriate tab of the application property page.
  3. At the end of the assessment, the user will be able to view and check the reporting to manage and identify any possible actions to be taken and to be corrected to mitigate critical situations or cases on specific applications.

MEGA has also developed custom application folders and custom application trees to have an overview of applications to be assessed and provide the user with a clear view of the situation.

The personalized solution created for Edison was based on an outcome–driven approach. This enabled a synergy between departments with a clear division and distribution of tasks between the IT architecture department and the cyber risk department, accelerating the delivery of the project and the achievement of the objectives. 

 

The continuous evolution of cybersecurity methodology

Of course, improvement is constant. So, here are the next steps in Edison’s project:

  • Integration of a detailed reporting
  • Improvement of the Cyber Risk Assessment methodology and optimization of the new post-first use risk assessment workflow
  • Use of assessment campaigns – users surveys - to extend the direct assessment in use on risks and controls
  • Stronger integration with IT architecture department – Sharing of attributes and data between IT architecture and IT cyber risk in order to create synergy between the two departments. 

 To find out more, watch the video of Edison's testimonial  

Contributors
Popular Articles
MEGA International © 1994 - 2024. All rights reserved