Hi infosec/GRC members of the community,
Can you please share with our community members your recommendations on how an enterprise risk management plan should look like in 2022? How is it different from previous years?
What major factors should be taken into account?
Thanks
An Enterprise Risk plan should start with a Baseline understanding of the following:
1. An understanding of the Business environment. Business size, scope of industry verticals, risk tolerances etc.
2. An understanding of the types of Data involved to run and manage the Enterprise.
3. Full understanding of Industry Mandated requirements. HIPAA, FISMA, FEDRamp, CMMC, GDPR etc.
4. Understanding of People, Process Technology of IT/IS, Finance, Legal etc.
5. GRC should be structured as a Program with supporting Projects to deliver a Programmatic approach to reducing risk. GRC is a journey with many moving parts.
6. Start with a baseline Risk Assessment (People and Process’), Vulnerability Assessment, PenTest and Wireless Network Assessment (Technology).
7. Consider a Compromise Assessment to see if you have been breached and do not know it.
8. Gather these findings and prioritize a remediation plan to reduce Enterprise risk as it relates to budgeted funding.
9. Cost out the cumulative OpEx and CapEx funds required to execute the various Projects that:
A. Are Mandated by your industry.
B. Should be done but are not necessarily mandated.
C. The right thing to do.
10. Build out your prioritized Remediation Plan as it relates to available resources (Budget, People, Process and Technology.)
11. Perform Remediation per #10.
12. Rinse, Repeat. Execute in a Programmatic manor. Review on a quarterly basis.
13. Build the above findings into the Budget request plan. Allocated funds should represent the risk tolerance of the Executive Team.
Reach out for help.
Peter@Gaileysolutions.com