Enterprise Risk and Security Management

ERSM

Our approach to building strong organisations is to sustain them by managing all the risks that come with their growth. Enterprise architecture-based risk assessment, security modelling and analysis are therefore key to organisational alignment.

By integrating risk and security aspects into the overall enterprise architecture, it becomes possible to analyse the impact of changes in values throughout the organisation, as well as the effect of potential control measures to mitigate risks such as cyber-security threats. We help you identify, protect, detect, respond and recover while you focus on your core business.

We build cyber-resilient businesses by combining cyber security, business continuity and enterprise resilience. We further assist enterprises in crafting, reviewing and managing their EA vision using proven architectural frameworks for effective alignment across business, governance, application, technology, security and data architectures.

Training

To ensure that tools remain sustainable and effective for the organisation, we value people as the main enhancers and custodians of how efficiently those tools are administered and managed. Training is critical for mitigating common threats: equipping users to be aware of, and in control of, access to and management of devices and information safeguards the organisation against potential losses and business disruptions. Training also covers continuous updates on changing laws and best practices as the business evolves, together with awareness in cyber security, governance and compliance.

Awareness Programmes

EA Risk Assessment

There will always be risk with any architecture/business transformation effort. It is important to identify, classify, and mitigate these risks before starting so that they can be tracked throughout the transformation effort.

Mitigation is an ongoing effort, and the risk triggers may often lie outside the scope of the transformation planners (e.g., a merger or acquisition), so planners must monitor the transformation context constantly.

It is also important to note that the Enterprise Architect may identify the risks and mitigate certain ones, but it is within the governance framework that risks have to be first accepted and then managed.

There are two levels of risk that should be considered, namely:

Initial Level of Risk: risk categorization prior to determining and implementing mitigating actions

Residual Level of Risk: risk categorization after implementation of mitigating actions (if any)

The process for risk management is described in the following sections and consists of the following activities:

Risk classification

Risk identification

Initial risk assessment

Risk mitigation and residual risk assessment

Risk monitoring

Cyber Security Threats Awareness

Cyber security awareness refers to how much end users know about the cyber security threats their networks face and the risks they themselves introduce. End users are considered the weakest link and the primary vulnerability within a network.

The benefits of cybersecurity awareness programs are the subject of broad discussion, particularly when it comes to phishing simulations. Nowadays, companies not only invest in IT security solutions, but also in the training of their employees with the goal of making them more conscious of security issues.

The Approach:

Start with Leadership (CEO and MD level)
Know Your Organisational Tolerances
Defend Your Information Assets
Focus on High-Risk Groups
Make It Engaging with Effective Storytelling
Get Your Policy Management Up To Date
Start Preparing for a Data Breach Now
Enlist Cyber Security Champions
Consider Your Supply Chain
Implement Proper Oversight and Regular Reviews

POPIA Awareness

You are responsible for ensuring that your staff receive awareness training on the South African privacy legislation, POPIA (Protection of Personal Information Act). Understanding the POPI Act is a critical step in your compliance programme. The Protection of Personal Information Act (POPIA) in South Africa came into effect on 1 July 2020. If you have delayed your compliance project, you need to act fast, as you will have a little less than 4 months of a “grace implementation period” to get ready for compliance.

We help you look into the following three steps:

1. Start with a Business Privacy Impact Assessment

Condition 7 of the Act (“Security Safeguards”) requires organisations to take “appropriate and reasonable measures” to safeguard personal information. The concept of acting “reasonably” is used in many privacy laws all over the world and requires a business to do what is appropriate to protect its data. Note that this does not require perfection. Rather, the business must take a risk-based approach and do what is reasonable to mitigate that risk.

By conducting a business privacy impact and risk assessment, you’ll identify privacy risks in your organisation and come up with a plan to either remediate or accept them.

2. Prioritise your high-risk processes

High-risk processes should always come first. Start with client/customer personal data and work your way towards employee personal data. This will involve collaboration with many departments, so executive buy-in is a must, and privacy compliance should be pitched as business enablement.

3. Drive a Privacy & POPIA Awareness Campaign

Employees need to be made aware of, and trained in, the security requirements of the organisation, as well as learn the basic POPIA privacy principles and how to apply them at work. Security awareness training for employees is one of the most effective means of reducing the potential for costly errors in handling sensitive information and of protecting company information systems.

The new requirements around POPIA and other regulations can seem tedious, but there are plenty of resources to assist with training around POPIA, GDPR and other privacy and cybersecurity content.