Our approach to building strong organisations is to sustain them by managing the risks that come with their growth. Enterprise architecture-based risk assessment, security modelling and analysis are therefore key to organisational alignment.
Integrating risk and security aspects into the overall enterprise architecture makes it possible to analyse the impact of changes in value throughout the organisation, as well as the effects of potential control measures to mitigate risks such as cyber-security threats. We help you identify, protect, detect, respond and recover while you focus on your core business.
EA Risk Assessment
There will always be risk with any architecture or business transformation effort. It is important to identify, classify and mitigate these risks before starting, so that they can be tracked throughout the transformation effort.
Mitigation is an ongoing effort, and risk triggers often lie outside the scope of the transformation planners (e.g., a merger or acquisition), so planners must monitor the transformation context constantly.
Note also that the Enterprise Architect may identify risks and mitigate some of them, but it is within the governance framework that risks must first be accepted and then managed.
There are two levels of risk that should be considered, namely:
Initial Level of Risk: risk categorization prior to determining and implementing mitigating actions
Residual Level of Risk: risk categorization after implementation of mitigating actions (if any)
The process for risk management is described in the following sections and consists of the following activities:
Initial risk assessment
Risk mitigation and residual risk assessment
Cyber Security Threats Awareness
Cyber security awareness refers to how much end users know about the cyber security threats their networks face and the risks they themselves introduce. End users are considered the weakest link and the primary vulnerability within a network.
The benefits of cybersecurity awareness programs are the subject of broad discussion, particularly when it comes to phishing simulations. Nowadays, companies invest not only in IT security solutions but also in training their employees, with the goal of making them more conscious of security issues.
Start with Leadership (CEO and MD level)
Know Your Organisational Tolerances
Defend Your Information Assets
Focus on High-Risk Groups
Make It Engaging with Effective Storytelling
Get Your Policy Management Up To Date
Start Preparing for a Data Breach Now
Enlist Cyber Security Champions
Consider Your Supply Chain
Implement Proper Oversight and Regular Reviews
You are responsible for ensuring that your staff receive awareness training about the South African privacy legislation, POPIA (Protection of Personal Information Act). Understanding the POPI Act is a critical step in your compliance programme. The Protection of Personal Information Act (POPIA) in South Africa came into effect on 1 July 2020. If you have delayed your compliance project, you need to act fast, as you will have just under 4 months of the grace implementation period left to get ready for compliance.
We help you work through the following three steps:
1. Start with a Business Privacy Impact Assessment
Condition 7 of the Act (“Security Safeguards”) requires organisations to take “appropriate and reasonable measures” to safeguard personal information. The concept of acting “reasonably” is used in many privacy laws around the world and requires a business to do what is appropriate to protect its data. Note that this does not require perfection. Rather, the business must take a risk-based approach and do what is reasonable to mitigate the identified risk.
By conducting a business privacy impact and risk assessment, you’ll identify privacy risks in your organisation and come up with a plan to either remediate or accept them.
2. Prioritize your high risk processes
High-risk processes should always come first. Start with client/customer personal data and work your way towards employee personal data. This will involve collaboration with many departments, so executive buy-in is a must, and privacy compliance should be pitched as business enablement.
3. Drive a Privacy & POPIA Awareness Campaign
Employees need to be made aware of, and trained in, the organisation's security requirements, as well as the basic POPIA privacy principles and how to apply them at work. Security awareness training for employees is one of the most effective means of reducing the potential for costly errors in handling sensitive information and of protecting company information systems.
The new requirements around POPIA and other regulations can seem tedious, but there are plenty of resources to assist with training around POPIA, GDPR and other privacy and cybersecurity content.