From the results obtained through the Risk Assessment module, the library of controls already available in the Risk Management module can be used to determine which security measures are suitable to contain the previously calculated Inherent Risk.
In this way a Gap Analysis can be carried out with respect to the identified security measures, and the Residual Risk incumbent on each Entity can be determined.
The levels of Residual Risk and the security measures not yet implemented may be the subject of a Security Roadmap that will form the basis for the definition of a programmatic strategy for the security of processes or data processing in order to achieve the security objectives set by management.
Controls
Risk In Deep is supplied with a library of over 500 security controls (which can be customised), in Italian, updated with respect to the ISO 27001 and NIST53a standards, the GDPR and the minimum security measures of the old Legislative Decree 196/03. Every control is already associated with a set of predefined threats, each characterised by a level of coverage with respect to Confidentiality, Integrity and Availability.
Security controls are subdivided by functional class and may be associated with specific types of Entity. For example, procedural/organisational controls (such as policies, procedures, instructions, etc.) can only be associated with Entity types of the Personnel kind.
Similarly, physical security measures (fire extinguishers, air conditioning, locks, etc.) can be associated with Entity types such as premises, cabinets, headquarters, etc. In this way there is greater accountability over the different entities that cooperate in data processing.
Gap Analysis
Through this module the implementation status can be collected for the security measures that Risk In Deep has selected, starting from the Inherent Risk calculated on each Entity.
The check lists contain only the security measures consistent with the nature of the Entity type. For example, technological measures are associated only with Entity types such as systems, networks and cloud services, while physical measures are associated only with premises, CED (data centres) and archives. Organisational measures are associated only with Entity types such as Organisational Units, Legal Entities, etc.
The methodology makes it possible to assess the risk of the various corporate entities that cooperate in a business process, and to manage and monitor over time the security measures needed to contain this risk. This result is obtained by exploiting the representational power of link analysis methods: the linked elements are combined and each contributes to the calculation of the Inherent Risk for every entity involved in the processing of personal data or, more generally, in the business process.
The Residual Risk
Following the completion of the Gap Analysis, the Residual Risk can be calculated. It is defined as the percentage of non-implementation or partial implementation of the security measures identified to contain the Inherent Risk.
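The entity-type check list filtering described under Gap Analysis and the Residual Risk definition above, as an added illustration that is not Risk In Deep's own code: the control identifiers, entity types and C/I/A coverage values are constructed, and the 0.5 weight given to a partially implemented measure is an assumption of this example, not a value stated by the page.

```python
from dataclasses import dataclass

# Contribution of each implementation status to the Residual Risk.
# The page defines Residual Risk as the percentage of non-implemented or
# partially implemented measures; the 0.5 weight for "partial" is an assumption.
STATUS_GAP = {"implemented": 0.0, "partial": 0.5, "not_implemented": 1.0}


@dataclass(frozen=True)
class Control:
    id: str
    name: str
    entity_types: frozenset   # Entity types the control may be associated with
    coverage: dict            # assumed C/I/A coverage of the control, each in [0, 1]


# Constructed sample library; identifiers are placeholders, not the product's own.
LIBRARY = [
    Control("ORG-01", "Acceptable use policy", frozenset({"personnel", "org_unit"}), {"C": 0.6, "I": 0.3, "A": 0.1}),
    Control("PHY-01", "Fire extinguisher", frozenset({"premises", "ced"}), {"C": 0.0, "I": 0.2, "A": 0.9}),
    Control("PHY-02", "Cabinet lock", frozenset({"premises", "cabinet"}), {"C": 0.8, "I": 0.5, "A": 0.2}),
    Control("TEC-01", "Disk encryption", frozenset({"system", "cloud"}), {"C": 0.9, "I": 0.3, "A": 0.0}),
    Control("TEC-02", "Backup", frozenset({"system", "network", "cloud"}), {"C": 0.0, "I": 0.6, "A": 0.9}),
]


def checklist(entity_type, library=LIBRARY):
    """Gap Analysis check list: only the controls consistent with the Entity type."""
    return [c for c in library if entity_type in c.entity_types]


def residual_risk(entity_type, status, library=LIBRARY):
    """Residual Risk as a percentage of the applicable controls not (fully) implemented.
    `status` maps control id -> implementation status; a control absent from
    `status` has not been assessed and is treated as not implemented."""
    applicable = checklist(entity_type, library)
    if not applicable:
        return 0.0
    gap = sum(STATUS_GAP[status.get(c.id, "not_implemented")] for c in applicable)
    return round(100.0 * gap / len(applicable), 1)


def roadmap(entity_type, status, library=LIBRARY):
    """Security Roadmap candidates: applicable controls that are not fully
    implemented, ordered by total C/I/A coverage so the most protective gaps come first."""
    open_items = [c for c in checklist(entity_type, library)
                  if status.get(c.id, "not_implemented") != "implemented"]
    return sorted(open_items, key=lambda c: -sum(c.coverage.values()))
```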
Entity Protection Profile Report
For each Entity a report can be generated that summarises all the elements characterising both the Risk Assessment and the Risk Management phases.