An Enterprise Risk plan should start with a Baseline understanding of the following:
1. An understanding of the business environment: business size, scope of industry verticals, risk factors, risk tolerances, etc.
2. An understanding of the types of data involved in running and managing the Enterprise.
3. Full understanding of industry-mandated requirements: HIPAA, FISMA, FedRAMP, CMMC, GDPR, etc.
4. Understanding of the People, Process and Technology of IT/IS, Finance, Legal, etc.
5. GRC should be structured as a Program with supporting Projects to deliver a programmatic approach to reducing risk. GRC is a journey with many moving parts.
6. Start with a baseline Risk Assessment (People and Process), Vulnerability Assessment, PenTest and Wireless Network Assessment (Technology).
7. Consider a Compromise Assessment to see if you have been breached and do not know it.
8. Gather these findings and prioritize a remediation plan to reduce Enterprise risk as it relates to budgeted funding.
9. Cost out the cumulative OpEx and CapEx funds required to execute the various Projects that: A. Are mandated by your industry. B. Should be done but are not necessarily mandated. C. Are the right thing to do.
10. Build out your prioritized Remediation Plan as it relates to available resources (Budget, People, Process and Technology).
11. Perform Remediation per #10.
12. Rinse, repeat. Execute in a programmatic manner. Review on a quarterly basis.
13. Build the above findings into the Budget request plan. Allocated funds should represent the risk tolerance of the Board, Executive Team and Stakeholders.
14. Reach out for help. It takes a community!
Reach us with questions: Peter@GaileySolutions.com | 214-336-1286 | http://www.gaileysolutions.com