Measuring Information Risk for a $2 Million Non-Profit Local Agency
The non-profit agency had twenty-five people working at two operating locations. They hired an outside technology service provider to manage their network routers, servers, email, accounting software, and so forth. They also used 3 cloud-based applications.
Here's how we measured information risk:
Policy-making controls were centralized, with the agency's executive management team designating cybersecurity roles and responsibilities among staff, for instance. So we had only one score to collect for each of these controls.
The management of identities was a shared responsibility between the agency staff, the IT service provider, and the 3 software-as-a-service providers. The management team decided when to create user accounts and when to shut them off. The outside service providers implemented their decisions. So we scored these controls twice.
Data backups were performed by the IT service provider and the three software-as-a-service providers for their areas of responsibility. So we scored these controls four times.
Overall, because of its small size, the entire organization was in scope, and we produced one scorecard.
Measuring Information Risk for a $1 Billion For-Profit Global Enterprise
It had 3,000 people and over 150 operating locations around the world.
A single internal IT group managed their network routers, email servers, and related infrastructure. Apart from this small range of centralized IT services, each of the 150 offices was responsible for its own technology. The company also used several cloud-based infrastructure providers and applications.
Here's how we measured information risk:
First, because the central IT organization was relatively small, we treated it as another separate office.
Next, we found that most of the policy controls were delegated to local office management, which designated cybersecurity roles and responsibilities among staff, for example. So, for this control set, we had one score to collect from each office.
A minority of the controls, such as management of identities, were a shared responsibility between the local staff, the centralized IT staff, and the cloud service providers. Why? Because the local management teams decided when to create user accounts and when to shut them off. The central IT team and outside service providers implemented their decisions.
But directly measuring the outside service providers was too complex and time-consuming to undertake as part of this risk management effort, so we collected scores only from the inside experts at each office.
Since the majority of the controls were managed entirely by the local offices, we created a scorecard for each office, over 150 in total.