CS-2024 The Risk Management Hydra and why you need multiple assessments

Presented at Texas Cyber Summit 2019, Oct. 12, 2019, 1 p.m. (60 minutes)

A risk assessment is a risk assessment is a risk assessment, right? Except that that isn’t really true at all. Organizations face a wide variety of risks every day, and even the most comprehensive risk assessments still typically only address one or more specific type(s) of risk - cyber risk, privacy risk, market risk, customer risk, enterprise risk, etc. This is exactly why it’s crucial for great risk management programs to address all these different components appropriately. Two examples include the business impact analysis (BIA) that guides business continuity planning and disaster recovery (BCP/DR) plan creation efforts, and the data protection impact assessment (DPIA) required for certain types of data processing activities under Article 35 of Regulation (EU) 2016/679 (General Data Protection Regulation [GDPR]). This talk will walk the audience through the Business Impact Analysis Worksheet published by the Federal Emergency Management Agency (FEMA) and the Sample DPIA Template published by the Information Commissioner’s Office, the independent supervisory authority of the United Kingdom (which will still technically be a European Union member state at the time of this Summit). By taking this hands-on approach, the different information, thought processes, and goals of these two very different types of risk assessment will clearly demonstrate why a great risk management program must evaluate risk from a diverse set of directions.

**Notes:** It can be difficult for IT departments to get the funding and executive support they need to properly address information security and compliance concerns, especially when so many interventions may sound similar. By combining my previous experience as an instructor while working on my PhD in criminal justice (in progress) at Temple University with the knowledge I have about these frameworks from my current position, I can walk people through these templates in a way that is simple but still nuanced, easy to understand, and can be brought back to their leadership to justify the resources required to build out a comprehensive risk management program that is appropriately suited to their organization’s needs. I’m a compliance consultant who designs many of the in-house tools used for Red Lion’s gap assessments with a variety of frameworks (e.g., HIPAA, NIST Cybersecurity Framework, NIST SP 800-171, GDPR, CCPA, PCI DSS). My role is to act as clients’ translator between the “legalese,” audit protocols, and technical controls and plain English explanations of where their program is, where they want it to be, and how to get there.

Presenters:

  • Chelsey Donohoe - Red Lion LLC
    Chelsey Donohoe is a social scientist-turned-compliance consultant who can translate complicated texts (e.g., academic sources, legal texts and regulations, and technical controls and frameworks) into practical, understandable, and actionable results that are easily communicated to different audiences. She works diligently every day to find tailor-made solutions for clients’ information security and compliance needs across a variety of industries. The “teacher” in her always strives to provide the most accurate and comprehensive information available at every step along the way, breaking everything down into manageable bite-size pieces.