As part of the enablor platform, I-Trust also offers risk assessment with the Risk Management tool, an option that can be purchased regardless of whether you have chosen to use the pro version of enablor or remain with the basic version. That way, it is possible to have everything collected at the same location and with the same provider. Risk Management is a tool used by management to assess the risks associated with implementing the organization’s work processes. It allows you to get an overview of outside and in-house factors that could affect the business, which may include the way in which personal data is processed. The tool helps to ensure a clearer overview of the risk through:
First, the different processes are identified, after which consistency and vulnerability are assessed and based on the risk.
enablor’s Risk Management tool records and assesses business processes and their importance to the organization. To ensure that business processes are described and assessed correctly, enablor supports a division of the organization’s processes into 3 levels:
- process area (overall area)
- business process (typically with associated processors)
- treatment process (the concrete action performed)
This structure is based on the risk assessment model originally developed and introduced by the Danish Ministry of Finance.
The tool maps the most important business processes. It is possible to describe the critical relationships with other processes and IT resources and assess their importance. You also get an overview of inherited risks in coherent processes.
The division into levels ensures that changes in the organization (new or updated processes, new systems, etc.) can be effectively recorded and inserted into the existing structure. For each treatment process, its reliance on other processes, the underlying IT resources and physical conditions, such as buildings and spaces, are mentioned.
Risk assessment: Data flow and resource registration
Data flow and resource registration is a new requirement as an effect of the EU General Data Protection Regulation (EU GDPR). If the organization wishes to be compliant with ISO 27001, the first step is to register and maintain data flow as well as make a resource registration of the systems and assets involved in data processing.
This will help with an overview of the organization and help organize a management system for information security. Data flow and resource registration is an overview of all the possible places any document can be found. Therefore, it will provide an image of potential violations of personal data security. You will be documenting the location and qualification of data in an organization’s mapping.
Impact assessment incl. DPIA
The Impact Assessment provides the basis for impact assessments for processes as well as for data and resources at events for both the registered and the business. This provides the basis for the organization to form and maintain a Data Privacy Impact Assessment (DPIA) and a Business Impact Assessment, dynamically updated as processes and systems change.
The impacts on the business, the Business Impact Assessment (BIA), and the Data Privacy Impact Assessment (DPIA) are assessed for treatment processes and impact assessment. They are inherited by both other business processes and the supporting IT assets. In connection with the review of treatment processes, the papers and files are treated with a focus on those containing personal data, and the sensitivity of the data, given its character, is identified.