Risk Management is a tool for action that assesses the risks associated with implementing the organization's work processes. The risk assessment tool helps to ensure a clearer identification, creation and description of the risk picture, which makes the information much easier to maintain.
Process description in Risk Management
In Risk Management in enablor, business processes and their importance to the organization are recorded and assessed. To ensure that business processes are described and assessed correctly, enablor supports a division of the organization's processes into 3 levels:
- Process area (overall area)
- Business process (typically with associated processors)
- Treatment process (the concrete action being performed).
This structure is based on the risk assessment model originally developed and introduced by the Danish Ministry of Finance.
Division into levels ensures that any organizational change (new/updated processes, new systems, etc.) can be recorded effectively and inserted into the existing structure.
For each treatment process, its dependence on other processes, on the underlying IT resources and on physical conditions, such as buildings and rooms, is recorded.
The Business Impact Assessment (BIA) and the Data Privacy Impact Assessment (DPIA) are assessed at the level of the treatment process, and the resulting impact ratings are inherited by the other business processes that depend on it and by the supporting IT assets.
In connection with the review of treatment processes, the documents and files that are processed are identified, with focus on those containing personal data, and classified according to the sensitivity of the data.
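The three-level structure and the upward inheritance of impact ratings described above can be made concrete with a small model. The following is an added example, not enablor's code or data model: the 1 to 4 rating scale, the process names, the IT resources and the ratings are all constructed. It shows how a treatment process that supports a more critical one inherits that process's rating, how IT resources and facilities inherit the highest rating of the processes that use them, and how ratings roll up to business processes and process areas.

```python
"""Three-level process model with upward inheritance of BIA/DPIA ratings.

Added illustration; not enablor's implementation. Ratings use an assumed
1..4 scale (1 = negligible, 4 = critical). All sample data is constructed.
"""
from dataclasses import dataclass, field

RATINGS = ("bia", "dpia")  # business impact, privacy impact


@dataclass
class TreatmentProcess:
    """Level 3: the concrete action being performed."""
    name: str
    bia: int
    dpia: int
    depends_on: list = field(default_factory=list)    # names of other treatment processes
    it_resources: list = field(default_factory=list)  # supporting IT assets
    facilities: list = field(default_factory=list)    # buildings, rooms, data centres


@dataclass
class BusinessProcess:
    """Level 2: groups the treatment processes (by name) that make it up."""
    name: str
    treatments: list


@dataclass
class ProcessArea:
    """Level 1: the overall area."""
    name: str
    business_processes: list


def effective_ratings(tps, attr):
    """Return {treatment process name: effective rating} for one rating attribute.

    A process inherits the rating of every process that depends on it, directly or
    transitively: if a critical process depends on you, you are critical too.
    An unregistered dependency raises KeyError (a registration gap); a dependency
    cycle raises ValueError rather than looping forever.
    """
    by_name = {tp.name: tp for tp in tps}
    dependents = {name: [] for name in by_name}
    for tp in tps:
        for dep in tp.depends_on:
            dependents[dep].append(tp.name)

    result = {}

    def visit(name, path):
        if name in result:
            return result[name]
        if name in path:
            raise ValueError(f"dependency cycle involving {name!r}")
        own = getattr(by_name[name], attr)
        inherited = [visit(d, path | {name}) for d in dependents[name]]
        result[name] = max([own, *inherited])
        return result[name]

    for name in by_name:
        visit(name, frozenset())
    return result


def assess(tps, areas):
    """Compute effective ratings for processes, assets, business processes and areas."""
    out = {"processes": {}, "assets": {}, "business_processes": {}, "areas": {}}
    for attr in RATINGS:
        eff = effective_ratings(tps, attr)
        for tp in tps:
            out["processes"].setdefault(tp.name, {})[attr] = eff[tp.name]
            # An IT resource or facility inherits the highest rating of the processes using it.
            for asset in tp.it_resources + tp.facilities:
                entry = out["assets"].setdefault(asset, {})
                entry[attr] = max(entry.get(attr, 0), eff[tp.name])
        for area in areas:
            for bp in area.business_processes:
                out["business_processes"].setdefault(bp.name, {})[attr] = max(
                    eff[t] for t in bp.treatments)
            out["areas"].setdefault(area.name, {})[attr] = max(
                out["business_processes"][bp.name][attr] for bp in area.business_processes)
    return out


# Constructed sample data: payroll (business-critical) depends on employee master data.
TPS = [
    TreatmentProcess("Maintain employee master data", bia=2, dpia=3,
                     it_resources=["HR system"], facilities=["Data centre A"]),
    TreatmentProcess("Run monthly payroll", bia=4, dpia=3,
                     depends_on=["Maintain employee master data"],
                     it_resources=["ERP system"], facilities=["Data centre A"]),
    TreatmentProcess("Receive job applications", bia=1, dpia=4,
                     it_resources=["Recruitment portal"]),
]
AREAS = [
    ProcessArea("HR", [BusinessProcess("Employee administration", ["Maintain employee master data"]),
                       BusinessProcess("Recruitment", ["Receive job applications"])]),
    ProcessArea("Finance", [BusinessProcess("Payroll", ["Run monthly payroll"])]),
]

if __name__ == "__main__":
    for level, entries in assess(TPS, AREAS).items():
        print(level)
        for name, ratings in entries.items():
            print(f"  {name}: {ratings}")
```

In the sample, "Maintain employee master data" is rated BIA 2 on its own but becomes BIA 4 because payroll depends on it, and the HR system and Data centre A inherit that rating; the Recruitment portal keeps BIA 1 but carries the DPIA 4 of the applications it stores. Adding a new system or process is a matter of registering one more object, after which the inherited ratings are recomputed rather than maintained by hand.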
Data flow and resource registration
Data flow and resource registration is a new requirement arising from the EU General Data Protection Regulation (EU GDPR). Impact assessments are required in the case of a systematic and comprehensive evaluation of personal aspects of natural persons, processing on a large scale of special categories of personal data or of data relating to criminal convictions and offences, or systematic monitoring of a publicly accessible area on a large scale.
If the organization wishes to be ISO 27001-compliant, the first step is to register and maintain the data flows and to carry out a resource registration of the systems and archives involved in data processing. This helps to provide an overview of the organization and structures the information security management system.
Data flow and resource registration gives an overview of all the possible places a document can be found and therefore provides a picture of where personal data security could potentially be breached. The location and classification of data are documented in a map of the organization.
The impact assessment provides the basis for impact assessments of processes as well as of data and resources. It covers the consequences of events both for the data subjects and for the business. This gives the organization the basis for forming and maintaining a Data Privacy Impact Assessment (DPIA) and a Business Impact Assessment (BIA), which are updated dynamically as processes and systems change.