
6 Criteria for Choosing Risk Management Software


How many risk assessments will you or your team complete this year? For many larger organizations, the sheer number of risk assessments has grown continuously over the past several years. Several factors drive this trend:

  • More external regulations and compliance frameworks (PCI, FISMA, ISO 27002, etc.)
  • More frequent reviews by stakeholders (SOX auditors, information suppliers, etc.)
  • More in-depth reviews in all cases
  • Other factors

What could make this trend abate?  Don’t hold your breath.  While large organizations are bearing a significant burden, small organizations are faced with an even more daunting challenge around risk assessments: though there may be fewer assessments to complete, a much greater share of resources available must be deployed to complete them.  Often, small organizations must hire someone to assist them in completing risk assessments because the generalist skills needed to grasp the scope of a typical risk assessment are simply not available in a small organization’s staff.

Given that risk assessments are not going away and there are likely to be more of them in the future, the effort we spend to manage the cost of coping with them becomes a high-payoff activity. One of the very best ways to get the time and drudgery of multiple risk assessments under control (not to mention actually improving the quality and usefulness of the results) is to acquire risk management software and use it as a central tool across multiple risk assessment needs.

6 Criteria for Choosing Risk Management Software

Word processing tools make filling out next year’s questionnaire easy.  But this does not address the hardest parts of the job.  Risk management software tools (or services, depending on which form you choose) should enable better management of the fundamentals your team works with every day: deployment of controls and risk mitigation.  You should expect several critical functions to be present, including:

  1. Most importantly, use of the tool should save significant time over multiple risk assessments over multiple cycles. It should require half the time at most in the second year to complete the same assessments with more completeness and precision; a savings of 90% or more by the 4th cycle may be possible.
  2. The risk management tool should enable multiple views against the same installation. If you complete a PCI audit, a SOX audit and a HIPAA review, all of them look at many of the same control factors. Your tool should make answering "ditto" easy.
  3. You should be able to use the tool to answer the question: what single improvement will bring about the biggest increase in overall protection?
  4. The inventory of your IT infrastructure should be represented within the tool in a recognizable form. So if the new subsidiary in Boise has some control issues to solve, its results should still be combinable within the overall picture without sacrificing the ability to track it directly.
  5. The tool should act as a repository for support and test documentation organized against your control answers, so that if you win the lotto, the poor schmuck who inherits the task will have something to start with and build on.
  6. The tool should be easily updated for new versions (PCI 3.0 anyone?) or newly enacted regulations (e.g., Massachusetts and Nevada) on a snap-in basis. Snap the new version in and presto, your already-in-place answers are viewed against the new law.
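To make criteria 2, 3 and 6 concrete, here is a small added example (not Evantix's product or any code from the original post). It keeps one set of control answers, exposes a separate "view" of those answers for each framework through a crosswalk, ranks the single unmet control that would satisfy the most requirements across all views, and shows a new framework version being snapped in so the existing answers are re-evaluated against it. The control names, framework labels and requirement keys are constructed placeholders, not real requirement numbers.

```python
"""Minimal control crosswalk: one answer set, many framework views."""

# Constructed sample: the organization's single set of control answers.
CONTROLS = {
    "encrypt_data_at_rest": False,
    "mfa_for_admins": True,
    "quarterly_access_review": False,
    "vendor_contract_security_clause": True,
    "log_retention_1y": False,
}

# Constructed crosswalk: framework -> requirement label -> controls that satisfy it.
# Labels are illustrative, not real PCI/SOX/HIPAA section numbers.
FRAMEWORK_VIEWS = {
    "PCI": {
        "encryption": ["encrypt_data_at_rest"],
        "auth": ["mfa_for_admins"],
        "access_review": ["quarterly_access_review"],
        "logging": ["log_retention_1y"],
    },
    "SOX": {
        "access": ["mfa_for_admins", "quarterly_access_review"],
        "logging": ["log_retention_1y"],
    },
    "HIPAA": {
        "access": ["mfa_for_admins", "quarterly_access_review"],
        "transmission": ["encrypt_data_at_rest"],
    },
}


def view(framework, answers, views=FRAMEWORK_VIEWS):
    """Criterion 2: one framework's requirement status, derived from the shared answers."""
    return {
        req: all(answers.get(ctrl, False) for ctrl in ctrls)
        for req, ctrls in views[framework].items()
    }


def coverage(answers, views=FRAMEWORK_VIEWS):
    """Count satisfied requirements across every framework view."""
    return sum(sum(view(fw, answers, views).values()) for fw in views)


def best_single_improvement(answers, views=FRAMEWORK_VIEWS):
    """Criterion 3: the one unmet control whose completion raises coverage the most.

    Returns (control_name, gain). Ties resolve to the alphabetically first control.
    """
    base = coverage(answers, views)
    best, best_gain = None, 0
    for ctrl, done in sorted(answers.items()):
        if done:
            continue
        trial = dict(answers, **{ctrl: True})  # what-if: this one control is completed
        gain = coverage(trial, views) - base
        if gain > best_gain:
            best, best_gain = ctrl, gain
    return best, best_gain


def snap_in_version(views, framework, new_requirements):
    """Criterion 6: replace one framework's mapping; existing answers re-evaluate unchanged."""
    updated = dict(views)
    updated[framework] = new_requirements
    return updated


if __name__ == "__main__":
    for fw in FRAMEWORK_VIEWS:
        print(fw, view(fw, CONTROLS))
    print("best single improvement:", best_single_improvement(CONTROLS))
    # Constructed "next version" of PCI adding a requirement that needs two controls.
    pci_next = dict(FRAMEWORK_VIEWS["PCI"],
                    key_management=["encrypt_data_at_rest", "mfa_for_admins"])
    print("PCI next:", view("PCI", CONTROLS, snap_in_version(FRAMEWORK_VIEWS, "PCI", pci_next)))
```

The crosswalk is the whole trick: answers are recorded once against controls, and each framework is just a projection of those answers, so "ditto" costs nothing. The what-if loop in `best_single_improvement` is deliberately brute force (one trial per unmet control), which is fine at the scale of a control inventory and keeps the ranking explainable to an auditor.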

Ask yourself if you are getting even two of these benefits with your current approach. Now think about your suppliers. You know, the ones you've been sending those very same questionnaires to? Do you think you might get better terms from them if you could significantly reduce their compliance management burden? Now pass it forward.

Photo credit: adesigna

About the Author: James M. Anderson is President of Professional Assurance, LLC, an advanced enterprise security consultancy.  Over his 30-year career, he has served as Vice President, Global Information Security Services for Visa, head of the information security unit of Morgan Stanley and as Director of Security and Information Services at Lexis-Nexis, Inc.  He holds the CISSP, CISM and CGEIT certifications.  You can follow his writing on the Evantix blog or connect with him on LinkedIn.
