I recently had a conversation with clients around a risk analysis they conducted and noticed as they walked me through it that they seemed to get hung up on the terms “inherent risk” and “residual risk” and the inherent risk definition for that particular scenario.
Despite the increased focus and attention on data privacy triggered by GDPR that went into effect in May 2018, studies have shown that organizations still have some strides to make in order to be fully in compliance with the mandate. In fact, a recent survey by Varonis reported that many organizations continue to accumulate data that no longer needs to be retained, despite GDPR’s right-to-be forgotten clause.
I’ve heard critics of quantitative risk analysis challenge the approach, stating that it is “too difficult”, “time consuming” or that their organization is “simply not mature enough for quantification.” In my experience, a majority of such arguments can be addressed by revisiting a few fundamental FAIR concepts.
In a previous blog post, I wrote about how the FAIR quantitative risk model can be used to meet various regulatory and compliance requirements (specifically those that indicate the need for a formal risk assessment).
I recently attended the SIRACon conference in Seattle where I had the privilege to hear leaders from prestigious companies speak about their experience using quantitative analysis of cyber risks. One of the presentations that stood out related to sources of error and bias in survey results.
For Better Risk Assessments in SSAE 18 Audits, Try Quantification with FAIR
One of my final initiatives prior to leaving public accounting and entering my new role in risk management was helping organizations prepare for the changes introduced by AICPA in the SSAE 18 audit standard, which went into effect in May 2017.
As the final months approach before the EU's General Data Protection Regulation (GDPR) goes into effect in May, 2018, organizations are making significant investments to ensure they are prepared for the changes to come, particularly the strict rules on handling consumers’ personally identifiable information (PII).