“Virtually every organization will tell you they do more controls management than risk management,” says Marta Palanques, Director of Risk Methodologies, Technology Risk Management, at Capital One. With cybersecurity controls often numbering in the hundreds, even thousands, at large organizations, just inventorying the controls stack is a consuming, if necessary, project.
In this webinar, Marta gives an extensive list of tips on how to manage a controls inventory for maximum value and minimum stress. Watch "Getting Your Money's Worth - Putting Your Controls Inventory to Work" with Marta Palanques now. A FAIR Institute Contributing Membership is required; learn more about membership.
Some key points from the webinar on an inventory of controls:
- How to determine the optimal size of your inventory, considering cost and complexity
- How to set a measurable goal for every control, to run a program based on value for risk reduction
- How to set your level of effort, ranging from once-a-year manual checks to continuous monitoring
- How to create a low-effort assessment of the organization’s risk-management maturity, using a controls inventory, gap analysis with one of the standard frameworks, and controls testing
- How to batch controls according to risk scenarios and simplify attribute descriptions to make a large inventory more manageable
From the webinar:
“A long list of controls is really only complicating what you do in terms of measuring risk,” Marta says. But “controls inventory is not going to disappear so you might as well use it as best you can.”