
Steps of a Cyber Assessment

Step 1: Initiate

The primary goal of this step is to engage the Cyber Security GRC team to initiate a risk assessment on behalf of your business needs.

a)  The business needs to identify whether this is an assessment of the third-party vendor’s security posture, an assessment of the vendor’s technology solution, or both.

b)  To initiate the risk assessment process, the business representative fills out a Business Context Form.

c)  For a more accurate third-party vendor assessment, the business should obtain attested evidence of the vendor’s Information Security Management System (ISMS) from the vendor and provide it to the GRC team. This evidence should consist of the following artefacts:

  • Independently audited reports, certifications and assessments (e.g. SOC 2 Type 2, ISO/IEC 27001:2022, ACSC IRAP, CSA STAR Level 2, etc.)
  • A vendor-completed HECVAT Lite questionnaire (download here) and any other completed cyber security questionnaires
  • Internal policies demonstrating the vendor’s ISMS and risk management programs
  • Any other assessments or artefacts demonstrating evidence of a functioning ISMS
  • In some cases, access to a vendor security portal containing all of their security documentation


Step 2: Conduct

In step two, the Cyber Security GRC team conducts a risk assessment based on the goals and needs of the business. Throughout this step, the GRC team consults with the business and additional stakeholders to refine the risk assessment.

  • Upon receipt of the Business Context Form and, where appropriate, third-party security artefacts, the Cyber Security GRC team will begin conducting the assessment.
  • The GRC team may contact or arrange a meeting with the business to clarify scope, data classification or other points.
  • The GRC team will prepare a document to be distributed to the business for review. This may include a summary of the vendor and/or solution, its third-party security posture, identified risks with ratings, and a proposed strategy for risk treatment.
  • Once an initial draft has been developed, the GRC team will distribute the document to the people in the business identified as stakeholders or control owners for review.
  • The business will have the opportunity to validate findings, give feedback, recommend improvements, clarify responsibilities and increase overall transparency around the risk management process.
  • The GRC team will update the risk assessment document, reflecting these consultations.


Step 3: Treat

At this stage the updated draft is submitted for formal review by the business, and the agreed risk treatment strategy is implemented.

  • After consultation, the GRC team will submit the assessment via an Appian form for review, feedback and a decision from the business risk owner and the appropriate Cyber Security GRC leadership.
  • Once endorsement is received, all stakeholders are emailed a copy of the finalised risk assessment documentation.
  • Identified risks will be tracked in the cyber risk register for risk reporting and control testing.