Cyber Risk
The Security team's Cyber Risk service exists to create a common risk language, and clear accountabilities, for security and privacy risks and deliverables. This includes creating and enforcing security and privacy policy and standards, and providing a governance framework so that projects and teams align with best practice where applicable. The intention of our risk model is to inform on best practice, enumerate risks and their compensating controls, and let teams choose their own adventure via risk treatment. Teams, departments and communities keep their autonomy, but the Security and Privacy teams need to be stakeholders so they can inform on risks, threats, vulnerabilities, mitigations and best practice. In our risk model we are here to facilitate, assist, build partnerships, and inform — not to block.
Aspects of this service include:
Compliance
The security team helps the Foundation achieve and maintain compliance with GDPR and PCI DSS.
Data Governance
The security team provides a data protection framework that supports data management and governance. Activities to this end include:
- Data classification
- Data inventory
- Data release review
- Data protection
Policy
The security team provides a comprehensive set of security policies and procedures that create governance and repeatability for security-relevant processes, such as:
- Policy creation
- Policy management
- Policy exception
Risk Management
The security team provides a security risk management framework to identify and treat risk, and offers security risk assessment and treatment services to the Foundation. The framework covers:
- Risk identification
- Risk assessment
- Risk reporting
- Risk treatment