Need help taking effective measures?
Taking effective measures is a permanent concern for management. From an innovation perspective, a company wants to stay ahead of the competition; from a cost-control perspective, it wants overview and insight into the general controls of the IT cloud platform and the application controls of the applications that are put into business use.
The legislator encourages management to organise its business activities effectively, with business processes in which control measures are built in "by design" so that (personal) data is effectively protected. Protecting data means that the data remains reliable (its integrity is preserved), confidential and available. This also allows management to take responsibility for ensuring that the data is effectively protected.
What is our approach?
The nature and scope of the business activities, and the way they are currently organised in business processes and supporting IT, provide the context for identifying and assessing the effectiveness of the control measures. After discussing the findings with employees and with the suppliers of the supporting IT systems, we advise on how the control measures aimed at protecting data can be organised more effectively. Depending on the business situation, we distinguish the following steps:
Step 1: The context describes the existing business situation and the relevant legislation, and gives direction to what is necessary and what is possible. Overview and insight into the business activities set the expectations for the business processes in which control measures are included. With the help of the company compliance function, a picture is formed of the effectiveness of the management and security measures already taken.
Step 2: Department management and employees are valuable sources of information for estimating the effectiveness of the business processes and the control measures included in them. By listening seriously to these employees we not only gain a source of information, we also prepare them for any changes in the organisation of the company's activities. A prerequisite for unlocking this source is that the employees' knowledge is brought to the required level. We use targeted awareness and training programmes for this.
Step 3: The technical information infrastructure is the business platform on which management organises the business activities. More and more companies build and manage their business platforms on popular cloud platforms such as MS Azure, Google Cloud and Amazon Web Services. These platforms, which are data-driven in principle, offer a range of control measures that can be configured simply, cost-efficiently and effectively. Note that the platform only supplies these controls; switching them on, configuring them correctly and monitoring them remains the responsibility of the company itself.
Step 4: On the business platform, the company organises its business activities using business processes that include control measures. The process models, which give overview and insight into the business processes and the roles with their tasks, powers and responsibilities, provide an integrated picture of the access rules for data. From this picture we derive the control measures we can expect to find in the applications.
Step 5: IT applications support the process models. Sometimes these are generic functions, such as administration or human resources, that are supported by generic applications. There are also primary business functions that are supported by applications developed in-house or by IT vendors on the basis of functional and non-functional specifications.
Step 6: The non-functional specifications in particular indicate which agreements have been made about security and control measures. The project documentation and the compliance findings indicate to what extent the control measures are actually effective.
Step 7: In the previous steps we have already drawn on the findings of the company compliance function. Working together with this function provides a good picture of the appropriateness and effectiveness of the control measures taken.
Step 8: The report usually consists of a report of findings, advice in which scenarios are worked out, an outline plan of action and a business case. The report is drawn up in collaboration with the relevant department management and employees. This keeps the report realistic, and there is usually sufficient support for realising the recommendations.
Every business organisation is different and requires a tailored approach.
Sometimes management needs confirmation that the management and security measures are adequate. If that confirmation is not forthcoming, management wants insight into which management and security measures still need to be taken and how to take them responsibly. A good conversation can be enough to allay the uncertainty.
Submit your question to our experts
Questions about our services? Feel free to contact us; we are happy to help.