IT Governance & Cybersecurity Risk Assessment
Leading Contractor among the top 25 in Europe in the construction sector
The Client requested Macfin's support to detect and represent its IT and cybersecurity risk profile according to a methodology and risk taxonomy that could be effectively shared between control functions, the IT area and the key process owners operating in the headquarters, foreign offices and production sites.
Goals
Assess
based on qualitative-quantitative metrics, the absolute exposure, the level of controls and the residual exposure for each risk in the scope, in order to define an audit program based on the actual risk profile
Evaluate
the adequacy of the Organizational and Control Model ex Legislative Decree 231/2001 to prevent cybercrime and copyright violations
Implement a risk taxonomy
in line with the characteristics of the organization, effectively shareable and, at the same time, consistent with the COBIT framework
Activity
Definition of a custom taxonomy
including about 35 risks and related controls (IT governance, operations, cybersecurity) and its mapping onto the COBIT standard classification, which consists of about 110 risks and 210 controls
Mapping of the Business application systems
primary, secondary and general-purpose systems for each business area (about 60 centrally managed systems, in addition to those operating locally in the main foreign offices). The mapping was used as context information in the risk assessment with the process owners.
Risk assessment
with reference to 12 main process owners in different areas (bids, production, AFC, HR, acquisition, IT, etc.) and to the main foreign offices. The activity was carried out in self-assessment mode, using a tool to share the results with the process owners during the interview.
Mapping of cybercrime and copyright violation risks
within the identified IT risks, and evaluation of their adequacy against the provisions of the Organizational and Control Model ex Legislative Decree 231/2001
Results
Cross-dissemination of risk culture
and IT control in different areas of the organization, overcoming the typical separation between technology and business risks
Definition of an IT risk report shared at all levels
of the organization and immediately readable, by contextualizing IT risk within the business operational processes
Identification of an IT risk assessment methodology
that is repeatable and traceable according to defined criteria and processes, thanks to knowledge transfer to the control functions and to references to the COBIT IT governance standard