What’s the first step in a cost-effective SOD analysis?
Perform a proper SOD assessment that actually identifies and defines every existing conflict. Then evaluate each conflict against the organization's tolerance for risk. If the potential loss is small, the CEO may choose to accept the risk, or he or she may be satisfied that an existing control already mitigates it. Having that knowledge lets the CEO make a cost/benefit decision on each issue. The best assessments are customized, but to save money and resources, start with an industry template and adapt it by actually performing walk-throughs of each activity. Not every issue carries the same risk, so mitigating controls can be concentrated on the higher-risk areas.

What is the next step?
To truly assess the risk, review what each employee can actually access, not just his or her job description. A good analysis covers everything an employee can reach, physically or via technology, including entitlements granted outside the formal role. Assume that if an employee is able to access a function or asset, it will be accessed. This is especially important in organizations with
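The effective-access review described above, as an added example that is not from the original article: a small Python check that computes each user's effective entitlements (role entitlements plus any direct grants), tests them against a toxic-combination list with a risk rating, and marks conflicts that have a documented mitigating control as accepted rather than open. All users, roles, entitlements, toxic pairs and controls are constructed for illustration; a real run would read the same data from an IdP or ERP entitlement export.

```python
"""Effective-access SOD check: flag toxic entitlement combinations per user.

Added example, not code from the original article. Every role, entitlement,
user and mitigating control below is constructed sample data.
"""

# Constructed sample: entitlements that each formal role confers.
ROLE_ENTITLEMENTS = {
    "ap_clerk":      {"vendor.create", "invoice.enter"},
    "ap_manager":    {"payment.approve", "invoice.enter"},
    "gl_accountant": {"journal.enter"},
    "controller":    {"journal.post", "payment.approve"},
    "helpdesk":      {"user.create"},
    "it_manager":    {"access.approve"},
}

# Constructed sample: each user's formal role(s) plus direct grants that exist
# outside the role model (legacy, "temporary", left over from a previous job).
USERS = {
    "alice": {"roles": {"ap_clerk"},                    "direct": {"payment.approve"}},
    "bob":   {"roles": {"gl_accountant"},               "direct": set()},
    "carol": {"roles": {"helpdesk", "it_manager"},      "direct": set()},
    "dave":  {"roles": {"gl_accountant", "controller"}, "direct": set()},
}

# Toxic combinations (unordered pairs of entitlements) with a risk rating.
TOXIC = {
    frozenset({"vendor.create", "payment.approve"}): "high",
    frozenset({"invoice.enter", "payment.approve"}): "medium",
    frozenset({"journal.enter", "journal.post"}):    "high",
    frozenset({"user.create", "access.approve"}):    "high",
}

# Documented, verified mitigating controls under which a conflict is accepted.
MITIGATED = {
    ("dave", frozenset({"journal.enter", "journal.post"})): "monthly journal review by internal audit",
}


def role_only_access(user: str) -> set[str]:
    """What a job-description review sees: entitlements of the formal roles only."""
    ents: set[str] = set()
    for role in USERS[user]["roles"]:
        ents |= ROLE_ENTITLEMENTS[role]
    return ents


def effective_access(user: str) -> set[str]:
    """Everything the user can actually do: role entitlements plus direct grants."""
    return role_only_access(user) | set(USERS[user]["direct"])


def find_conflicts(access_fn=effective_access) -> list[dict]:
    """One finding per (user, toxic pair) fully contained in the user's access."""
    findings = []
    for user in sorted(USERS):
        ents = access_fn(user)
        for pair, risk in TOXIC.items():
            if pair <= ents:
                control = MITIGATED.get((user, pair))
                findings.append({
                    "user": user,
                    "pair": tuple(sorted(pair)),
                    "risk": risk,
                    "status": "accepted" if control else "open",
                    "control": control,
                })
    return findings


def open_high_risk(findings: list[dict]) -> list[dict]:
    """Conflicts that still need a decision: open and rated high."""
    return [f for f in findings if f["status"] == "open" and f["risk"] == "high"]


if __name__ == "__main__":
    print("Role-only view (job descriptions):")
    for f in find_conflicts(role_only_access):
        print(f"  {f['user']:6} {f['pair']}  {f['risk']:6} {f['status']}")
    print("Effective-access view:")
    for f in find_conflicts():
        print(f"  {f['user']:6} {f['pair']}  {f['risk']:6} {f['status']}  {f['control'] or ''}")
```

Running the two passes side by side shows why the article insists on effective access: the role-only pass reports only carol and dave, while the effective-access pass also reports alice, whose ability to approve payments comes from a direct grant that no job description mentions. Dave's conflict is real but is listed as accepted because a documented control covers it, which is the cost/benefit decision the text describes.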