Technology Risk Management Services Offered

● Project Scope/Goals & Objectives Statement
● Directory of Stakeholders
● Key Deliverables/Achievements
● Work breakdown structure - identifying phases, key milestones
● Timeline
● Budget
● Risks/Issues management plan
● Communication Plan - Stakeholder interactions, reviews, reporting
● Quality Standards or Plan
● Assumptions / Constraints

01 Planning & Alignment

Risk Cypher will support the development of the Technology Risk Management Program implementation project schedule, identifying key milestones, stakeholders, and communication frequencies as needed and directed by the client.

● Obtain alignment on IT Governance Structure
● Develop a RACI chart for program development across 1st / 2nd Line of Defense
● Design and establish a review and challenge program (process, procedures, template, observation tracking) to facilitate effective 2LOD ERM review

02 TRM Framework: Strategy and Governance

Risk Cypher will support the development of a TRM Framework that will outline the program's strategic objectives and governance model.

Policy
●Information Technology Service Management
●Information Security Management
●Technology Risk Management

Standards
●Risk & Control Testing Standards (ToD/ToE)
●Third-Party Risk Management
●Training & Awareness
●Logical Access Management
●Technology Asset Management
●Incident & Problem Management
●Data Security (Classification, Handling, DLP)
● Etc.

03 Policies, Procedures, and Standards

Risk Cypher will support the re-design, enhancements, and development of core governance documentation as needed and directed by the client.

Development of a single source of reference for policies, procedures, and standards that are in dispersed locations (targeted in a GRC Module)

Support in the development of standardized Management Control Program documentation and associated documentation for identified ISP domains

04 ISP Program Management

Risk Cypher will support developing and enhancing an Information Security Program and implementing related management control programs as needed and directed by the client.

● Performance of a gap analysis on existing risks and controls to relevant organizational and regulatory frameworks (NIST CSF / 500-83, GLBA, NIST RMF)
● Development and communication of a consolidated and consistent controls library
● Development of a Controls Library to be imported within a module of the target GRC platform
● Develop a control testing program (ToD, ToE) as aligned with the ongoing IT RCSA program
● Develop centralized control effectiveness reporting program (including procedure) as aligned with the overall IT Risk & Security Reporting program

05 Controls Management

Risk Cypher will support the development of an integrated Technology Controls Management program as needed and directed by the client.

● Development of a Risk Assessment Standard, procedures, and guidelines which cover risk identification, risk analysis, risk ranking, treatment, remediation, and acceptance
● Enhance and define requirements around Risk Appetite, Risk Aggregation, Risk Concentration, Risk Limits, and Risk Limit Breaches
● Creation of an enterprise-wide IT Risk assessment calendar

06 Risk Assessment

Risk Cypher will support the enhancement of the risk assessment program as needed and directed by the client.

Develop Issues Management Standard, procedures, and guidelines which covers risk identification, risk analysis, risk ranking, treatment, remediation, and acceptance

07 Risk Identification / Issues Management

Risk Cypher will support the enhancement and formalization of the risk identification and issues management program as needed and directed by the client.

● Define, develop, and communicate a calendar of quality assurance activities
● Develop, implement, and monitor a process to measure compliance with CNB’s established policies, standards, and controls
● Conduct testing and quality assurance activities as defined by the QA calendar

08 Risk Oversight & Program Quality Assurance

Risk Cypher will support the development of CNB risk oversight and program quality assurance activities as needed and directed by the client.

● Enhance the current IT & Security and Risk Reporting Program and develop future state program elements (Procedures, templates, methodology)
● Identify new reporting requirements and target state metric goals for key process owners
● Propose and Integrate Key Risk Indicators for adequate risk coverage and support by regulatory expectations and industry standards

09 Risk & Security Reporting

Risk Cypher will support the development of an IT Risk & Security Monitoring and Reporting program as needed and directed by the client.

● Development of a Vendor Risk / Third-Party Risk Management Standard
● Identify new Vendor Risk / Third-Party Risk Management requirements and target state metric goals for key process owners

10 Vendor / Third-Party Risk Management

Risk Cypher will support the development of a Vendor Risk / Third-Party Risk Management program as needed and directed by the

● Support completion of platform functionality and costing analysis (lead by GRC / ERM)
● Support in gathering business requirements for desired GRC platform process implementation
● Support in the development of a project plan/schedule for GRC platform development
● Integration of TRM teams (1st and 2nd line of defense) with enterprise GRC platform implementation objectives and project lifecycle
● Provide design and enterprise solution architectural support
● Lead implementation efforts for identified key GRC processes (if additional platform/tools selected)
● Reconfigure GRC tool(s) to incorporate TRM framework components (if an existing tool is selected)
● Enhance process automation through the design of integrated program workflows

11 GRC / IRM Platform Implementation / Configuration

Risk Cypher will implement their GRC platform of choice (as needed) and directed by the client.