Prioritizing Enterprise Risks Using Data Normalization

Data normalization is taking two to three data sets, whether they’re in databases or reports, and combining them into one streamlined database. This could consist of removing duplicate entries or creating a common scale within those data sets, so that the two or three different data sets can be used together efficiently. So how does data normalization relate to enterprise risks?

With enterprise risk, we’re not just looking at cyber risks; we’re also looking at operational and regulatory risk or legal risk. So as an enterprise, you’re trying to combine all of that together and prioritize it across the enterprise. You have different business objectives, from your operations on the floor to protection for cyber security, and balancing those is what we’re looking to use data normalization for. All of the enterprise risks roll up to upper management, maybe a board or an enterprise risk manager.

Why is it difficult to prioritize remediation efforts from the outcome of multiple assessments?

Often within these multiple assessments, the assessors, whether an outside firm or an internal team, use different measures or different scales. Some of the assessments might take into account the impact to revenue. Others might take into account a high, medium, or low risk score, or use SLAs. As a result, the organization has to take the different reports and then try to prioritize them when they’re using different measures to calculate risk. It’s hard to prioritize a revenue impact over an SLA impact. So what we want to do is come up with a common scale against which we assess all the different findings across the organization.

Organizations should start by defining their business objectives and collecting what obligations they have, whether regulatory, legal, or contractual obligations, or possibly even board or investor obligations. Those business objectives and obligations are then put down into a risk criteria and risk acceptance process, which is where we develop our common scale. Then we can use that common scale as a process to evaluate all the inputs from all the different assessments.

Take all those different data sets with the different scales, and then run them through the enterprise risk management criteria that you would define knowing how that impacts your business objectives and obligations. Now you have standardized those different reports to one format, and that format is how the findings, or their risk, impact your objectives and your obligations, not what the auditors have said.

For example, consider protecting patient care versus protecting credit card numbers. The data is different, so the controls need to be prioritized differently. If your objective is to protect healthcare, then we would look at the findings from these different audits differently than we would if the objective were to protect credit card data.

Organizing and Tracking Remediation

Risk assessments often come in PDF formats, Word docs, and sometimes in PowerPoint presentations. All of these different findings must be correlated and collected into one unified format. From there, the organization must set what’s reasonable risk and come up with calculations of a sort to determine how to prioritize the risk. A simple technique for this kind of presentation is a min-max data normalization.

A min-max data normalization takes all the different variables and tries to put them in a score between zero and one. Take, for example, that there’s a risk scale between one and 25, and another assessment uses a maturity model of one to five. So for the maturity model, the minimum is one and the max is five. And for the risk scale, the minimum is one and the max is 25. With min-maxing, you’re trying to get all the findings in each one of those data sets down to a value between zero and one. It’s very simple math.
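The min-max calculation described above, as an added example (not from the original article): it rescales the 1-to-25 risk score and the 1-to-5 maturity score onto zero to one and ranks the findings from both reports together. The finding names and raw scores are constructed, and treating a higher maturity score as lower risk is an assumption the article does not state.

```python
from typing import NamedTuple


class Scale(NamedTuple):
    lo: float
    hi: float
    # Assumption: on a maturity model a HIGHER score means LOWER risk,
    # so that scale is flipped before findings are compared.
    higher_is_worse: bool = True


def min_max(value, scale):
    """Map a raw score onto [0, 1], where 1 is always the highest risk."""
    if scale.hi == scale.lo:
        raise ValueError("scale has zero width; min-max is undefined")
    if not scale.lo <= value <= scale.hi:
        raise ValueError(f"{value} is outside {scale.lo}..{scale.hi}")
    score = (value - scale.lo) / (scale.hi - scale.lo)
    return score if scale.higher_is_worse else 1.0 - score


# Scales from the text: a 1-25 risk score and a 1-5 maturity model.
SCALES = {
    "risk_assessment": Scale(1, 25),
    "maturity_review": Scale(1, 5, higher_is_worse=False),
}

# Constructed sample findings: (source report, finding, raw score).
FINDINGS = [
    ("risk_assessment", "Unpatched VPN appliance", 20),
    ("risk_assessment", "Stale firewall rules", 7),
    ("maturity_review", "Incident response plan", 2),
    ("maturity_review", "Access reviews", 5),
]


def prioritize(findings, scales):
    """Return (finding, normalized score) pairs, highest risk first."""
    scored = [(name, round(min_max(raw, scales[src]), 3))
              for src, name, raw in findings]
    return sorted(scored, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    for name, score in prioritize(FINDINGS, SCALES):
        print(f"{score:.3f}  {name}")
```

Without the direction flag, a maturity score of 5 would rank as the worst finding rather than the best, which is the most common mistake when merging maturity and risk scales.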

Another way is a manual method where you look at what you’ve defined for your likelihoods and your impact, and you assess the outputs from all these other reports. If you have a subject matter expert within your organization who could take your criteria and do a reassessment according to them, then absolutely bring them on board.
