
US-12626207-B2 - System and method for integrating a data risk management engine and an intelligent graph platform


Abstract

The invention relates to computer-implemented systems and methods for data risk management that provides traceability across governing artifacts which is key to driving effective data risk management and achieving compliance to policy, standards and controls. An embodiment of the present invention is directed to a standardized data risk taxonomy, harmonized classification schema, policy and standard hierarchy, control catalog and standard of care. These components facilitate an alignment to a full information lifecycle with a common definition of data risk, traceability across governing artifacts (e.g., obligations, policies, standards, risks, controls, etc.) and standardized catalogs with defined treatment across harmonized classification of assets.

Inventors

  • Joao Pedro Seixas CALADO
  • Osman Santos Figueroa
  • Michael James Henzey
  • Ranjan Vivek Mannige

Assignees

  • KPMG LLP

Dates

Publication Date: 2026-05-12
Application Date: 2022-08-29

Claims (20)

  1. A computer-implemented system for data risk management, the system comprising: an interface coupled to a client environment; a graph database that stores and manages a variety of data, wherein the variety of data comprises one or more of the following data types: at least one obligation represented by at least a portion of an entire law or regulation; at least one industry best practice represented by at least a portion of an entire industry best practice document; at least one mandate represented by one or more individual requirements identified from the at least one obligation and the at least one industry best practice; at least one policy represented by one or more documents within an organization that establishes one or more high-level operational requirements; at least one policy statement represented by one or more individual requirements identified from one or more policies; at least one standard represented by one or more documents subservient to a parent policy within an organization that contains more detailed requirements than its parent policy; at least one standard statement represented by one or more individual requirements identified from the at least one standard; at least one risk represented by one or more risk statements that identify and describe a particular potential manifestation of a threat and its impact upon an organization; at least one control objective represented by one or more control statements describing activities that must be conducted in order to mitigate risk and/or to satisfy one or more mandates wherein one or more control objectives are derived from the one or more control statements; at least one control represented by documentation of activities that are performed to mitigate risk and/or to satisfy one or more mandates; at least one asset represented by things of value within an organization that require governance, protection and management; at least one key control indicator represented by a numerical measure of performance of one or more controls; a set of sensitivity classification tiers represented by a series of sensitivity labels that are associated with one or more control objectives indicating that at least one control objective applies to an identified sensitivity tier; and a set of criticality classification tiers represented by a series of criticality labels that are associated with one or more control objectives indicating that at least one control objective applies to an identified criticality tier; an intelligent graph platform coupled to the graph database, the intelligent graph platform representing how data is structured through a plurality of connected relationships; and a data risk management engine comprising a computer processor and coupled to the interface and the intelligent graph platform, the data risk management engine configured to perform the steps of: receiving a query that identifies a dataset based upon one or more pre-configured rules; responsive to the query, identifying and displaying a curated dataset based upon an entered sensitivity classification tier wherein a first population of control objectives that have previously been associated with the entered sensitivity tier are collated; identifying and displaying another curated dataset based upon an entered criticality classification tier wherein a second population of control objectives that have previously been associated with the entered criticality classification tier are collated; responsive to the query for sensitivity and criticality tier, (1) identifying at least one gap in one or more sensitivity controls comprising encryption and access control and (2) producing a set of expected control objectives for data commensurate with the identified sensitivity tier and identified criticality tier, and in light of the identified at least one gap; generating a graphical representation illustrating a first set of relationships between one or more of: the control objectives, the policies, the policy statements, the standards, the standard statements, the mandates, the obligations, and the industry best practices; modeling a plurality of relationships between components comprising the control objectives and information from the client environment; running one or more what-if analyses, based on the modeled plurality of relationships, with at least one change within a data risk ecosystem to determine hypothetical upstream and downstream impacts; generating a graphical representation illustrating the modeled plurality of relationships and highlighting the identified at least one gap; transmitting the graphical representations to an interactive user interface through a communication network; and implementing at least one sensitivity control based on the set of expected control objectives, the at least one sensitivity control configured to secure data by implementation of one or more of in-transit edge encryption, encryption at rest, and crypto key access and management.
  2. The system of claim 1, wherein the request is a query comprising one or more custom search parameters.
  3. The system of claim 1, wherein the request relates to one or more of: control gap identification, a control assessment, policy and standard management, scenario analysis, risk metrics analysis, computational risk management, and client custom model.
  4. The system of claim 1, wherein the entire law or regulation comprises the Gramm-Leach-Bliley Act and wherein the entire industry best practice document comprises Control Objectives for Information Technologies published by ISACA (Information Systems Audit and Control Association).
  5. The system of claim 1, wherein the things of value comprise: computer hardware, computer software, applications and data/information.
  6. The system of claim 1, wherein the series of sensitivity labels comprise: restricted, confidential, nonpublic and public.
  7. The system of claim 1, wherein the series of criticality labels comprise: enterprise critical data, line of business critical data and noncritical data.
  8. The system of claim 1, wherein entering a high sensitivity tier returns a population of control objectives comprising encryption and access control to be satisfied by documenting and performing controls and wherein a low sensitivity classification tier returns a smaller population of control objectives.
  9. The system of claim 1, wherein entering a high criticality classification tier returns a population of control objectives comprising data lineage and data quality to be satisfied by documenting and performing controls and wherein a low criticality classification tier returns a smaller population of control objectives to be satisfied.
  10. The system of claim 1, wherein the client environment comprises: controls and metadata about controls, assets and metadata about assets.
  11. A computer-implemented method for data risk management, the method comprising the steps of: storing and managing, in a graph database, a variety of data, wherein the graph database is coupled to an intelligent graph platform that represents how data is structured through a plurality of connected relationships, and wherein the variety of data comprises one or more of the following data types: at least one obligation represented by at least a portion of an entire law or regulation; at least one industry best practice represented by at least a portion of an entire industry best practice document; at least one mandate represented by one or more individual requirements identified from the at least one obligation and the at least one industry best practice; at least one policy represented by one or more documents within an organization that establishes one or more high-level operational requirements; at least one policy statement represented by one or more individual requirements identified from one or more policies; at least one standard represented by one or more documents subservient to a parent policy within an organization that contains more detailed requirements than its parent policy; at least one standard statement represented by one or more individual requirements identified from the at least one standard; at least one risk represented by one or more risk statements that identify and describe a particular potential manifestation of a threat and its impact upon an organization; at least one control objective represented by one or more control statements describing activities that must be conducted in order to mitigate risk and/or to satisfy one or more mandates wherein one or more control objectives are derived from the one or more control statements; at least one control represented by documentation of activities that are performed to mitigate risk and/or to satisfy one or more mandates; at least one asset represented by things of value within an organization that require governance, protection and management; at least one key control indicator represented by a numerical measure of performance of one or more controls; a set of sensitivity classification tiers represented by a series of sensitivity labels that are associated with one or more control objectives indicating that at least one control objective applies to an identified sensitivity tier; and a set of criticality classification tiers represented by a series of criticality labels that are associated with one or more control objectives indicating that at least one control objective applies to an identified criticality tier; receiving, via an interface coupled to a client environment, a query that identifies a dataset based upon one or more pre-configured rules; responsive to the query, identifying and displaying, via a data risk management engine, a curated dataset based upon an entered sensitivity classification tier wherein a first population of control objectives that have previously been associated with the entered sensitivity tier are collated; identifying and displaying another curated dataset based upon an entered criticality classification tier wherein a second population of control objectives that have previously been associated with the entered criticality classification tier are collated; responsive to the query for sensitivity and criticality tier, (1) identifying at least one gap in one or more sensitivity controls comprising encryption and access control and (2) producing a set of expected control objectives for data commensurate with the identified sensitivity tier and identified criticality tier, and in light of the identified at least one gap; generating a graphical representation illustrating a first set of relationships between one or more of: the control objectives, the policies, the policy statements, the standards, the standard statements, the mandates, the obligations, and the industry best practices; modeling a plurality of relationships between components comprising the control objectives and information from the client environment; running one or more what-if analyses, based on the modeled plurality of relationships, with at least one change within a data risk ecosystem to determine hypothetical upstream and downstream impacts; generating a graphical representation illustrating the modeled plurality of relationships and highlighting the identified at least one gap; displaying, via an interactive user interface, the graphical representations through a communication network; and implementing at least one sensitivity control based on the set of expected control objectives, the at least one sensitivity control configured to secure data by implementation of one or more of in-transit edge encryption, encryption at rest, and crypto key access and management.
  12. The method of claim 11, wherein the request is a query comprising one or more custom search parameters.
  13. The method of claim 11, wherein the request relates to one or more of: control gap identification, a control assessment, policy and standard management, scenario analysis, risk metrics analysis, computational risk management, and client custom model.
  14. The method of claim 11, wherein the entire law or regulation comprises the Gramm-Leach-Bliley Act and wherein the entire industry best practice document comprises Control Objectives for Information Technologies published by ISACA (Information Systems Audit and Control Association).
  15. The method of claim 11, wherein the things of value comprise: computer hardware, computer software, applications and data/information.
  16. The method of claim 11, wherein the series of sensitivity labels comprise: restricted, confidential, nonpublic and public.
  17. The method of claim 11, wherein the series of criticality labels comprise: enterprise critical data, line of business critical data and noncritical data.
  18. The method of claim 11, wherein entering a high sensitivity tier returns a population of control objectives comprising encryption and access control to be satisfied by documenting and performing controls and wherein a low sensitivity classification tier returns a smaller population of control objectives.
  19. The method of claim 11, wherein entering a high criticality classification tier returns a population of control objectives comprising data lineage and data quality to be satisfied by documenting and performing controls and wherein a low criticality classification tier returns a smaller population of control objectives to be satisfied.
  20. The method of claim 11, wherein the client environment comprises: controls and metadata about controls, assets and metadata about assets.
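The traceability chain, tier-driven collation of control objectives, gap identification and what-if analysis that claims 1 and 11 describe, sketched as a runnable illustration added here (this is not the patent's or the assignee's code). Every edge, node name and tier-to-objective mapping below is constructed sample data, and the graph is an in-memory adjacency map standing in for the graph database and intelligent graph platform.

```python
from collections import defaultdict
# Constructed sample of the governing-artifact chain: obligation -> mandate ->
# policy statement -> standard statement -> control objective -> control -> asset.
EDGES = [
    ("obligation:GLBA", "mandate:protect-customer-data"),
    ("mandate:protect-customer-data", "policy:PS-1 encrypt sensitive data"),
    ("mandate:protect-customer-data", "policy:PS-2 restrict access"),
    ("policy:PS-1 encrypt sensitive data", "standard:SS-1 encrypt at rest"),
    ("policy:PS-1 encrypt sensitive data", "standard:SS-2 encrypt in transit"),
    ("policy:PS-2 restrict access", "standard:SS-3 role-based access"),
    ("standard:SS-1 encrypt at rest", "objective:CO-ENC-REST"),
    ("standard:SS-2 encrypt in transit", "objective:CO-ENC-TRANSIT"),
    ("standard:SS-3 role-based access", "objective:CO-ACCESS"),
    ("objective:CO-ENC-REST", "control:C-101 disk encryption"),
    ("objective:CO-ACCESS", "control:C-102 IAM access review"),
    ("control:C-101 disk encryption", "asset:customer-db"),
    ("control:C-102 IAM access review", "asset:customer-db"),
]
# Control objectives previously associated with each tier (constructed mapping;
# the tier labels are the ones named in claims 6 and 7).
SENSITIVITY = {"restricted": {"CO-ENC-REST", "CO-ENC-TRANSIT", "CO-ACCESS"},
               "confidential": {"CO-ENC-REST", "CO-ACCESS"},
               "nonpublic": {"CO-ACCESS"}, "public": set()}
CRITICALITY = {"enterprise critical": {"CO-LINEAGE", "CO-QUALITY"},
               "line of business critical": {"CO-QUALITY"}, "noncritical": set()}

def build_graph(edges):
    """Forward and reverse adjacency maps for the artifact chain."""
    fwd, rev = defaultdict(set), defaultdict(set)
    for src, dst in edges:
        fwd[src].add(dst)
        rev[dst].add(src)
    return fwd, rev

def reachable(adj, start):
    """Every node reachable from start by following adj (depth-first)."""
    seen, todo = set(), [start]
    while todo:
        for nxt in adj.get(todo.pop(), ()):
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return seen

def expected_objectives(sens_tier, crit_tier):
    """Collate the objectives for an entered sensitivity and criticality tier."""
    return SENSITIVITY[sens_tier] | CRITICALITY[crit_tier]

def control_gaps(edges, sens_tier, crit_tier):
    """Expected objectives with no documented control attached in the graph."""
    fwd, _ = build_graph(edges)
    covered = {node.split(":", 1)[1] for node, children in fwd.items()
               if node.startswith("objective:")
               and any(c.startswith("control:") for c in children)}
    return sorted(expected_objectives(sens_tier, crit_tier) - covered)

def what_if_remove_control(edges, control):
    """Upstream artifacts and downstream assets impacted if a control is dropped."""
    fwd, rev = build_graph(edges)
    return {"upstream": sorted(reachable(rev, control)),
            "downstream": sorted(reachable(fwd, control))}
```

Entering the "restricted" and "enterprise critical" tiers surfaces the in-transit encryption, lineage and quality objectives as gaps, while "nonpublic" and "noncritical" return a smaller population with no gap, mirroring claims 8 and 9.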

Description

CROSS-REFERENCE TO RELATED APPLICATION

This application claims priority to U.S. Provisional Application Ser. No. 63/237,610, filed Aug. 27, 2021, the contents of which are incorporated by reference herein in their entirety.

FIELD OF THE INVENTION

The present invention relates to systems and methods for effective data risk management and compliance to obligations (external and/or internal), policy, standards, risks and controls through a standardized data risk taxonomy, harmonized classification schema, policy and standard hierarchy, control catalog and standard of care. This enables coverage and traceability, prioritization of assets to bring under governance, quantification of risk profiles and alignment to a data risk taxonomy, real-time reporting and monitoring of the data risk and control environment, and further sets the foundation for data-driven predictive analytics to infer causal relationships and impact to an organization's risk profile.

BACKGROUND

In recent years, organizations have deployed a variety of capabilities to understand, manage and use data to drive business growth, improve operating efficiencies and introduce specialized products and personalized services for their customers. This expansion in the use and monetization of data has become an urgent focus of regulators. As external pressures increase to hold organizations and executives accountable to govern and protect data in their control, many organizations are facing challenges with how to effectively and sustainably manage data-related risks. Accordingly, with current systems, data and processes, there are challenges relating to coverage issues, fragmented governance, prioritization of assets to deploy appropriate controls, assurance levels and harmonized classification frameworks.

Coverage issues relate to data risk being a distributed discipline, with accountabilities sitting with team members across the organization, making it challenging to effectively manage and report on data risk holistically. Oftentimes, accountability is either unclear or distributed across the organization without a consistent data risk taxonomy pulling it all together. Fragmented governance refers to disparate and siloed policies and standards that lack cohesion and clear guidance on meeting internal and external obligations. For example, a single organization may rely on many different policies, some with varying (or non-existent) definitions of classification levels and governance. There is an abundance of controls and metrics to monitor compliance with policies and standards, but also confusion over ownership and integration across the organization and how they help to reduce risk exposure. Current systems face challenges aggregating, reconciling, analyzing and applying different methods for categorizing (e.g., criticality, sensitivity) and treating data. Prioritization of assets refers to an organization's desire to deploy controls in a systematic, pragmatic and defensible manner with often competing business priorities and limited resources. While many approaches deployed by organizations today either prioritize based on perceived risk reduction or the value generated by the asset, most do not account for both and further do not provide a methodology that would stand up to scrutiny by other parties. An additional complication is the struggle to measure data risk in a quantifiable fashion—as opposed to qualitative measures—in a manner that is scalable, sustainable and comprehensive.

In an effort to provide an organization's senior leadership with information to make decisions that prioritize spend and avoid or mitigate risk, data risk management professionals often provide either subjective (e.g., low, medium and high) ratings that rely mainly on the judgment of the data risk professional, or they report “proxy metrics” (e.g., an assortment of metrics collected from systems—for instance, how many alerts were issued by the data loss prevention system). However, these “proxy metrics” fail to provide a comprehensive picture of the data risk position for the organization. Moreover, they are often not aligned to an organizational hierarchy that enables efficient aggregation for reporting purposes. It would be desirable, therefore, to have a system and method that could overcome the foregoing disadvantages of known systems and improve data risk management and compliance with obligations, policy and standards, as well as seamlessly incorporate data risk metrics.

SUMMARY

According to an embodiment, the invention relates to a computer-implemented system for data risk management. The system comprises: an interface coupled to a client environment; a graph database that stores and manages a variety of data, wherein the variety of data comprises one or more of the following data types: at least one obligation represented by at least a portion of an entire law or regulation; at least one industry best practice represented by at least a portion of an entire industry best practi