Establish risk assessments and mitigation paths

Lots of organizations use risk assessments to make sure their cyber security is top-notch. If your organization already has one, it's a good idea to take a look at it before making anything new for Microsoft Power Platform.

The last thing you want is to create something for Power Platform that doesn't fit with your overall cyber security plan. So, check what you've got, and make sure everything lines up nicely.

If your organization doesn't have a risk assessment yet, the following sections highlight some considerations that you can use to establish a lightweight risk assessment process that helps you track, measure, and monitor the risks within your organization.

Establish baseline through standards

In organizations, it's important to set clear rules and guidelines. If you want the folks who create stuff (makers) to follow what the organization expects, you need to spell out what's okay and what's not.

But here's the thing: if people don't know these rules exist, they can't follow them. So, it's a good idea to make these rules visible. You can put them on an intranet site or a wiki. You can even let folks know about them automatically when they're creating their first flow or app. We'll talk more about this in another part of this module.

Implement governance controls to prevent unwanted actions

Governance is only useful if it's enforced. An organization needs to establish base rules and constraints to avoid data ending up where it shouldn't.

Establish an exception process

Situations might occur where a legitimate business need exists for a specific action or activity to be permitted. However, it's important that the decision to proceed is documented with the right level of visibility by people who have the authority to make that decision.

Track exceptions

Accumulating risks without the ability to measure an organization's overall exposure becomes a futile exercise. To effectively manage risks and strive for continuous improvement, organizations must track exceptions, assess their impact, assign responsibility for addressing risks, and regularly review them.

Some organizations leverage Microsoft Power Platform to facilitate this process. As discussed in the Introduction to the Microsoft Power Platform security and governance module, the Center of Excellence Starter Kit includes the Developer Compliance Center. This tool aids organizations in controlling the deployment of new applications and encourages app creators to justify the necessity of their apps. It's a systematic approach to maintaining control and ensuring the purposeful existence of each app.

Review and report exceptions regularly

To encourage the right actions, it's vital to make risks clear and understandable. If folks don't see how risks could actually affect things or have consequences, they might not see a reason to change what they're doing.

When you have a clear view of the risks in your organization, it helps managers assess whether they're okay with how much risk there is or whether they need to make changes. It's like having a good view through the windshield to drive safely.