
















Tech Update Security
Risk assessment essentials
Where to start
By Louis Nel
TechRepublic
December 6, 2002



Start with the general and work your way down to the particular. Ask yourself--and the executives, managers, and department heads--about your company's business plan. Your company's annual report is a useful and often overlooked source for such information (and a good overview of your company structure).

A hint: Don't simply distribute a questionnaire with a deadline slapped onto it. You'll most likely get back a rushed response, probably even delegated to someone who doesn't have all the answers (or the time or inclination to answer). Set up meetings and interview people. This strategy has the added bonus that it will get them thinking about security--even after you're gone.

In addition, an excellent tool for a security analysis is Microsoft's free Security Advisor (ITASecur.exe) from its IT Advisor series. You can download the file here.

Weigh the value of the asset
When doing risk assessment, always keep in mind that to determine the risk, you have to determine the value. The more valuable the asset is, the greater the need for its security. This may seem pretty obvious, but it's something that people often lose sight of. It's also not always obvious what those "assets" are.

Here's an example: A consultant interviewed the CEO of a large corporation. At the end of a fruitful discussion, both were pretty certain they had it all covered. It was over coffee that the CEO proudly revealed that his company is working on a new product that's sure to take the market by storm. Further investigation by the consultant revealed that engineers working on the product carried around highly confidential information on their laptops related to the product development--unencrypted. E-mail about the project was not encrypted either.

Once you have the bigger picture about your company's structure, business processes, communications, assets, and so on, you'll have a good idea what needs to be secured. Now is the time for the IT department to sit down and discuss the best ways to secure those assets and processes. Also, establish immediate, short-term, medium-term, and long-term goals.

It's also the time to determine the need for training. Is your IT department up to all the tasks, or is training needed?

Once implemented, monitor the security set-up on an ongoing basis. And review your security plan regularly, because as companies change, so does the security landscape.

Security plan summary
1. Get backing
2. Plan before you start
3. Have a structured, but open-ended approach
4. Consult widely
5. Implement
6. Monitor
7. Revisit, review, and redo




