One Article Review

Source: AlienVault Blog
ID: 1430943
Publication date: 2019-10-28 13:00:00 (viewed: 2019-10-28 15:00:16)
Title: Lessons learned conducting an information security risk assessment
Text: In an age where businesses rely more than ever on rapid advances in technology to drive innovation, strategy, growth and competitive advantage, it is clear that the prevalence of technology is not slowing down. But the growth in new connected devices and systems, together with the move onto the network of devices and systems that were traditionally air-gapped, brings with it increased cybersecurity risk. Organizations large and small are attempting to defend against a constant barrage of potentially damaging attacks and are struggling to keep up. Increasingly, they are finding that the best defence is a proactive, risk-based approach. By conducting risk assessments repeatedly, an organization can develop a holistic understanding of its risk landscape, and the gaps identified between people, processes and technology can be used to build a prioritized roadmap for managing and tracking risk over time. Organizations gain the ability to make informed business decisions and move away from a reactive, whack-a-mole approach to cybersecurity.

(Key takeaways graphic)

Policies and procedures are the foundation

Strong cybersecurity policies and procedures are the foundation of a robust security program. A risk assessor can glean a significant amount of insight into the maturity of an organization's cybersecurity program simply by looking at a few key areas of policy and procedure, such as those identified in the graphic below. They give the assessor valuable insight into the culture of cybersecurity within the organization, its reporting structure and the types of technology present, and ultimately allow the assessor to drive information discovery efficiently.

This quick and efficient information discovery is especially important for external assessors, or for those who do not already have an intimate understanding of the organization.

(Key takeaways graphic: considering security maturity)

Documentation is not implementation

Having a strong cybersecurity posture on paper does not mean much if it is not implemented. That is why interviewing personnel is so important in a risk assessment, and why the phrase "Trust but verify" is so often half-facetiously repeated by cybersecurity professionals. When verifying through interviews, it is tempting simply to go down a list of specific, tailored questions, likely taken from a framework or compliance standard. Questions like "Does your organization implement a cybersecurity training and awareness program?" are to the point, brief, and answer the question asked by the assessment framework, but they are not the best way to conduct interviews. Risk assessments are not audits, and getting a yes/no answer to a question is not nearly as valuable as taking the time to develop a comprehensive understanding. By having a guided cybersecurity conversation rather than simply working through a list of questions, an assessor is able to glean more information about an organization's risk and develop more valuable findings and recommendations.

Start broad and go narrow

When conducting interviews, start at a ten-thousand-foot view of the topic being discussed, then use the framework as a general guide to steer the conversation and narrow down to specifics. As seen in the example below, the risk assessor should first ask open-ended questions that give the interviewee a chance to explain the topic in depth. This allows for a less restrictive and narrow-minded conversation and gives a potential view into how the topic at hand fits into the entire business.
Tags: Tool

The article does not seem to have been picked up after its publication.

The article does not seem to have been picked up in an earlier one.