One Article Review

Source: NoticeBored
Identifier: 409097
Publication date: 2017-08-22 15:51:29 (seen: 2017-08-22 15:51:29)
Title: NBlog August 22 - what to ask in a gap assessment
Text: A relatively simple and naive question on the ISO27k Forum this morning set me thinking. "RP" asked:

"Does anybody have a generic [set of] high level questions for business departments other than IT, that can be asked during gap assessment?"

As is so often the way with newcomers to the Forum, RP evidently hasn't caught up with past Forum threads (e.g. we recently chatted about various forms of gap analysis, and the markedly different ways that people [including dentists!] use and interpret the term), paid scant attention to forum etiquette (e.g. he/she didn't tell us his/her name), and provided little to no context in which to address the question (e.g. what size and kind of organization is it? What industry/sector? Does it have a functional, certified and mature ISO27k ISMS already, is it working towards one, or is RP just idly thinking about it over coffee?).

Despite that, a couple of us responded as best we could, making assumptions about the context, the meaning and purpose of the 'gap assessment', and RP's situation. I suggested posing questions along these lines:

"What kinds of information do you use? Tell me more. Which is the most important information for your business activities, and why? What would happen if it was lost, damaged, out of date, inaccurate, incomplete, misleading, fraudulent, or disclosed e.g. on the Web?

Roughly how much of the information you handle is classified? How much is SECRET/TOP-SECRET? [You'd probably need to be security cleared, and have management support, to get a meaningful answer to that!]

What information do you generate? What happens to it? Where does it go? Who uses it, and for what? Would it matter to them if it stopped coming, or was late, or inaccurate, or incomplete, or was disclosed on the Web?

When was the last time you examined your information risks? What was the result? Show me! What changed as a result?

When was the last time you completed a business impact analysis and business continuity p
Sent: Yes
Tags: Guideline
The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from an earlier one.