Sunday, August 13, 2006

Creating an Atmosphere of Risk Management : Part II

Continuing from yesterday's post, here are the beginning steps every company must perform to begin the process of Creating an Atmosphere of Risk Management:

Perform an IT Risk Assessment. If you haven't assessed the risks within your environment, you cannot begin to build the controls needed to adequately control them. Any policies instituted without this foundation are at best without support. The interviewing process of a proper Risk Assessment will also help to begin the awareness that this is indeed a serious process that the corporation is 100% invested in.

Classify Your Data. The military does this well. How can you possibly control access to your data if you don't know what type of data it is? Do you have regulated data within your company that must follow certain standards? How about Human Resources (HR) data? How about Board Minutes? Financial Data? Marketing Plans? All of these must be put into classifications. Oh, and by the way, I am not talking just about computer data, I mean ALL data. That loan file you left on your desk during lunch? Not acceptable.

Set up an IT Steering Committee. If you don't have this, you need to start one now. Besides overseeing that the mandate of Information Technology follows the strategic mission of the corporation, this Committee is also where the standards for security should be ratified.

Set up Board Reporting. Each and every meeting of the Board of Directors should contain a time period in which the overall IT Security Risk is reported and evaluated. This furthers the top-down approach needed to bring about total awareness.

Perform Regular Testing and Training. Regular testing of security controls, especially regular Social Engineering testing, is paramount to building awareness.

In my next post, we'll start the next step, which is Creating the Physical Security Perimeter . . . .
