
HIPAA Audit Steps continued

Previous steps

Step 3 : Risk Assessment

Now we need to consider the threats, both actual and perceived. Identify and discuss them, then list cost-effective solutions. For each solution, identify what is needed and the possible methods of implementing it. Once all threats have been identified, you might find that a single solution addresses more than one threat, or that a solution creates a new threat.

Look at both internal and external threats, malicious and accidental threats, physical and entirely logical threats. Sadly, just defending the perimeter is not enough in today’s security defense structure. If an attacker can gain access to an internal device, locally or remotely, then all perimeter defenses are in effect null and void. We need to protect the border, yes, but we also need to protect the internal hosts.

Qualify what is acceptable risk. Remember that not all risk can be avoided; there is always going to be residual risk. How much are we willing to accept, how much are we going to mitigate, and how much are we going to transfer? Too often, management who do not truly understand risk want to totally eliminate it with a minimal budget. This is not going to happen. Mitigation and transfer have costs, and what you do not mitigate or transfer you are left to deal with or account for.

Step 4 : Resolve Implementation Planning

Now is the time to start planning the repairs or fixes. First, plan: What MUST be done? How long will it take to reach this objective? What is the measurement that says we were successful? Second, justify that this is the right method. Lastly, budget enough resources (financial, human, and time) to implement the solution. Hold off on the quick draw from the hip, running off and performing the fix immediately. Look for cross contamination: be aware that some solutions might create or worsen current problems. No solution is self-contained; each will have costs and ramifications for other related areas.

Step 5 : Resolve Projects

Now that all solutions have been documented, planned, assessed, justified and budgeted for, we can start implementing them. “Hi Ho Silver, and off to the rescue we go.” Be very aware of timelines, budget overruns, and ramification effects.

If project 10 relies on project 8, and project 8 is two weeks behind schedule then we simply can NOT expect project 10 to start or complete on time. Make sure that there is one person tasked to monitor the projects and measure the project completion status and budget usage.

Do NOT forget to plan user training, especially on the new processes and procedures that have been implemented. Check that the new procedure is in fact being followed, and not old habits. Review and update all policies, procedures and rules to account for the solutions, and train. Too often we just expect others to follow the new procedures, and yet they do not know anything about the changes.

Step 6 : Audit review and plan for the next Assessment

CONGRATULATIONS ! ! You have just started !    WHAT ? ? ?

Yes, it is time to start the process again. Do not get me wrong: accept the new changes, reward the improvements. But then restart with the next project, ensuring that the initial findings have been resolved and that the initial list of findings has in fact been reduced.

Neatly close off the current audit. Ensure all steps have been clearly documented and addressed. Plan for the next audit, and monitor that the new policies and procedures are effective.
