
Starting a Risk Assessment and Vulnerability Management Program


Implementing a risk assessment and vulnerability management program is vital to securing your confidential corporate data. The intent of a vulnerability management program is to ensure that current security issues within the company are identified, evaluated using a risk management approach, and dealt with in a cost-effective and efficient manner. To that end, we have developed a few recommendations and suggestions to help get you started.

Identify. Develop a data classification scheme and an inventory of all data collected, stored, and/or transmitted. Consider the value, purpose, age and usefulness of information for each of these.

Confidential (Highly sensitive information): The most important data, which will have a major impact (financial, reputational, legal, operational, etc.) if it is disclosed.


Restricted (Medium level of sensitivity): Data that the general public should not have access to, but that will not have the same impact as confidential data if it is disclosed.

Public (Non-sensitive information): Data that has no impact if disclosed.

Analyze. Consider how data is stored. Is it physically stored (e.g. desk drawers, filing cabinets, mail room, and home offices), or is it electronically stored (e.g. desktops, laptops, servers, PDAs, cell phones, USB drives, CD/DVDs, and other flash memory devices)? Once you have established how your data is stored, you must determine how your data moves and by what storage medium each classification is accessed.

Evaluate the following:

Is the data accessible on the corporate network?

Can the device access the corporate network?

Who has access to the data or device?

Does the data or device leave the office?

Is the data or device accessible off-site?

Remediate. Identify the controls you have in place and determine whether your risks have been properly mitigated. At a minimum, make sure some of these prescribed controls are in place:

Intrusion detection/event monitoring devices have been deployed.

All endpoint computers have security software installed and updated (antivirus, antispyware, firewall, updates, and patches).

Electronic data is automatically backed up and stored off site by scheduling your data deployment ahead of time; sensitive data, however, should be encrypted and protected from outside access.


Access controls have been developed and implemented.

Attack and penetration tests are being utilized.

Portable storage devices cannot be connected to endpoint machines and used to download sensitive data without authorization.

Validate. Information security is an ongoing process, and management should continue to gather external and internal intelligence to assess the nature of threats to their data. Always evaluate the costs and benefits of different security methods while consistently considering management's risk threshold, and soon you will be on your way to having a consistent vulnerability management program.