Best Practices for Information Security Risk Assessments
open-ended questions that give the interviewee a chance to explain the topic in depth. This keeps the conversation from becoming narrow and restrictive, and provides a view into how the topic at hand fits into the business as a whole.
Ask Why
When interviews reveal that documentation does not match implementation, it is valuable to ask why. The well-known 5Y ("5 Whys") method holds that to reach the root of an issue, rather than just treating its symptoms, "Why?" should be asked roughly five times in succession. By adopting this mindset, the assessor often uncovers the insights most useful to an organization.
In the example below, the symptoms of the issue include production downtime, a lack of consistent testing and insufficient headcount. The root issue identified is that there is no documented method for conducting tests and no adequate training for the tasks involved. By asking "why" repeatedly, the assessor moves from a weaker recommendation calling for additional testing to a stronger one that spells out how to achieve efficient, consistent testing with the limited resources identified.
Original Recommendation: Additional testing should be performed before implementing changes in a production environment.
Recommendation After 5Y: Develop written testing procedures, and add the training of junior engineers to the principal engineer's job responsibilities, to encourage thorough and consistent testing before implementation of changes in a production environment.
Don’t Just Write, Communicate
Assessors are only as good as their reports. Written communication is key to a successful risk assessment, and it is important to know the audience of the assessment, or of each section of it. For example, an executive summary should be written in a very different manner than a section intended for an information systems principal.
Be as precise as possible: state only findings and recommendations that can be supported by evidence, and avoid findings or recommendations that are merely inferred. At the end of the day, presenting all of the gathered findings and recommendations together in a clear manner gives the organization a valuable tool for making informed risk decisions in the future.
Kyle Chrzanowski is currently at AT&T Cybersecurity on the Cybersecurity Consulting team. In his role, Kyle works as a delivery consultant and has been immersed in various aspects of cybersecurity consulting, including marketing, sales training collateral, and governance, risk and compliance services. With additional experience in network engineering and cybersecurity marketing, he is viewed as a driven individual who aims to approach problems from a unique perspective and create innovative solutions with impactful and lasting change that help drive client growth. Kyle earned his Bachelor of Science from Georgia Institute of Technology and holds an Associate of (ISC)2 certification. Kyle started with AT&T in 2017 as part of the Cybersecurity Development Program (CDP) and plans to graduate in June 2020.
This guest blog is part of a Channel Futures sponsorship.