How to Assess a Company’s IT Security

Data leaks and cyber attacks are two of the most pressing threats a company faces today. Carrying out a company IT security assessment is one way to reduce the chance of both. Have you done one?

Steps to carry out a company IT security assessment

Identify and catalog corporate information assets

Make sure you have a complete list of information assets, with the owner responsible for each, across all departments. Then classify data assets by their sensitivity and their strategic importance to the company. Talk to the administrators in every department so that the information you collect is accurate and complete. Once the data is classified, focus on the most sensitive data and look for the most effective ways to protect it.

Identify threats

Threats to a company’s information security can take many forms. That’s why you need to list every distinct threat your company faces, such as:

  • Deliberate human action (e.g. hacking, phishing)
  • Accidental human action (e.g. an employee unintentionally downloading malware)
  • System failure (e.g. outdated hardware, unpatched software)
  • Events beyond human control (e.g. power outages, natural disasters)

Identify vulnerabilities

Vulnerabilities can be discovered through audits, penetration testing, security analysis, automated vulnerability scanning tools, or the NIST National Vulnerability Database (NVD). Vulnerability identification should also cover company policies and employee negligence, for example employees using company electronic devices outside the office.

Analyze internal controls

You may implement technical controls such as hardware, encryption, or tools that detect hackers and other intrusions. Controls can also be non-technical, such as written security policies.

Determine the likelihood of an incident occurring

Assess the risk of each vulnerability and classify it as high, medium, or low. Likelihood is judged from three things: the asset, the threats it faces, and the controls in place against those threats.

Assess the impact of a threat

This step, called an impact analysis, must be completed for every vulnerability and threat that has been identified, no matter how likely it is to occur.

An impact analysis considers three things:

  • The system’s mission, including the processes the system carries out
  • The system’s criticality, determined by the value of the system and of its data to the company
  • The sensitivity of the system and its data

Consider both the quantitative and qualitative impact of an event to get a complete picture. Weighing the three factors above lets you rate a threat’s impact on your company as high, medium or low. If an incident occurs, this impact analysis helps you prioritize risks in the next steps.

Prioritize risks to company information security

Rank risks that have severe consequences as high priority, and risks that are unlikely to occur and have small consequences as low priority.

Design mitigation measures

Using the priorities you have recorded and detailed, plan how to mitigate the most pressing risks first. Involve the people who will be responsible for implementing these controls so that the risks are effectively mitigated or eliminated.

Work with senior management and IT so that the chosen risk controls are aligned with the risk management plan and the company’s overall goals. Invest time and money in training your employees on these mitigations as well.

Document the results of the company’s IT security assessment

After all the steps above have been carried out, write a report documenting all the results of your assessment. The report should support recommended budget and policy changes to improve the company’s IT security.
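As an added example that is not part of the original article, the following Python sketch ties the steps above (asset, threat, vulnerability, existing controls, likelihood, impact, priority) into a small risk register ready for the report. The three-level scale, the rule that each existing control lowers likelihood by one level, the score thresholds and the sample rows are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

LEVEL = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Risk:
    asset: str                 # item from the asset inventory
    threat: str                # deliberate / accidental / system failure / external
    vulnerability: str         # weakness that lets the threat reach the asset
    likelihood: str            # low / medium / high, before existing controls
    impact: str                # low / medium / high, from the impact analysis
    controls: list = field(default_factory=list)  # existing internal controls


def residual_likelihood(risk: Risk) -> int:
    """Assumed rule: each documented control drops likelihood one level, never below 'low'."""
    return max(1, LEVEL[risk.likelihood] - len(risk.controls))


def score(risk: Risk) -> int:
    """Qualitative score 1..9 = residual likelihood x impact."""
    return residual_likelihood(risk) * LEVEL[risk.impact]


def priority(risk: Risk) -> str:
    """Severe and likely -> high; unlikely and small -> low; everything else medium."""
    s = score(risk)
    if s >= 6:
        return "high"
    if s >= 3:
        return "medium"
    return "low"


def prioritized_register(risks: list) -> list:
    """Return (priority, score, risk) rows, most pressing first, for the assessment report."""
    rows = [(priority(r), score(r), r) for r in risks]
    return sorted(rows, key=lambda row: row[1], reverse=True)


# Constructed sample register covering the four threat categories from the article.
SAMPLE_RISKS = [
    Risk("customer database", "deliberate", "no MFA on admin logins", "high", "high"),
    Risk("payroll workstation", "accidental", "users can run downloaded files", "medium", "medium", ["endpoint antivirus"]),
    Risk("file server", "system failure", "unpatched operating system", "high", "medium", ["monthly patch policy"]),
    Risk("office network", "external", "single power feed", "low", "low"),
]

if __name__ == "__main__":
    for prio, s, r in prioritized_register(SAMPLE_RISKS):
        print(f"{prio:6} {s} {r.asset}: {r.threat} via {r.vulnerability}")
```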

Regularly assessing company IT security makes the security program more likely to succeed and lets you make the right decision for each incident that occurs.

Hypernet is ready to provide professional service assistance that has deep expertise in overcoming IT security problems. Contact CS for more information.
