Security Capability Assessment

/ Comment /  26 views /        

Risk Assessment/Management
Does your organization:

  • Regularly perform vulnerability assessments?
  • Act on the results of a vulnerability assessment in a timely manner?
  • Identify critical information assets?
  • Identify the threats to critical information assets?
  • Determine the financial and other impacts of a successful attack on critical information assets?
  • Evaluate and manage your information security risks on an ongoing basis? In other words, are risks to critical information assets managed in a similar fashion to other key business risks?

Management/Policy
Does your organization:

  • Have a security policy (both IT and physical) established by senior managers?
  • Link your security policies to specific business objectives and specific risk areas?
  • Inform all managers at all levels of their responsibilities regarding security, including policy enforcement?
  • Include security as a regular agenda topic at management and staff meetings?
  • Ensure that all users receive training in your organization’s security policy, as well as penalties and consequences for non-compliance, prior to receiving an account on any system?
  • Periodically conduct an independent audit of organizational compliance with security policies?

System and Network Management
Does your organization:

  • Assign, manage, and update user identities and access permissions?
  • Control system and network changes, and manage system and network configuration, including selecting, testing, and applying high priority patches?
  • Regularly scan for viruses/worms/ Trojan horses/ denial of service agents on servers, desktop systems, laptop systems, and mobile devices?
  • Monitor for, detect, report, and act on suspicious files/behaviors/ events including user reports?
  • Actively work to contain the damage caused by a virus/worm/Trojan horse?
  • Recover/restore files, systems, and networks compromised in an attack in a timely manner?

Corporate Security
Does your organization:

  • Require identification and authentication for accessing your work facilities/buildings?
  • Have business continuity and disaster recovery plans in place?
  • Provide training to employees on identifying suspicious packages, behaviors, persons and events, and alerting security personnel?
  • Require human resources to conduct background checks on all new hires?

Source:
CSO Magazine and CERT Security Capability Assessment Tool
CSO Magazine

Subject: Security Questions
Like this content? Why not share it?
Share on FacebookTweet about this on TwitterShare on LinkedInBuffer this pagePin on PinterestShare on Redditshare on TumblrShare on StumbleUpon

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.