Information Security Assessment

Last Updated on

Reading time: 3 minutes

Conversations about information security are so awash in the myriad details of shiny objects, silver bullets, attacks, threats, risks, tools, tips, hacks, and one-size-fits-all solutions, it’s easy to lose sight of the fundamentals of security. For example, if I had to do a physical security assessment for a home, I’d need to know the people who use the home, and the ways they use it. Then I’d need to know the locations and types of doors and windows, perimeter fences and gates (or lack thereof), and other possible entry and exit points and their locking mechanisms. That’s all. The fundamentals are the same for an information security assessment, whether for a home or a multi-national organization.

Once we cut through all the noise, that’s the crux of information security, and those are the first questions to ask and answer. If these questions aren’t answered, or are answered incorrectly, no gadget, gizmo, or silver bullet can be properly configured or do its job effectively:

Who Are The People And What Do They Do?

“People” includes anyone with physical or virtual access: emergency service personnel, vendors, contractors, owners, directors, and anyone else who ever received and still may have physical or system access.

“What They Do” requires understanding each individual’s organizational roles; every role, process, and person that handles data; the rules, policies, standards, and procedures that govern their behavior; the rules, policies, standards, and procedures they actually follow; and the overall culture of the organization. Some companies and people love rules, and they fall all over themselves to create, learn, and follow them. Some companies and people make a lifestyle and art form of bending, breaking, and ignoring rules, like it’s a sport.

What Are The Devices?

“Devices” include every piece of networked or connected hardware: servers, routers, firewalls, switches, PCs, laptops, iPads, phones, printers, automated lights and doors, televisions, signage systems, security systems and badges, conference room scheduling apparatus, refrigerators, toasters, Amazon Dash buttons, pacemakers, and “wearable” devices.

Finally, can you name more? I bet! Internet of Things, anyone?

What Are The Applications?

“Applications” include every installable or updatable piece of software running on any device that is accessible to or from a network: operating systems, device drivers, desktop applications, enterprise applications, helper applications, games — if it was installed and resides on a system as software and can be launched by a human or another piece of software, it must be inventoried and recognized as a part of the organizational footprint and a risk.

What Are The Points Of Access?

Every person, system, and application that needs to “phone home” or reach another system, inside or outside the perimeter of the business, requires a point of entry or exit. Every one of these access points, if ignored, forgotten, improperly configured, or unmanaged, is a risk. This includes physical, virtual, and wireless access.

In summary, the more of the above that remain unknown, the greater the information security risk. I’ve seen two organizations that appeared willing and able to answer these four questions accurately and consistently over time. Some wouldn’t have a prayer of accurately assembling the data in a month. Others couldn’t do it in a year of Sundays.

Consider And Act

  • Do you see a risk in your home’s or organization’s security posture?
  • Can you answer the 4 questions accurately, for your department at work, and its users?
  • Do you believe your company can answer these questions accurately for all its systems and users?
  • Can you answer these questions accurately for your home and its users — family, friends, maids, lawn or pool service, exterminator? Who else?
  • How do you know your answers are correct?
  • What would be necessary to know with certainty?
  • Finally, would the cost of measuring the risk or securing the assets exceed their value?
  • Let me know your thoughts:


Hi, I’m Dylan Cornelius.

I’ve spent my career helping Fortune 500 companies build custom products and change the lives of their employees and customers.

Now I teach people everywhere how to get great results, manage change, and change their lives, with product development, continuous improvement, and agile management practices of the best businesses.

It can work for self development, life problems, your fitness plan, and chronic illness. Of course, it can even help at work.

I was the first son of a new teen mom. By the time I was 2, she was a single mom of 2, living with her parents and working a retail job as a cashier at a pharmacy. She remarried by the time I was 4.

My stepfather adopted me and my brother. He worked in construction 7 days a week to support the family.

Throughout my childhood, I learned firsthand the value of hard work. I was first in my family to do many things, and I’ve often done them the hard way: college on student loans while living on campus at UC Berkeley, an MBA while working full time. Later in life I ran a marathon, then 4 more and counting… I’ve learned multiple definitions of ‘healthy diet plan’, first as I lost 50 pounds, then again after I earned an autoimmune diagnosis.

In graduate school, I concentrated in “Management of Innovation” — after all, I worked in Silicon Valley, and I’d grown up just down the road! It was there I learned we don’t have to work so hard, (but it helps)!

We don’t have to rely on trial and error or hope, or just settle for less than we really want.

There’s a better way to get great results and change your life.

Let me show you how to manage change, get great results, and change your life with product development, continuous improvement, and agile management practices of the best businesses.
