Information Security Assessment

Conversations about information security are so awash in the myriad details of shiny objects, silver bullets, attacks, threats, risks, tools, tips, hacks, and one-size-fits-all solutions, it’s easy to lose sight of the fundamentals of security. For example, if I had to perform a physical security assessment for a home, I’d need to know the people who use the home, and the ways they use it. Then I’d need to know the locations and types of doors and windows, perimeter fences and gates (or lack thereof), and other possible entry and exit points and their locking mechanisms. That’s all. The fundamentals are the same for an information security assessment, whether for a home or a multi-national organization.

Once we cut through all the noise, that’s the crux of information security, and those are the first questions to ask and answer. If these questions aren’t answered, or are answered incorrectly, no gadget, gizmo, or silver bullet can be properly configured or do its job effectively:

Who Are The People And What Do They Do?

“People” includes anyone with physical or virtual access: emergency service personnel, vendors, contractors, owners, directors, and anyone else who ever received and still may have physical or system access.

“What They Do” requires understanding every organizational role each individual holds; every organizational role, process, and person that manipulates data; the rules, policies, standards, and procedures that govern their behavior; the rules, policies, standards, and procedures they actually follow; and the overall culture of the organization. Some companies and people love rules, and they fall all over themselves to create, learn, and follow them. Some companies and people make a lifestyle and art form of bending, breaking, and ignoring rules, like it’s a sport.

What Are The Devices?

“Devices” include every piece of networked or connected hardware: servers, routers, firewalls, switches, PCs, laptops, iPads, phones, printers, automated lights and doors, televisions, signage systems, security systems and badges, conference room scheduling apparatus, refrigerators, toasters, Amazon Dash buttons, pacemakers, and “wearable” devices.

Finally, can you name more? I bet! Internet of Things, anyone?

What Are The Applications?

“Applications” include every installable or updatable piece of software running on any device that is accessible to or from a network: operating systems, device drivers, desktop applications, enterprise applications, helper applications, games — if it was installed and resides on a system as software and can be launched by a human or another piece of software, it must be inventoried and recognized as a part of the organizational footprint and a risk.

What Are The Points Of Access?

Every person, system, and application with a need to “phone home” or reach out to another system, inside or outside the periphery of the business, requires a point of exit or entry. Every one of these access points, if ignored, forgotten, improperly configured, or unmanaged, is a risk. This includes physical, virtual, and wireless access.

In summary, an increasing number of unknowns above reflects an increasing amount of information security risk. I’ve seen two organizations that appeared willing and able to answer these four questions accurately and consistently over time. Some wouldn’t have a prayer of accurately assembling the data in a month. Others couldn’t do it in a year of Sundays.
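As an added example (not from the original post), the following Python reconciles a constructed toy inventory across the four questions and counts what is unknown: access holders missing from the roster, devices without an accountable owner, installed software outside the approved application list, and unmanaged access points. All names and values are made up.

```python
# Constructed sample inventory for the four questions. Every value is invented.
PEOPLE = {"alice": "owner", "bob": "contractor", "carol": "vendor"}   # active roster
DEVICES = {
    "fw-01":     {"owner": "alice", "apps": ["firewall-os"]},
    "laptop-7":  {"owner": "bob",   "apps": ["win11", "vpn-client", "game-x"]},
    "printer-2": {"owner": None,    "apps": ["printer-fw"]},          # nobody owns it
}
APPLICATIONS = {"firewall-os", "win11", "vpn-client", "printer-fw"}   # approved list
ACCESS_POINTS = [  # (point of access, who or what holds it, managed?)
    ("vpn-gw", "bob", True),
    ("vpn-gw", "dave", True),          # "dave" is not on the roster any more
    ("guest-wifi", "carol", False),    # unmanaged
    ("printer-2", "printer-2", False), # a device phoning home, unmanaged
]


def find_unknowns():
    """Return, per category, the items the inventory cannot account for."""
    unknowns = {"people": set(), "devices": set(), "applications": set(), "access": set()}
    # Who: anyone still holding access who is neither a rostered person nor a device.
    for _, holder, _ in ACCESS_POINTS:
        if holder not in PEOPLE and holder not in DEVICES:
            unknowns["people"].add(holder)
    # Devices: anything with no accountable (rostered) owner.
    for name, dev in DEVICES.items():
        if dev["owner"] not in PEOPLE:
            unknowns["devices"].add(name)
        # Applications: installed software missing from the approved inventory.
        for app in dev["apps"]:
            if app not in APPLICATIONS:
                unknowns["applications"].add(app)
    # Access points: unmanaged, or granted to an unknown holder.
    for point, holder, managed in ACCESS_POINTS:
        if not managed or holder in unknowns["people"]:
            unknowns["access"].add(point)
    return unknowns


def risk_score(unknowns):
    """Total number of unknowns: the post's proxy for unmeasured risk."""
    return sum(len(items) for items in unknowns.values())


if __name__ == "__main__":
    found = find_unknowns()
    for category, items in found.items():
        print(f"{category}: {sorted(items)}")
    print("unknowns:", risk_score(found))
```

Each unknown the script lists is a question the four-question inventory cannot yet answer; the score only drops when the record is corrected, not when the finding is hidden.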

Consider And Act

  • Do you see a risk in your home’s or organization’s security posture?
  • Can you answer the four questions accurately, for your department at work, and its users?
  • Do you believe your company can answer these questions accurately for all its systems and users?
  • Can you answer these questions accurately for your home and its users — family, friends, maids, lawn or pool service, exterminator? Who else?
  • How do you know your answers are correct?
  • What would be necessary to know with certainty?
  • Finally, would the cost of measuring the risk or securing the assets exceed their value?
  • Let me know your thoughts.


Also published on Medium.


Dylan Cornelius helps business people create laser-like focus on exactly what they want in their lives and businesses, re-invent themselves, their lifestyles, and their business systems to powerfully support getting those results, devise workable action plans to deliver the results, and master the skills necessary to build and sustain the results — all in 10 sessions over 4 months.





