Building an Enterprise Security Program in 10 Simple Steps

The complexity of today's technologies, regulations, business processes, security threats and a multitude of other factors greatly increases the risks faced by businesses today. These tips for building an enterprise security program (ESP) can help.

Step 4: Assess Threats, Vulnerabilities and Risks

Threats are sources of danger to information assets. It is important to list all the pertinent threats, categorize them, and rank them based on their importance. Vulnerabilities are weaknesses or flaws in the system that can be exercised, inadvertently or intentionally, to cause a security breach. Vulnerabilities exist in people, processes, and technologies. Making a list of applicable vulnerabilities and ranking them based on their impact to the organization is advisable.

Risks are possible events or conditions that could have undesirable outcomes for the organization. A risk exists only where a threat meets a vulnerability it can exercise. For example, the technological vulnerability in Microsoft Outlook, combined with the people vulnerability of users opening unknown attachments, can be exploited by the threat of the Mydoom mass-mailing worm to produce the risk of lost network bandwidth.

Step 5: Manage Risks

Risk management focuses on avoiding, mitigating or transferring risks, or on formally accepting those that fall within the organization's tolerance. It starts with a list of risks, each rated for the likelihood of its occurrence and its impact on the organization. Likelihood and impact together determine how the risks are prioritized: a high-impact risk with a high likelihood of occurrence is a high-priority risk to the organization, and a risk that scores low on both can usually be accepted and monitored.

Once the risks are prioritized, they can be dealt with in one of several ways. For example, the risk of attack by the Mydoom virus can be avoided by using Lotus Notes instead of Outlook, mitigated by installing the latest anti-virus software and training people not to open suspect attachments, or transferred by contracting with a third-party vendor to provide all e-mail needs.
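The following is an added worked example, not code from the article, showing how Steps 4 and 5 are usually put into practice: a small risk register that records each risk's threat and vulnerability, scores it as likelihood × impact on a 1-5 scale, applies one of the four treatment options, and re-prioritizes the residual risks. The register entries, the 5×5 scale and the priority band thresholds (15 and 8) are assumptions chosen for this example; an organization would set its own.

```python
from dataclasses import dataclass, replace
from enum import IntEnum
from typing import List, Optional


class Level(IntEnum):
    """Qualitative 1..5 scale used for both likelihood and impact (assumed scale)."""
    VERY_LOW = 1
    LOW = 2
    MEDIUM = 3
    HIGH = 4
    VERY_HIGH = 5


@dataclass(frozen=True)
class Risk:
    name: str
    threat: str          # source of danger (Step 4)
    vulnerability: str   # weakness the threat can exercise (Step 4)
    likelihood: Level
    impact: Level
    treatment: str = "untreated"

    @property
    def score(self) -> int:
        """Likelihood x impact, 1..25."""
        return int(self.likelihood) * int(self.impact)

    @property
    def priority(self) -> str:
        # Band thresholds are an assumption of this example, not from the article.
        if self.score >= 15:
            return "high"
        if self.score >= 8:
            return "medium"
        return "low"


TREATMENTS = ("avoid", "mitigate", "transfer", "accept")


def treat(risk: Risk, option: str, likelihood: Optional[Level] = None,
          impact: Optional[Level] = None) -> Risk:
    """Return the residual risk after applying one treatment option.

    avoid    - the exposure is removed, so likelihood drops to the floor
    mitigate - controls lower likelihood and/or impact (caller supplies new levels)
    transfer - a third party carries the consequence, so impact drops
    accept   - nothing changes; the risk is recorded as accepted
    """
    if option not in TREATMENTS:
        raise ValueError(f"unknown treatment {option!r}")
    if option == "avoid":
        return replace(risk, likelihood=Level.VERY_LOW, treatment=option)
    if option == "accept":
        return replace(risk, treatment=option)
    if option == "transfer":
        new_impact = impact if impact is not None else Level.LOW
        return replace(risk, impact=new_impact, treatment=option)
    if likelihood is None and impact is None:
        raise ValueError("mitigate needs a new likelihood and/or impact")
    return replace(risk,
                   likelihood=likelihood if likelihood is not None else risk.likelihood,
                   impact=impact if impact is not None else risk.impact,
                   treatment=option)


def prioritize(register: List[Risk]) -> List[Risk]:
    """Highest score first; ties broken by impact so the worst outcome is reviewed first."""
    return sorted(register, key=lambda r: (r.score, int(r.impact)), reverse=True)


# Constructed sample register (not from the article), modelled on its examples.
REGISTER = [
    Risk("worm-mail", "mass-mailing worm", "users open unknown attachments",
         Level.HIGH, Level.HIGH),
    Risk("data-deletion", "operator error", "no backup of critical data",
         Level.MEDIUM, Level.HIGH),
    Risk("dc-power", "power outage", "single data centre, no failover",
         Level.LOW, Level.VERY_HIGH),
    Risk("laptop-theft", "theft", "unencrypted laptop disks",
         Level.MEDIUM, Level.MEDIUM),
]


def residual_register(register: List[Risk] = REGISTER) -> List[Risk]:
    """Apply one treatment per risk and re-prioritize the residual risks."""
    by_name = {r.name: r for r in register}
    treated = [
        treat(by_name["worm-mail"], "mitigate", likelihood=Level.LOW),  # anti-virus + training
        treat(by_name["data-deletion"], "mitigate", impact=Level.LOW),  # backups
        treat(by_name["dc-power"], "transfer", impact=Level.LOW),       # hosted DR contract
        treat(by_name["laptop-theft"], "accept"),                       # within tolerance
    ]
    return prioritize(treated)


if __name__ == "__main__":
    for r in prioritize(REGISTER):
        print(f"{r.name:14} L={r.likelihood.name:9} I={r.impact.name:9} score={r.score:2} {r.priority}")
    print("--- after treatment ---")
    for r in residual_register():
        print(f"{r.name:14} {r.treatment:9} score={r.score:2} {r.priority}")
```

Note that the accepted laptop-theft risk ends up at the top of the residual list: it was never the worst risk, but once the others are treated it is the largest exposure that remains, which is exactly what a periodic review of the register should surface.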

Step 6: Create an Incident Management and Disaster Recovery Plan

Security breaches, unintentional loss of IT assets, accidental deletion of critical data, or a power outage in a data center are examples of incidents. A good incident response plan clearly identifies, for the most common incidents, what needs to be done, who does it, and when the incident is escalated.

Incidents that are catastrophic in nature call for a disaster recovery (DR) plan. Following the 9/11 attacks and Hurricane Katrina, several affected businesses with no such plan in place were unable to resume business.
