We generally assess information security risks by facilitating and leading a workshop (sometimes a short series of workshops) involving staff from the business and information technology departments (including the information security function for those clients having the luxury of being able to call on their own specialists).

The aim of the workshops is to generate a comprehensive description of the information security threats, vulnerabilities and impacts, generally across the three areas of confidentiality, integrity and availability. Depending on the level of information security expertise within the client organisation, we may be personally involved in more detailed information gathering to confirm the nature of the risks within the particular technical and business environments concerned.

Key risks, and then key controls, are determined through a systematic and iterative process of analysis, design and reassessment, culminating in a proposed and cost-justified implementation plan. The rigour of this process gives the business people confidence that their information security risks will be minimised at a reasonable cost, while the technologists have their opportunity to be creative in designing system controls and procedures that will really work.

A spin-off benefit of this service is that client staff gain a better understanding of information security risks, and can lead their own risk assessments.