By SecureWorld News Team
Thu | Oct 20, 2016 | 12:00 AM PDT

You've established a robust security program in your organization and are feeling confident about keeping the bad guys off your network. But how do you effectively analyze how mature your security program actually is?

Randy Raw, Director of Information Security for Veterans United Home Loans, led a session with examples of concrete tools that can help you determine how your program stacks up against current threats. 

He outlines seven keys to success as a starting point for establishing a plan:

  • Start somewhere - even if it's from the bottom
  • Document what you have in place
  • Perform a gap analysis of where you want to be
  • Prepare a plan of how to close the gap
  • Report and celebrate significant milestones
  • Remember that you didn't get here overnight - and that you can't fix it overnight

He says the best way to assess your plan and establish a starting point for implementation is through the use of online tools. Raw recommends using the Center for Internet Security's Critical Security Controls or the Audit-Script Tool. Both provide detailed questions that allow you to assess what tools you're already using and how effective they are at mitigating risk.

Raw advises that your plan be risk-based because, as he puts it colloquially, "you can't secure all the things all the times."

However, he also says to stop going to bed with the weight of your organization on your shoulders. Positive planning equals positive results.
