In this video, Kip Boyle explains how to take the analysis of an information security program and determine the top five risks an organization faces in the current landscape.
- [Instructor] To find your top risks, focus once again on the level at which you set your target scores. For me, that's the activity level in the NIST Cybersecurity Framework. The activities are listed on the left side of the screen, in the order they appear in the framework. That is, this list is sorted by function and then by activity. You can see each function has its own color, and the unique ID for each activity begins with the function code. For example, Asset Management is in the Identify function, so its function code is ID.
Using the gaps we calculated in the previous video, we'll now sort this list by gap size, from highest to lowest. And here it is: a rank-ordered list of all the activities we measured, from largest gap to smallest. Taking a look at the top five gaps, we can see there's a mix of activities from the Detect, Respond and Recover functions. To understand what's causing your gaps, you'll need to review the scores at the next level below your reporting groups. For me, that's the outcome level.
Let's examine the top risk more closely: Security Continuous Monitoring, which is part of the Detect function. Here's the scorecard for our weakest activity. Right away, you can see there's a lot of yellow, so there's no single problem area. But if we look closely, there are two outcomes with scores of three: monitoring external service provider activity, and regular vulnerability scans. Later in the course, we'll cover how to find the best opportunities for improvement.
By the way, the black cells in column two mean that this organization did not score five of the eleven outcomes in this activity. The decision that these were not applicable was made early in the process, before the questionnaires were prepared and data was gathered. While we're at it, make sure you check to see what your top five areas of strength are. You'll find out easily when you reverse the sorted list, from smallest gap to largest. Review scores at the next level below to isolate what's driving the strengths.
Then, go back to your experts and their management team, and thank them for providing you with strong controls.
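The ranking procedure described in this video (sort activities by gap, take the top five as risks, reverse the sort for strengths, exclude not-applicable outcomes, then drill down one level to see which outcomes drive a gap) as an added worked example. This is not code from the course or from Kip Boyle; the scoring model it uses (activity score = mean of its scored outcomes, gap = target minus score) and the sample scores are assumptions constructed for illustration, not data from the video.

```python
"""Rank NIST CSF activities by gap size and drill down to the outcome level.

Added example, not from the course. Assumed scoring model: an activity's
score is the mean of its scored outcomes; gap = target - score; outcomes
marked None were judged not applicable before data gathering and are left
out of the score (the "black cells" in the video's scorecard).
"""
from statistics import mean

# Constructed sample data: activity ID -> (function, target, {outcome ID: score or None}).
# IDs follow the CSF convention (function code, then activity), scores are 1-5.
ACTIVITIES = {
    "ID.AM": ("Identify", 4, {"ID.AM-1": 4, "ID.AM-2": 4, "ID.AM-3": 3, "ID.AM-4": None, "ID.AM-5": 3}),
    "ID.RA": ("Identify", 4, {"ID.RA-1": 4, "ID.RA-2": 3, "ID.RA-3": 3}),
    "PR.AC": ("Protect", 4, {"PR.AC-1": 4, "PR.AC-2": 4, "PR.AC-3": 4, "PR.AC-4": 4}),
    "PR.DS": ("Protect", 4, {"PR.DS-1": 4, "PR.DS-2": 4, "PR.DS-3": 3}),
    "DE.AE": ("Detect", 4, {"DE.AE-1": 3, "DE.AE-2": 3, "DE.AE-3": 3, "DE.AE-4": 4, "DE.AE-5": 3}),
    "DE.CM": ("Detect", 4, {"DE.CM-1": 3, "DE.CM-2": None, "DE.CM-3": 3, "DE.CM-4": 2,
                            "DE.CM-5": None, "DE.CM-6": 2, "DE.CM-7": 3, "DE.CM-8": 2}),
    "RS.AN": ("Respond", 4, {"RS.AN-1": 3, "RS.AN-2": 2, "RS.AN-3": 3, "RS.AN-4": None}),
    "RC.RP": ("Recover", 3, {"RC.RP-1": 2}),
}


def activity_score(outcomes):
    """Mean of the scored outcomes; None if every outcome was marked not applicable."""
    scored = [s for s in outcomes.values() if s is not None]
    return mean(scored) if scored else None


def gap_table(activities):
    """One row per measurable activity with its score, gap and count of N/A outcomes."""
    rows = []
    for act_id, (function, target, outcomes) in activities.items():
        score = activity_score(outcomes)
        if score is None:
            continue  # nothing was measured, so the activity cannot be ranked
        rows.append({
            "id": act_id,
            "function": function,
            "target": target,
            "score": round(score, 2),
            "gap": round(target - score, 2),
            "not_applicable": sum(1 for s in outcomes.values() if s is None),
        })
    return rows


def top_risks(activities, n=5):
    """Largest gaps first; ties broken by ID so the order is stable."""
    return sorted(gap_table(activities), key=lambda r: (-r["gap"], r["id"]))[:n]


def top_strengths(activities, n=5):
    """The same list reversed: smallest gaps first."""
    return sorted(gap_table(activities), key=lambda r: (r["gap"], r["id"]))[:n]


def weakest_outcomes(activities, act_id):
    """Drill down one level: (outcome ID, score, gap) for one activity, weakest first."""
    _, target, outcomes = activities[act_id]
    scored = [(oid, s, target - s) for oid, s in outcomes.items() if s is not None]
    return sorted(scored, key=lambda t: (-t[2], t[0]))


if __name__ == "__main__":
    print("Top risks")
    for r in top_risks(ACTIVITIES):
        print(f"  {r['id']:6} {r['function']:9} gap={r['gap']:<5} n/a={r['not_applicable']}")
    print("Top strengths")
    for r in top_strengths(ACTIVITIES):
        print(f"  {r['id']:6} {r['function']:9} gap={r['gap']}")
    worst = top_risks(ACTIVITIES, 1)[0]["id"]
    print(f"Outcomes driving {worst}")
    for oid, score, gap in weakest_outcomes(ACTIVITIES, worst):
        print(f"  {oid:8} score={score} gap={gap}")
```

With the sample data the weakest activity is DE.CM with two outcomes excluded as not applicable, and the drill-down shows which of its scored outcomes sit furthest below target, which is the review step the video describes for both risks and strengths.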
- Goals and components of an information security program
- Measuring and managing information risks
- Reducing risks to an acceptable level
- Using a workflow to organize your work
- Communicating progress with executives and stakeholders
- Demonstrating compliance