Concise Diagnostic
If your doctor can diagnose most common ailments with a one hour checkup, why does it take at least a week for most consultants to identify the key issues with your Information Security program? Our Concise Diagnostic diagnoses the majority of significant issues a security program may be facing in around one hour of your time.
How? We have used our experience working with many different organizations to identify areas where simple questions can reveal significant underlying issues in the way that your program is managed and maintained. We call these Iceberg Questions as these issues exist largely below the surface. Examples of the questions included in our diagnostic are:
How many of your information security policies are fully implemented?
Many organizations have documented security policies, but have never managed to fully implement them. A policy that has not been implemented can be a liability in court, and is worth very little to an organization. For a policy to be fully implemented means both that it has been communicated to all relevant parties, and that controls exist to detect non-compliance and take appropriate action.
What was the last policy exception that was approved, and who approved it?
Older software, business needs or jurisdictional differences may mean that a policy cannot be fully complied with across an entire enterprise. In these situations, an exception should be documented and the risk approved by appropriately senior management. Any organization that has not identified any policy exceptions is almost certain to have areas of unmanaged risk and will likely have to remediate exceptions in the event of an audit.
How frequently does your head of Information Security report to the Board or Executive Management?
A good indication of how seriously Information Security is taken by an organization is the extent to which Executive Management is aware of and involved in Information Security decisions. Many Information Security managers do not get a chance to report on their progress and challenges to the highest levels of an organization. This can leave them without a voice or channel through which to gain support or manage expectations.
Concise Focus
Our focus is on the areas of a security program that have an impact on achieving broader business goals. We do not ask how long your passwords are; rather, we focus on the big picture: has a password standard been defined and implemented across all key systems, and is it being enforced? Our full diagnostic has 15 questions and takes about an hour for one of our experienced security consultants to facilitate 1-on-1. Following the interview, we provide a summary report showing key risk areas and recommended actions for improvement.