The Heartbleed Bug

As many of you may have heard, a new vulnerability was recently discovered in the OpenSSL cryptographic library, known as the Heartbleed Bug. It allows an attacker to read information that SSL/TLS encryption would normally protect, straight out of the memory of a vulnerable server or client. In simple terms, a large share of websites on the Internet are at risk of leaking confidential information even when the connection is an encrypted (HTTPS) session.

The following is an excerpt from, which provides complete details about the vulnerability:

What is leaked: Primary key material and how to recover?

These are the crown jewels, the encryption keys themselves. Leaked secret keys allow the attacker to decrypt any past and future traffic to the protected services and to impersonate the service at will. Any protection given by the encryption and the signatures in the X.509 certificates can be bypassed. Recovery from this leak requires patching the vulnerability, revocation of the compromised keys and reissuing and redistributing new keys. Even doing all this will still leave any traffic intercepted by the attacker in the past still vulnerable to decryption. All this has to be done by the owners of the services.

What is leaked: Secondary key material and how to recover?

These are for example the user credentials (user names and passwords) used in the vulnerable services. Recovery from this leak requires owners of the service first to restore trust to the service according to the steps described above. After this users can start changing their passwords and possible encryption keys according to the instructions from the owners of the services that have been compromised. All session keys and session cookies should be invalidated and considered compromised.

What is leaked:  protected content and how to recover?

This is the actual content handled by the vulnerable services. It may be personal or financial details, private communication such as emails or instant messages, documents or anything seen worth protecting by encryption. Only owners of the services will be able to estimate the likelihood of what has been leaked and they should notify their users accordingly. The most important thing is to restore trust to the primary and secondary key material as described above. Only this enables safe use of the compromised services in the future.

What is leaked: collateral and how to recover?

Leaked collateral are other details that have been exposed to the attacker in the leaked memory content. These may contain technical details such as memory addresses and security measures such as canaries used to protect against overflow attacks. These have only contemporary value and will lose their value to the attacker when OpenSSL has been upgraded to a fixed version.

According to the documentation regarding this vulnerability, the following versions of OpenSSL are at risk:

  • OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
  • OpenSSL 1.0.1g is NOT vulnerable
  • OpenSSL 1.0.0 branch is NOT vulnerable
  • OpenSSL 0.9.8 branch is NOT vulnerable

The bug was introduced to OpenSSL in December 2011 and has been out in the wild since OpenSSL release 1.0.1 on 14th of March 2012. OpenSSL 1.0.1g released on 7th of April 2014 fixes the bug.
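What the bug actually is, as an added example that is not part of the original post or of OpenSSL's own code: a toy Python model of a heartbeat handler, once without the length check and once with it. The record layout (1-byte type, 2-byte payload length, payload, padding), the simulated memory buffer, the function names and the stand-in secret are constructed for illustration; the comparison in respond_checked mirrors the bounds check the 1.0.1g fix added.

```python
"""Toy model of the Heartbleed missing bounds check (added example, not OpenSSL code)."""
import struct
from typing import Optional

HB_REQUEST, HB_RESPONSE = 1, 2
PADDING = 16  # a heartbeat message ends with at least 16 bytes of padding


def build_heartbeat(payload: bytes, claimed_length: Optional[int] = None) -> bytes:
    """Encode a heartbeat request: type (1 byte), payload_length (2 bytes),
    payload, padding. claimed_length lets the sender lie about the payload
    size, which is the malformed input the bug mishandled."""
    length = len(payload) if claimed_length is None else claimed_length
    return struct.pack("!BH", HB_REQUEST, length) + payload + b"\x00" * PADDING


def respond_unchecked(memory: bytes) -> bytes:
    """Vulnerable handler: trusts the length field and copies that many bytes
    starting at the payload, whatever lies there. In C this reads past the
    record into neighbouring heap memory; here the slice simply continues
    into the rest of the constructed buffer."""
    _, length = struct.unpack("!BH", memory[:3])
    return struct.pack("!BH", HB_RESPONSE, length) + memory[3:3 + length] + b"\x00" * PADDING


def respond_checked(memory: bytes, record_len: int) -> Optional[bytes]:
    """Fixed handler: discards the message when header + claimed payload +
    padding exceed the number of bytes actually received for this record."""
    _, length = struct.unpack("!BH", memory[:3])
    if 1 + 2 + length + PADDING > record_len:
        return None  # silently drop the malformed heartbeat
    return struct.pack("!BH", HB_RESPONSE, length) + memory[3:3 + length] + b"\x00" * PADDING


def response_payload(response: bytes) -> bytes:
    """Strip the 3-byte header and trailing padding from a heartbeat response."""
    return response[3:-PADDING]


def demo() -> dict:
    """Constructed scenario: a 5-byte payload that claims to be 64 KiB, sitting
    in a buffer just before a stand-in for private key material."""
    secret = b"-----BEGIN RSA PRIVATE KEY----- (constructed stand-in)"
    honest = build_heartbeat(b"hello")                        # 5-byte payload, honest length
    lying = build_heartbeat(b"hello", claimed_length=0xFFFF)  # same 5 bytes, claims 64 KiB
    memory = lying + secret                                   # record followed by other heap data
    return {
        "honest": response_payload(respond_checked(honest, len(honest))),
        "leaked": response_payload(respond_unchecked(memory)),
        "checked": respond_checked(memory, len(lying)),
    }


if __name__ == "__main__":
    result = demo()
    print("unchecked handler echoed back:", result["leaked"])
    print("checked handler returned:", result["checked"])
```

The unchecked handler echoes back everything after the request, padding and stand-in key included, which is exactly the "leaked memory content" the excerpt describes; the checked handler drops the request because 65535 claimed payload bytes cannot fit in a 24-byte record.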

If your web server is running a vulnerable version of OpenSSL, we strongly encourage you to upgrade to a fixed version today and confirm that your web server is actually using it: check the installed library version (for example with openssl version -a) and restart every service that loaded the old library, since a running process keeps using the copy it loaded at startup. Note that some operating system distributions backport the fix without changing the 1.0.1e version string, so consult your vendor's advisory rather than relying on the version number alone. Because the excerpt above describes leaked private keys, patching alone is not enough: reissue certificates, revoke the old ones, and invalidate sessions and credentials. In addition, other encryption products that link the OpenSSL library (mail servers, VPN gateways, load balancers) could also be at risk and should also be addressed.

For complete details about this vulnerability, visit

Posted in Uncategorized

Identity Theft Armageddon is Coming

Jim Stickley, Chief Technology Officer

Recently, there has been a lot of press regarding the Target credit card breach, and this has led to many questions regarding just how vulnerable the entire credit card payment system really is. In case you are unaware of how Target was breached, the basic facts are these. Hackers were able to load malware onto the Point of Sale (POS) servers on Target’s network. This malware was specifically designed to monitor the payment processing software loaded on the devices and capture the card data while it was being processed in plain text in the server’s memory.

How the malware actually ended up on the servers is still up for debate. It appears that a third-party vendor may have been compromised, and that through this vendor the hackers were able to gain access to the Target network. Other security experts say that it’s highly unlikely that a third-party vendor would have had access to the POS servers and therefore that this is not how the attack started. While I am interested to read the final report that gives the actual steps the hackers took, the simple fact is that this type of attack has brought sophisticated malware to mainstream hacking and marks the beginning of a whole new era of targeted malware attacks.

While malware designed to target a specific type of application is not new, for the most part it has been used against the average online banking consumer. In most cases, the malware would end up on a person’s PC and simply wait until they logged into their online banking account. Once the person logged in, the malware would begin passing commands to the online account on behalf of the user, without the user’s knowledge. When this attack first came out, it was extremely successful in automatically transferring funds out of unsuspecting victims’ bank accounts.


Of course financial institutions fought back and implemented additional layers of security to help reduce the risk of these types of attacks. For example, when a person attempts to transfer funds out of their account, an additional security challenge is presented in an attempt to thwart automated malware. And, while hackers do still come up with ingenious ways to bypass these additional layers of security, overall the success rate of these targeted malware attacks has declined.

However, something happened a few years ago that set in motion a new trend in hacking. An extremely specific type of malware was created and ended up on Iranian servers involved in that country’s nuclear program. The malware was given the name Stuxnet. What made it so special was that its whole purpose was to wreak havoc on Iran’s nuclear program. There have been numerous white papers and even some fantastic YouTube videos released that show exactly how the malware worked. The premise is simple. As engineers fed data into a piece of control software, the malware manipulated that data, so that as far as the engineer was concerned everything looked the way it was supposed to. In reality, the numbers actually applied were way out of whack and, when executed, caused devastating consequences.

So how do Iran, Target and a bunch of hacked banks accounts come together to change the entire future of hacking? Hackers have now been given the blueprints to create absolute identity theft armageddon. Sound a little overblown? Well, maybe, but I will let you be the judge.


Identity thieves have one primary purpose, and that is to make money. The problem for these criminals is that their overall success is often limited to a very short window of time. Take, for example, the Target breach. Sure, there were an estimated 70 million card numbers stolen, but within days Target had sent these numbers to every financial institution in the United States. The card numbers were deactivated, and new cards were issued. Were some of the numbers used before they were deactivated? Absolutely, but the reality is that more money was lost in the cost to financial institutions of re-issuing new cards than in actual money stolen via the cards themselves. So, while the attack itself was both sophisticated and extremely successful, the overall monetary value of the attack was relatively limited.

Now, you have a large number of cyber criminals who have been closely watching this story unfold. They have seen just how successful the attack itself was, but at the same time they realize that, however easy it was for the malware to steal all this information, in the end the payoff was limited by rapid deactivation. The Target breach made it clear that targeting a large organization with malware designed specifically to attack a particular application is a far faster way to gain access to millions of records than attacking home users and gaining access to one bank account at a time. Remember, malware targeting the home user’s online banking is facing more and more challenges.

So, if you’re a cyber criminal, you have to be thinking to yourself: why are we wasting our time stealing credit card numbers that can simply be deactivated when we can just as easily go after social security numbers? Think about it. When it comes right down to it, each of our identities is nothing more than a simple social security number. Need a loan? You will provide your social. Want a credit card? Again, it’s the social. Dealing with the IRS? Yep, you are nothing more than nine numeric digits and a couple of dashes. Now add in the fact that, unlike a credit card, you’re stuck with your social security number for life. If your social security number gets stolen, all you can do is attempt a fraud watch and hope that’s enough to keep you protected.

Give a man a fish and he eats for a day. Give an identity thief a credit card, and he steals for a day. Give him the social security number of an unsuspecting person, and he can rip them off numerous times for life. This is because even if the person finds out they have become a victim of identity theft and start to clean everything up, the criminal can simply put that social security number aside. Then in five or six years, they can come back and start all over because the person’s name will probably still be the same and yes, the social security number will also still be the same. Think I am making this up? Reach out to your local social security office and ask them if you can change your number. Unless you just happened to join the witness protection program, it’s not happening.


Sure, financial institutions, health care facilities and accountants are all going to be primary targets, but don’t forget about all those general businesses out there that allow people to set up credit cards or apply for loans. Car dealerships and department stores are great examples of organizations that are just waiting for hackers to start their attack. The list of course is endless, and as you read this, I am sure you can think of numerous other organizations that handle social security numbers. The point is that criminals have an unlimited supply of potential targets and can create targeted malware to take each of these companies down one at a time.

As these breaches start happening and organizations are forced to disclose that social security numbers have been stolen, they will do what it takes to defuse the PR nightmare. In most cases, they will offer six months to a year of a free credit watch service. This will give the average person a false sense of security, and people will move on with their lives. Unfortunately, when that year is up, most people will not have the money to pay to keep the credit watch service active, so the service will be discontinued. And what happened to the stolen social security numbers? It’s not like the criminal who stole them just threw them out. In many cases, they will sell them to other criminals who are willing to wait to use them with the understanding that it’s not a matter of if these numbers will be useful but only a matter of when.

I have spent the past 25 years working in the cyber crime field and have seen many types of attacks come and go. The difference between those attacks of the past and what is coming in the future is that there is little to nothing the average person will be able to do to defend themselves, and this has been proven over the past several months. Even the most secure organizations are still vulnerable to attack.  As targeted malware begins to siphon off millions of social security numbers from organizations all over the United States, the ability to truly track real identities from fake ones will become so blurred that the entire system as we know it will simply fail.

Still believe this is overblown? Only time will tell. In the meantime, I can only hope that all organizations will attempt to learn from what has happened with these other public breaches and stop attempting to simply meet some poorly-constructed regulation, and instead actually attempt to properly secure the confidential information they collect. This doesn’t have to end with identity theft armageddon, but without organizations taking a much more comprehensive look at their security practices, I personally am not overly optimistic about the security of my identity in the future.

Posted in compliance, Information Security Program, Risk Management, Securing your digital information

The Current Threat Model to Information Security

Josh Stone, Director of Product Management and Information Security Expert

The security industry is a sea of constant change, with the last two decades providing lots of waves. The end user and the workstation are the next key attack vector. We believe this transition is the result of operating system (OS) and infrastructure vendors figuring out protection. For example, there hasn’t been a “juicy” Windows vulnerability since 2008.

Java, browsers and document viewers are the next layer of software: they have operating-system-like capabilities but to date have not had the same level of security engineering. Attackers made OS vendors get up to speed, so now they must move into this next layer. Hopefully, one day the entire stack will be strong and only the user will remain; however, we are not there yet.

The largest challenge will be securing your endpoints. Workstations are already behind your firewall and offer a fantastic entry point through a single malicious URL. Antivirus and IDS/IPS help, but for targeted attacks you may not get as much help from your automated systems as you’d hoped.

Here are a few things to evaluate for your organization:

1. Start the war on local admin.

It is no longer the case that your endpoint is an unimportant component of your infrastructure, and the risk level now exceeds the need for everyone to have their own favorite screensavers. If malware escapes the Java sandbox and compromises the workstation, you want it running as anything but local administrator, so that it cannot install drivers, disable security tooling or read other users’ credentials from the machine. We recognize that this is a difficult win but worth the effort. We recently spoke with a customer who described an 8 to 10x reduction in desktop-related incidents solely from demoting users to non-privileged status.

2. Build a window into your network’s behavior.

The best tool you can have to detect an incident is not a magic software solution. It’s an understanding of what is normal. If you do not know what is normal, then you cannot notice when things are abnormal. For example, get NetFlow up and running and then glance at the top talkers on the network every morning. In two minutes of effort each day, you will be in the perfect position to detect a compromised system that is behaving strangely, because the hosts that legitimately move a lot of data (backup servers, mail relays) will quickly become familiar and a newcomer at the top of the list will stand out.
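As an added example (not code from the original post), here is what that morning glance looks like once it is written down. The flow records are constructed tuples standing in for NetFlow exports; the collector, field names, hosts and thresholds are assumptions for illustration. It lists each day's top talkers and, separately, flags hosts whose outbound volume jumps far above their own history, which is the "know what is normal" point made above.

```python
"""Top-talker baseline check over constructed flow records (added example)."""
from collections import defaultdict
from statistics import median

# Constructed sample: four quiet days, then a day on which 10.0.0.23 pushes
# far more data out than it ever has before, plus a host never seen before.
FLOWS = []  # (day, src_ip, dst_ip, bytes) -- stand-in for NetFlow export fields
for d in range(1, 5):
    day = "2014-04-0%d" % d
    FLOWS += [
        (day, "10.0.0.5", "203.0.113.10", 11_000_000),   # ordinary workstation
        (day, "10.0.0.7", "192.0.2.50", 50_000_000),     # backup server, always busy
        (day, "10.0.0.23", "203.0.113.10", 2_000_000),   # ordinary workstation
    ]
FLOWS += [
    ("2014-04-05", "10.0.0.5", "203.0.113.10", 11_500_000),
    ("2014-04-05", "10.0.0.7", "192.0.2.50", 48_000_000),
    ("2014-04-05", "10.0.0.23", "198.51.100.9", 600_000_000),  # sudden bulk transfer
    ("2014-04-05", "10.0.0.23", "198.51.100.9", 300_000_000),
    ("2014-04-05", "10.0.0.99", "203.0.113.10", 3_000_000),    # no history at all
]


def bytes_per_host_per_day(flows):
    """Sum outbound bytes by (day, source host)."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, src, _dst, nbytes in flows:
        totals[day][src] += nbytes
    return totals


def top_talkers(totals_for_day, n=5):
    """The plain morning list: the n hosts that sent the most bytes that day."""
    return sorted(totals_for_day.items(), key=lambda kv: kv[1], reverse=True)[:n]


def anomalies(totals, today, factor=5.0, min_bytes=1_000_000):
    """Hosts whose volume today exceeds `factor` times the median of their own
    earlier days. Hosts with no history are flagged if above min_bytes.
    Returns {host: (today_bytes, baseline_or_None)}."""
    history = defaultdict(list)
    for day, per_host in totals.items():
        if day < today:  # ISO dates sort lexically
            for host, nbytes in per_host.items():
                history[host].append(nbytes)
    flagged = {}
    for host, nbytes in totals[today].items():
        if nbytes < min_bytes:
            continue  # ignore noise from tiny senders
        past = history.get(host)
        if not past:
            flagged[host] = (nbytes, None)
        elif nbytes > factor * median(past):
            flagged[host] = (nbytes, median(past))
    return flagged


if __name__ == "__main__":
    totals = bytes_per_host_per_day(FLOWS)
    for day in sorted(totals):
        print(day, "top talkers:", top_talkers(totals[day], n=3))
    print("anomalies on 2014-04-05:", anomalies(totals, "2014-04-05"))
```

The plain top-talker list puts the backup server 10.0.0.7 first on every quiet day; that is the "normal" you learn by looking daily. Only the comparison against each host's own baseline singles out 10.0.0.23 on the last day, along with the never-before-seen 10.0.0.99, which is worth a question even at a modest volume.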


3. Look at your endpoint solutions to make sure you have something that is a little more than normal antivirus.

Vendors use various names, but it will sound something like “network threat protection” or “endpoint protection”. Some antivirus products are starting to look more like HIDS/HIPS, and that is a good thing! You may already have it, but audits will often find that it is disabled, so verify the setting on the endpoints themselves rather than in the management console alone.

4. Make sure your event logging sources are turned on.

Many organizations have their security event logs disabled. You may not be willing or able to centralize workstation logs, but you do want to have them available for analysis. In 2013, I personally consulted on three incidents where the trail ended at a system with no logs. That is the worst way to find out!

Posted in Information Security Program, Risk Management, Securing your digital information

Meaningful Use for Electronic Health Records (EHR)

Meaningful use aims to protect electronic health information created or maintained by certified EHR technology through the implementation of appropriate technical capabilities. Eligible professionals must conduct or review a security risk analysis of certified EHR technology, implement updates as necessary at least once before the end of the EHR reporting period, and attest to that conduct or review.

Security updates would be required if any security deficiencies are identified during the risk assessment. Security updates could include updated software for certified EHR technology to be implemented as soon as available, changes in workflow processes or storage methods, or any other necessary corrective action that needs to take place in order to eliminate the security deficiency or deficiencies identified in the risk assessment.

Meaningful use does not impose new or expanded requirements on the HIPAA Security Rule, nor does it require specific use of every certification and standard that is included in the EHR technology. There is no single method or “best practice” that guarantees compliance, but most risk assessments and risk management processes have steps in common:

  • Review the existing security infrastructure in your medical practice against legal requirements and industry best practices
  • Identify potential threats to patient privacy and security and assess the impact on the confidentiality, integrity and availability of your ePHI
  • Prioritize risks based on the severity of their impact on your patients and practice

Once you have completed these steps, create an action plan to make your practice better at protecting patients’ health information. Make sure your assessment examines risks specific to your practice. Your risk assessment may reveal that you need to update your system software, change the workflow processes or storage methods, review and modify policies and procedures, schedule additional training for your staff, or take other necessary corrective actions to eliminate identified security deficiencies.

After the risk assessment is complete for your practice’s facility and information technology, you will need to develop and implement safeguards to mitigate or lower the risks to your ePHI. For example, if you want to assure continuous access to patient information, you may need to add surge protection to prevent damage to sensitive equipment from electric power surges, put the server in a locked room, and become meticulous about performing and testing information system backups.

The Security Rule requires that you put into place reasonable and appropriate administrative, physical and technical safeguards to protect your patients’ ePHI. The Security Rule allows you to tailor security policies, procedures, and technologies for safeguarding ePHI based on your medical practice’s size, complexity, and capabilities – as well as its technical, hardware and software infrastructure.

A Security Risk Analysis Tipsheet, with content adapted from the HHS Office of the National Coordinator for Health Information Technology’s Guide to Privacy and Security of Health Information, is available. The tipsheet includes examples of safeguards and processes you might put in place to mitigate security risks to your practice, common myths about conducting a risk assessment, and facts and tips that can help you structure your risk analysis process.
U.S. Department of Health and Human Services Office for Civil Rights

Posted in Information Security Program, IS Risk Assessment, Risk Assessment, Risk Management, Risk Management Programs, Securing your digital information

TraceSecurity Newsletter: Your Connection to IT GRC News and Issues

We’re telling a new story to the market: where IT GRC is the new business imperative, helping to secure companies like never before. It starts with understanding what the market need has evolved into and why it’s so important. That’s where TraceSecurity comes in. We help you make sense of the IT GRC landscape and how to leverage it all for a more secure enterprise.

Please enjoy our new monthly newsletter that brings educational and relevant content to the IT GRC revolution.

December 2013 Issue

January 2014 Issue

February 2014 Issue

March 2014 Issue

April 2014 Issue


Posted in Newsletter

SANS 20 Critical Security Controls – Simplifying the security standard

Josh Stone, Director of Product Management

New standards and compliance requirements are always coming out. But once in a great while one of them strikes a chord with the right industry representatives and gains immediate ascendancy among the various standards and best practices already available. One you may have heard a little about already is the SANS 20 Critical Security Controls. This is an excellent standard that should receive immediate attention in your organization. Why is that? I’ll present three reasons you should consider adopting the SANS 20 Critical Security Controls in your environment:

  1. A real-world perspective – many standards emanate from sources that emphasize the abstract, managerial, or strategic aspects of information security. While those are important, the SANS 20 Critical Security Controls standard takes a very hands-on approach and builds in the “real-world” steps you can take to actually reduce your risk. Other standards still have their place, but if you want a list of 20 things on which you can take immediate action that will definitely reduce your risk, you need look no further.
  2. Regulator recognition – TraceSecurity has received significant feedback from a number of clients that industry regulatory examiners, external auditors, and other sources are asking about this standard more and more over time. One explanation is the brevity of the standard: with 20 items to check for, and supported by an information security powerhouse like SANS, compliance is an achievable goal and effective audit and review is straightforward. It behooves you to review this standard before you hear about it in your next audit.
  3. Supplemental guidance – SANS has built this standard with the recognition that no one will have all 20 controls operating at maximum effectiveness. Everyone will need to work on something. One way they’ve made things easier is by documenting a large body of supplemental information for each of the 20 controls. You can find advice for “quick wins” all the way through measuring and monitoring at a maximum implementation level for each one. We have found that the materials provided with the 20 controls are often more valuable than the control list itself.

Will the 20 Critical Controls guarantee that you’re secure, and that you can’t be hacked? No – information security is always an arms race, and there’ll always be a way in. But, this new standard gives you an actionable framework to dramatically reduce your risk in an achievable, step-by-step manner. Check out the standard for free at

Posted in Information Security Program, IS Risk, IS Risk Assessment, Risk Assessment, Risk Management, Risk Management Programs, Uncategorized

Efficient Audit and Compliance Management

TraceSecurity believes current audit and compliance management challenges will be eliminated when organizations place priority on protecting their proprietary and customer information. This is why TraceSecurity focuses on strategic information security risk management that leads to a streamlined audit process and compliance by default.

Once an organization has completed a risk assessment, it can map the identified controls to its specific compliance requirements and authority documents. Along with the proper policies and processes, audit and compliance management becomes streamlined: manual and redundant tasks are eliminated, the necessary visibility and accountability are provided, and compliance awareness is brought to the forefront.

Using a cloud-based software solution, like TraceCSO – TraceSecurity’s flagship product, all of your IT GRC functions can be centrally managed and assignments are dispersed across the organization for appropriate department participation.


As assignments are completed, automatic and real-time updates result in simplified audit and compliance management and reporting.

Lack of resources and information security expertise are no longer a hindrance. TraceSecurity is leading the market and transforming IT GRC into a mainstream business application for organizations of all sizes and industries.

For more information on how TraceSecurity can help you automate and simplify your audit and compliance management, visit today.

Posted in compliance, Information Security Program, Risk Management, Risk Management Programs

NIST 800 Risk Assessments

Using the NIST 800-30 assessment framework to address your organization’s information security risk management separates assets into distinct but integrated tiers, which helps to streamline the risk assessment process and to reduce the organization’s inventory of threats and controls.

While the National Institute of Standards and Technology, or NIST, provides guidance for categorizing assets, determining impact levels and security control baselines, we encourage you to adapt their ideas to your own environment and use them consistently for future comparisons.

Striking a balance between a comprehensive approach and one that is succinct enough to produce meaningful results can be a challenge. The NIST 800 framework suggests starting at the highest possible level and moving progressively, over time, to a more detailed view. Their multi-tiered approach, where risk is viewed from three distinct levels: the organization level, the business process level and the information system level, enables you to present risk at differing levels of granularity.


Performing your risk assessment in layers, from the top down, provides incremental progress towards a more effective strategy. Once your organization places the furthest-reaching and most important controls in place, your organization should then move to the next level and get more granular in its risk analysis.

Information system risk assessments are crucial for every company, especially in this technologically-driven society. By using the NIST 800 risk assessment framework, companies can get a better grasp on how to keep their information as secure as possible.

For more information on risk assessments, visit today.

Posted in IS Risk Assessment, Risk Assessment, Risk Management, Risk Management Programs

Top Reasons Organizations Struggle During Transition to Risk-based Information Security

Jill Hudson, Compliance Associate

Organizations across every industry have begun to experience and acknowledge the need to transition to a more risk-minded information security approach. It has become a challenge for the Chief Security Officer (CSO) not only to protect the organization’s assets, but also to be capable of identifying risks to those assets and then mitigating those risks in a manageable way. “How is it possible for one person to accomplish all this?” you may ask.

Ultimately, the only thing that stands in the way of the CSO role transforming into a Chief Risk Officer (CRO) role is a feasible option for managing the process. For the CSO role to evolve in the right direction, the organization’s mindset on information security must first shift. We must stop thinking of only how to protect data and respond when a new threat or vulnerability is discovered. The transition into a risk-minded structure can only begin once we think outside of ourselves and our own personal knowledge-base.

Peter Tomaszewski, Vice President and Information Security Officer of Bank of Marin in Novato, California explains, “An automated risk assessment delivered via the web helps us ask questions we wouldn’t think of on our own. The benefit of using a cloud-based system is that it asks the questions I may have forgotten to ask and has the ability to leverage the subject matter expertise of those who have deep insight into the current guidance landscape.” According to an April 2013 KBW press release, Bank of Marin is one of forty banks selected in 2012 to the elite Keefe Bruyette & Woods Bank Honor Roll of superior performers.


Education and resource management are essential to successfully adjust mindsets to a global risk management process and program.


Tomaszewski said that “educating and informing the Board and C-Level players on the need and purpose of a risk-minded structure has been one of the trickiest aspects of moving our organization in that direction.” Because regulations and industry standards exist in an ever-changing environment, it is crucial that organizations, and their executives, understand the need for a risk-based information security structure. So how can we educate decision makers on the need for and availability of IT GRC solutions that manage the risk assessment process?

Start by presenting them with the current structure of the company, along with its shortcomings and benefits. Understanding the current environment provides a foundation for why change is necessary in the first place. That education not only affects decisions on funding and information security goals, but it also becomes the catalyst for a company-wide shift toward a risk-based structure.

Resource Management

Time and resource management are also among the top causes of unease about transitioning to a decidedly more risk-based structure. The enormity of the task is what initially shocks CSOs and C-level decision makers into complacency with the current information security structure. While an organization may conduct an annual risk assessment, the ongoing, living process of managing risk is only now becoming a goal for most.

The trick to effective time and resource management is automation. Reducing the steps and repetitive tasks associated with creating and managing a global risk assessment is the most efficient way to accomplish this. IT GRC solutions are challenged with creating software that can eliminate unnecessary repetition not only in a stand-alone risk assessment, but throughout the life of the organization. It is also important to automate the integration of processes and information throughout the company into the global risk assessment.

So far, we have identified the impending changes to organizational information security structures, and laid the foundation for how to begin the necessary steps. Education and resource management are the first aspects to consider, but there is much more to be effective in changes that are made.

Posted in Information Security Program, Risk Management, Risk Management Programs, Uncategorized

NIST 800 Series Risk Assessment Framework: Effective Methods and Processes – Part 3

Josh Stone, Director of Product Management

In our last two NIST blog posts (Part 1: Lost in the Details and Part 2: Establishing Your Baseline), we talked about some of the key points of the NIST framework for risk management and assessments. We have addressed a number of common pitfalls as well as tools that the framework provides for creating a more effective and robust risk assessment. However, the actual practice of conducting a risk assessment can be challenging in different ways depending on the structure of your particular organization. In this post I would like to revisit a few of the key points we have covered previously and go over some effective methods and processes for conducting your own risk assessment.

Getting started is perhaps the most daunting task in a risk assessment: the moment you sit down at your desk, stare at your computer, and say “ok, now what?” Even for something as specific as an information security risk assessment, organizational buy-in is going to be a key concept. This can take a number of different forms, but whatever method you choose, the challenge is to grasp all the relevant risks and controls as they apply to an asset, on top of deciding how to define the assets for which you will measure risk. As an employee in a single department, your view of organizational assets, controls, and priorities may be limited, or there could be significant risks of which you are unaware.

Finding a way to interact with other managers, employees, and departments is vital to collecting the data needed to properly understand those risks. Previously we reviewed how the NIST framework focuses on starting at the organizational level when beginning a risk assessment; similarly, understanding strategic direction and decision-making policies may shed light on relevant risks and controls that affect an entire institution. At the beginning of a risk assessment, meeting with upper management and key personnel from different departments can provide a lot of insight and is a great place to decide how you will define assets.

We have found that this step can consist of some preparation and meetings with appropriate management personnel to decide how the risk assessment should be performed, who will be involved, what assets should be evaluated, and how data collection will be performed. This is another great place to refer back to the NIST framework for guidance. NIST 800-30 lays out a number of key risk assessment principles that are useful to review in these beginning stages and provides points that you will want to address in these initial strategic meetings. These key points include descriptions of key risk assessment concepts that can help develop a common language for conducting the assessment. A few examples would be addressing how to think about threats, vulnerabilities, likelihood, and impact.


Additionally, NIST lays out some considerations for choosing an analysis approach and some factors to account for when choosing an approach. A few examples of things to consider would be:

  • Quality and quantity of information available
  • The specific orientation carrying the highest priority for organizations
  • Availability of analysis tools emphasizing certain orientations

Collecting data is a challenge all on its own as well. Similar to the initial stages of the risk assessment, where organizational buy-in heavily impacts the overall quality of the assessment, the actual collection of data can be impacted by the ability to involve people from various roles and departments. Developing a set of questions that help highlight risks, threats, and controls across an organization is critical to gathering the needed information.

For instance, as an IT manager, it may be clear that there are significant risks concerning data backup procedures, but you may not be as knowledgeable about how Human Resources handles long-term storage for paper documents, or you may not even be aware that HR was required to keep certain documents. Without proper questionnaires and involvement, these key points could be missed. This type of information can be collected through interviews with personnel within a department.

Keep in mind that just as a selection of people from different departments can contribute to the quality of data within the risk assessment, so can querying different roles within those departments. In many organizations it is not practical to set time aside for interviews and conversations. When time is limited, developing a questionnaire that can be distributed on paper or electronically can greatly speed up the data collection process. Note also that these are just some examples of starting points. An effective assessment should consider as many available internal and external factors as time allows. Some items that might be considered when deciding what data to collect, and from where, are:

  • Recent changes in the IT environment
  • Disaster recovery testing reports
  • Employee access controls
  • Industry specific technology (hardware/software)
  • Incidents of fraud or security breaches

To learn how TraceSecurity helps you implement and manage a risk-based and ongoing information security program, visit us online at You can also connect with us on Facebook, Twitter, and LinkedIn.

Posted in Information Security Program, IS Risk Assessment, Risk Assessment, Risk Management, Risk Management Programs