The preparation of a complete and detailed information security inventory can be daunting. To help guide you through the process, the following are some of the questions that should be addressed. How you address them is up to you. The information can be collected through meetings with management, questionnaires distributed to the department heads, informal conversations, or your own experience. It is unlikely that the critical employees in your business will be willing to devote long hours to answering your questions, so be prepared to be creative in how you acquire the data.
- Org Charts – Obtain the detailed organization charts for the business. Use the chart to create the initial list of core processes and identify the responsible business managers for these processes.
- Business Profile – Determine the environment in which the business operates, its competitors, the high-level business risks confronting the industry, future challenges, etc. If the business is a unit within a larger organization, determine how the unit fits within the overall risk profile of the enterprise.
- Risk Profile – What is senior management’s current perception of the operational risks to the business, and how does management expect future developments to affect those risks? What is management’s appetite for risk (conservative or aggressive)? Has management identified any specific risks or control deficiencies that must be addressed? What is the history of operational risk in this industry, and what types of operational risk are typical of it? Specific to information security:
  - What is management’s overall willingness to accept information security risk?
  - How critical is information security to the overall success of the business and to the protection of customer and shareholder interests?
  - Does management approach information security risk in the same manner as other business risks (credit, market, liquidity, etc.)?
  - What is management’s understanding of how information security risk fits into the overall operational risk management process and the new Operational Risk Policy?
  - Does the business have a process to determine whether any of its systems, applications, or processes may be exposing the enterprise to risk?
- Organization Inventory / Key Contacts – Identify the individuals responsible for such functions as information security, business continuity planning, legal and regulatory compliance, financial management, operations management, and technology support (engineering, application development, system administration, database administration, hardware support, etc.). Determine whether there is a clear understanding of management accountability for the applicable risks.
- Reporting – During the assessment there will be a need for management input. Identify the managers delegated to support the assessment and review/approve its results.
- Core Processes – Based on the discussions with management above, categorize and prioritize the significant processes within the business. Make sure you include any significant manual processes (do not let a process’s lack of reliance on technology lead to the assumption that it is unimportant).
- Policies, Standards and Procedures – Identify the significant policies, standards and procedures used in the business. This includes not only the high-level policies, but also the daily practices and procedures the business uses to process information. How do these documents apply to the protection of information?
- Laws & Regulations – In which countries, states and other jurisdictions does the business operate? How do the laws and regulations of these jurisdictions impact the business?
- Training – What training is in place that covers operational risk?
- Technology and Other Infrastructure
  - Applications – Prepare a list of the significant applications used by the business. This should include software developed in-house or by a third party, desktop software, and applications shared with other businesses or exposed on the Internet. Place special emphasis on inventorying any applications or data that are accessible from the Internet. Identify the owners of these applications.
  - Hardware – Is there a detailed and current inventory of the major hardware devices used to support the core processes?
  - Administration – What organizations, processes and procedures are in place to support such functions as development, engineering, quality assurance, change management, database administration, user access and entitlements, system administration, security and system monitoring, etc.?
- Identify the various classes of information created and processed by the core processes.
- Identify who owns each class of information.
- Classify the information.
©2009 ISRMC, LLC