A knowledgeable Information Technology (IT) department is the first line of defense against cyberattack. How is your system organized? What technologies are used, and for what purposes? What are the specific vulnerabilities of those technologies? By knowing yourself, you can better anticipate your adversaries and their approaches.
DJPaA will assess whether you have:
Management is also vital to information security; DJPaA will verify that you've set a clear and concise security policy in line with business objectives through:
We will assess organizational aspects of your security program through a review of:
Who will take the reins in the event of a security breach? Your service provider should support your organization's technology needs without impeding your ability to control what's yours. DJPaA will evaluate whether your service provider arrangements both allow you to function efficiently and let you manage risk properly. We will evaluate the following areas:
Who is responsible for what? We will assess the controls surrounding the protection of your assets. We will review documentation regarding:
We all want to trust our colleagues and peers, but nothing can be taken for granted when sensitive or valuable data is involved. Personnel should be empowered and given the clearances they need to perform their duties properly, but that trust must also be earned through the necessary credentialing. Because insiders often know their way around an institution's systems and processes better than outsiders do, it is imperative to know who your authorized users truly are through:
Where is your organization's information physically stored? Is it well-protected or accessible by anyone? We will assess your organization's ability to maintain the confidentiality, integrity, and availability of information, and evaluate the assurances provided by physical access controls. We will review:
Are your organization's internal communications a closed circuit? We will assess the controls surrounding:
Administrators should decide who can and cannot access system resources. A logical and administrative access controls evaluation will review the following:
Get the good into your system, keep out the bad. Before developing, acquiring, or implementing new software, it is important to address potential vulnerabilities. This can be done by ensuring the following items are in order:
Security systems can and should be tightened to the fullest extent possible. However, no security system is foolproof. When a breach does occur, your organization must be prepared to detect and react to the intrusion. Do you have an effective response program in place? The answer depends on your:
Turnover is a part of any organization, but names and faces changing can't be allowed to undermine the sanctity of its assets. A quality business continuity plan ensures there are no gaps in security when responsibilities change hands. Review of this plan is an integral part of the security process.
The rules and regulations defined by law can be a lot to sort through, but neglecting to do so could have serious repercussions. Have DJPaA do the sorting for you, verifying that all the controls are in place to protect against breaches of legal, regulatory, and contractual obligations, and of security requirements. Controls we will review include: