TMC's Advisor

The Advisor is published by TMC

Before the Security Scan

Many IT departments run vulnerability scans or pen tests, then fail to take action. After a major data breach an IT Director will be asked “Did you know about this risk?” Far too commonly, the answer is “Yes but we haven’t had time to deal with it—our scan report made so many recommendations!” Best practice is to focus security efforts on sensitive and critical data. So before you scan, decide what data needs protecting and where it can be found.

By Ellen Koskinen-Dodgson

Ellen Koskinen-Dodgson is President and Managing Partner of TMC IT and Telecom Consulting Inc. She is an IT and Telecommunications Management Consultant, electrical engineer, author, speaker, media resource and Expert Witness.

Buy-In

The first step is to gain corporate buy-in. After all, security is everyone’s business and IT can’t assess security risks alone. Part of building this buy-in requires IT to inform senior management about the risks associated with IT security. While so far the risk of fines is low in Canada, the risk of expensive data breaches is increasing and the landscape is constantly changing.

For example, CTV reports that in 2019 a Canadian company paid a 1.27 million dollar ransom, then lost over 10 days re-establishing operations. Further to this, the Verizon 2020 Data Breach Investigations Report identifies that 27% of malware attacks are now ransomware, and that ransomware risk is on the rise.

The goal of senior management buy-in is to establish and fund an organization-wide Security Committee that will determine what data needs to be protected and where that data can be found.

Assess Processes

Categorizing data as critical and/or sensitive may be based on regulatory and legal compliance, privacy (customers and employees), intellectual property protection or competitive performance.

The Security Committee requires input from operational groups, HR, and those responsible for privacy, regulatory and legal requirements.

A facilitator can help them map out all business processes and categorize the processes, or the associated data, by priority level. With our clients, we produce a “Diagram of Everything” that we use as a starting point for understanding their processes and data flow.

The process can take a week or two of full-time effort, or much more if spread over shorter sessions. The more the work is broken up over a longer period of time, the less effective and efficient the process becomes.

Identify Risks

Next, the committee needs to review processes to identify how that important data may be at risk. In addition to risks that can be addressed by IT security, examples include end-user caused problems or physical security such as:

Prioritizing risks and establishing mitigation plans, including adopting recommendations from a scan, will be discussed in the September 2020 issue.

This article was published in the July 2020 edition of The TMC Advisor
ISSN 2369-663X, Volume 7, Issue 5

©2020 TMC Consulting