Before the Security Scan Part 2
When you run vulnerability scans or pen tests, best practice is to first lay groundwork and “clean up your act,” data-wise. The scan can then be a report card as well as a road map. Previously, we addressed foundational issues: creating a Security Committee, identifying critical or sensitive information and identifying the risks. Now we discuss prioritizing risks and establishing mitigation plans, as well as adopting recommendations from a scan.
Risk Register

Once you have identified risks to critical or sensitive information, it’s time to develop an information risk register. Every organization’s risk register looks somewhat different, but at a minimum, we recommend:
- Title (a short-hand way to name the risk, such as Data Loss While Travelling)
- Source of Risk (such as Devices are stolen or lost)
- Location of At-Risk Data (such as Laptops, tablets and smartphones)
- Owner (which senior manager is responsible for mitigating this risk, such as the CIO)
- Existing Mitigation (such as Devices are password protected)
The register also holds the risk assessment, scored on a 9-point or 25-point scale using three further columns:
- Frequency (how likely the risk is to occur, rated 1-3 or 1-5)
- Impact (how much harm it would cause, rated on the same 1-3 or 1-5 scale as Frequency)
- Severity = Frequency x Impact, giving a 1-9 or 1-25 score; both inputs must use the same scale or severities across the register cannot be compared
Finally, the register includes columns for tracking the progress of an action plan, where one exists. For example, the risk of losing information held only in paper records could be mitigated by scanning the documents and filing them in an electronic records management system. The tracking columns could include:
- Open Date (when the risk was acknowledged and the mitigation plan initiated)
- Close Date (if any)
- Mitigation Plan (such as Encryption of sensitive information)
- Status (regular updates to ensure progress)
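As an added illustration (not part of the original article), the following Python models the register described above: each entry carries the columns listed, the two scores are validated against a single chosen scale, Severity is computed rather than typed in, and open risks are ranked for prioritization. The sample entries and their scores are constructed (the first two reuse the article's own examples); the tie-break on equal severity is an assumption.

```python
"""Information risk register with computed severity (added example; constructed data)."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass
class Risk:
    """One row of the register. Column names follow the article's list."""
    title: str                      # short-hand name, e.g. "Data Loss While Travelling"
    source: str                     # what gives rise to the risk
    location: str                   # where the at-risk data lives
    owner: str                      # senior manager responsible for mitigation
    existing_mitigation: str
    frequency: int                  # 1..scale
    impact: int                     # 1..scale
    scale: int = 5                  # 3 gives a 1-9 severity range, 5 gives 1-25
    mitigation_plan: Optional[str] = None
    open_date: Optional[date] = None
    close_date: Optional[date] = None
    status: str = ""

    def __post_init__(self) -> None:
        # Both scores must sit on the same scale, or Severity is meaningless.
        if self.scale not in (3, 5):
            raise ValueError("scale must be 3 (1-9 severity) or 5 (1-25 severity)")
        for name in ("frequency", "impact"):
            value = getattr(self, name)
            if not 1 <= value <= self.scale:
                raise ValueError(f"{name}={value} is outside 1-{self.scale}")
        if self.open_date and self.close_date and self.close_date < self.open_date:
            raise ValueError("close_date precedes open_date")

    @property
    def severity(self) -> int:
        """Severity = Frequency x Impact, computed so it can never disagree with its inputs."""
        return self.frequency * self.impact

    @property
    def is_open(self) -> bool:
        return self.close_date is None


def prioritize(register: List[Risk]) -> List[Risk]:
    """Open risks, most severe first. Tie-break (assumed, not from the article):
    higher impact first, then title, so the order is stable and reviewable."""
    if len({r.scale for r in register}) > 1:
        raise ValueError("mixed scales: a 1-9 and a 1-25 severity cannot be compared")
    return sorted((r for r in register if r.is_open),
                  key=lambda r: (-r.severity, -r.impact, r.title))


def sample_register() -> List[Risk]:
    """Constructed entries; the first two reuse the article's examples, all scores are invented."""
    return [
        Risk("Data Loss While Travelling", "Devices are stolen or lost",
             "Laptops, tablets and smartphones", "CIO", "Devices are password protected",
             frequency=4, impact=4, mitigation_plan="Encryption of sensitive information",
             open_date=date(2020, 9, 1), status="Encryption rollout 60% complete"),
        Risk("Paper-Only Records", "Fire, flood or misfiling", "Filing cabinets", "COO",
             "Locked cabinets", frequency=2, impact=5,
             mitigation_plan="Scan and file in the electronic records management system",
             open_date=date(2020, 9, 1), status="Scanning vendor selected"),
        Risk("Unpatched File Server", "Known vulnerabilities left open", "Shared drive", "CIO",
             "Monthly patching", frequency=3, impact=5, mitigation_plan="Patch and rescan",
             open_date=date(2020, 8, 1), close_date=date(2020, 8, 20), status="Rescan clean"),
    ]


if __name__ == "__main__":
    # Closed risks drop out of the priority list but stay in the register as the audit trail.
    for risk in prioritize(sample_register()):
        print(f"{risk.severity:>2}  {risk.title:<28} owner={risk.owner}  plan={risk.mitigation_plan}")
```

Keeping Severity as a derived value, and refusing to rank a register whose rows use different scales, are the two checks that make the number trustworthy when the register is later used as a road map for scan follow-up.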
Scanning
Vulnerability scanning vs. penetration (pen) testing—both are needed.
A vulnerability scan effectively runs through a checklist of known vulnerabilities (over 50,000) and reports which of those problems are present on the system. Scans are run monthly or more often.
The scanner ranks its findings by risk level. Reviewing the findings and weeding out false positives is part of the process; credentialed scans, which read installed software versions instead of inferring them from network banners, are one common way to reduce their number.
Pen tests are manual, real-time exercises in which ethical hackers probe the defenses, and they give more accurate and thorough results. Depending on scope, a pen test can take from a day to a week and can be expensive. It can also affect operations by slowing systems and interrupting staff.
After the Scan
Recommended actions that affect critical or sensitive information are then logged in the information risk register and tracked to closure.
An important part of reducing your liability is demonstrating due diligence, and a maintained register is the record of it.
This article was published in the September 2020 edition of The TMC Advisor, ISSN 2369-663X, Volume 7, Issue 6.
©2020 TMC Consulting