You have done a risk assessment. That means you should have 1) an SRA report, 2) a risk management plan with prioritized corrective actions, 3) a disaster recovery plan, 4) an emergency response plan, 5) a breach notification plan, 6) training that is current and in use, 7) current policies and procedures. If you aren’t sure or said no to any of these, you may not know your level of security as well as you thought. Big names don’t always lead to big results in the world of cyber risk management.
Compliance is not the goal of an SRA
First of all, forget about being compliant; that is NOT the goal. The goal is to protect your clients’ personal data, which in turn will protect your business from suffering a costly breach. How do you protect your clients’ data, you might ask? Start with a valid security risk assessment that actually checks that you are doing the correct things to protect the valuable data. Here are some tips to ensure you are getting a valid SRA.
- Answer every question honestly.
- Do not attempt to make yourself look better during the assessment process. Be real to get real results.
- Ask for verification from IT or your MSP about the following:
  - Perform a computer operating system assessment. This will help you know whether your computers have been hardened and what to correct on each type of operating system.
  - Proof that the backups can be restored.
  - An inventory listing of every piece of equipment on the network.
  - A data flow diagram of every place sensitive data exists; not just where it is known to exist, but everywhere a search and discovery effort finds it.
- Also note that penetration testing, network inventory, data inventory, and network vulnerability testing should all be Standard Operating Procedures, not just part of your assessment.
- Take the results of the assessment and create an action item list in prioritized order of risk.
You don’t have to do it alone
If you don’t have the infrastructure or personnel to run this, CyberCompass can help. Our automated system, along with remote or onsite consulting help, will walk you through the assessments, scan your systems and generate a complete report of vulnerabilities. It also provides a prioritized list of actionable items. With an easy-to-use dashboard, the reports at your fingertips and the knowledge of where to start, CyberCompass will have you on the road to Cyber Confidence.