http://www.mattroedell.com


Network Infrastructure & Information Security Expertise

The 15 Question 15 Minute Risk Analysis

  1. Do you filter employee internet access?  
  2. Do you filter inbound/outbound email attachments or content?
  3. Do you have a control preventing employees from emailing sensitive information to their home email accounts?
  4. Do you limit usage of USB, CD/DVD burners and all other removable media to authorized users only?
  5. Do you have a control to prevent connection of unauthorized devices to your network?
  6. Do you require two-factor authentication for remote access?
  7. Can you produce documentation in the next 15 minutes that lists every server in your environment including test and development?
  8. Can you produce documentation in the next 15 minutes that proves every server and PC in your environment is patched?
  9. Can you produce documentation in the next 15 minutes that proves every server and PC in your environment is running up to date anti-virus?
  10. Can you produce a diagram in the next 15 minutes that shows every internet facing device in your environment?
  11. Can you produce individual diagrams in the next 15 minutes that detail every business critical application in your environment?
  12. Can you produce a penetration testing report in the next 15 minutes that lists all internal and external vulnerabilities and was performed in the last 30 days?
  13. Can you produce documentation in the next 15 minutes that shows all details on the past 5 changes to production systems including meeting minutes with IT and business process owners?
  14. Can you produce documentation in the next 15 minutes detailing a single violation of any security policy or control violation in the past 30 days?
  15. If you lost power to your main building right now and the outage duration lasted 3 days, would you be able to resume critical business operations with core staffing at a remote location with access to all critical systems within 2 hours of the initial power loss?

If you answered "No" to any question above or were unable to produce the requested documentation, your program does not have a solid foundation and you are at high risk of data loss and loss of business operations. If you are able to produce the information, but not within 15 minutes, your incident response is either non-existent or not well defined: the same facts a responder needs during an incident (which servers exist, what is patched, what faces the internet) are not at hand when they are needed.

If you are in charge of an information security program, it is your responsibility to make sure the information above is readily available at your fingertips.

If you answered "Yes" to all questions above and were able to produce the documentation, you are performing some critical minimum requirements well, which is a strong indicator that the rest of your program is on track.

If you are a board member or CEO, print out this page and hand it to the person responsible for your information security program and see how long it takes them to gather the information. 


 -Matt Roedell

www.mattroedell.com