At Datotel we routinely conduct risk assessments on our own operations, as well as assisting our clients to complete risk assessments on their environments.
Our objective is generally to identify the risks in the environment, whether they relate to confidentiality, security, privacy, reliability or availability. From those findings, plans are then developed to address and mitigate each identified risk.
Whether you’re a financial institution, healthcare agency or a firm with no mandated regulations you should ensure you at least have some of the basic risks identified and covered.
The most basic risk we see is also one of the easiest to correct – the lack of clear policies and procedures. Here are a few starting points for developing your own policies.
Develop policies as they relate to your end users and what they can and cannot do in the environment. For example, is it permissible for employees to connect their own laptops, iPads and other devices to your corporate network? If so, what are the expectations of privacy and the levels of security you want to have in place?
What happens when an employee joins your company? Are the necessary checklists and processes in place to ensure the user has access to only the systems and data they need? What about when they leave? Are all of their credentials revoked, and on a timely basis? Is that tracked anywhere?
Another item we often see is numerous generic user accounts (administrative or otherwise) on the systems, often with passwords that haven’t been changed in a long while. This is a big security concern, and it poses a challenge should you ever need to track exactly who did what and when. User-specific credentials with passwords that meet a defined password policy are the way to go here.
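The two checks above (credentials of leavers revoked promptly, and generic accounts with stale passwords) are easy to automate once the account inventory and the HR leaver list are available. The following is an added example, not code from the original post or from Datotel: it audits a constructed account snapshot against an assumed 90-day maximum password age and a constructed leaver list, and reports the accounts that need attention. The data structures, field names and policy value are assumptions for illustration.

```python
from datetime import date

# Assumed policy value: passwords older than this are considered stale.
MAX_PASSWORD_AGE_DAYS = 90
# Fixed "today" so the example is reproducible offline.
TODAY = date(2024, 6, 1)

# Constructed sample account snapshot (not real data). "owner" is None for
# generic accounts that are not tied to a single person.
ACCOUNTS = [
    {"user": "jsmith", "owner": "J. Smith", "enabled": True,  "pw_changed": date(2024, 5, 15), "shared": False},
    {"user": "admin",  "owner": None,       "enabled": True,  "pw_changed": date(2021, 1, 10), "shared": True},
    {"user": "backup", "owner": None,       "enabled": True,  "pw_changed": date(2023, 11, 2), "shared": True},
    {"user": "mjones", "owner": "M. Jones", "enabled": True,  "pw_changed": date(2024, 1, 20), "shared": False},
    {"user": "rlee",   "owner": "R. Lee",   "enabled": False, "pw_changed": date(2023, 9, 1),  "shared": False},
]

# Constructed HR leaver list: person -> last working day.
LEAVERS = {"M. Jones": date(2024, 4, 30), "R. Lee": date(2023, 10, 15)}


def password_age_days(pw_changed, today=TODAY):
    """Whole days since the password was last changed."""
    return (today - pw_changed).days


def stale_passwords(accounts, today=TODAY, max_age=MAX_PASSWORD_AGE_DAYS):
    """Enabled accounts whose password is older than the policy allows.
    Disabled accounts are skipped: they cannot be used to log in."""
    return [a["user"] for a in accounts
            if a["enabled"] and password_age_days(a["pw_changed"], today) > max_age]


def generic_accounts(accounts):
    """Accounts that are shared or have no named owner, i.e. accounts whose
    activity cannot be attributed to one person."""
    return [a["user"] for a in accounts if a["shared"] or a["owner"] is None]


def unrevoked_leavers(accounts, leavers, today=TODAY):
    """Still-enabled accounts belonging to people who have already left,
    with the number of days the account has outlived their last day."""
    findings = []
    for a in accounts:
        last_day = leavers.get(a["owner"])
        if a["enabled"] and last_day is not None and last_day < today:
            findings.append((a["user"], (today - last_day).days))
    return findings


def audit(accounts=ACCOUNTS, leavers=LEAVERS, today=TODAY):
    """Run all three checks and return the findings as one report."""
    return {
        "stale_passwords": stale_passwords(accounts, today),
        "generic_accounts": generic_accounts(accounts),
        "unrevoked_leavers": unrevoked_leavers(accounts, leavers, today),
    }


if __name__ == "__main__":
    for check, hits in audit().items():
        print(f"{check}: {hits if hits else 'none'}")
```

Run on a regular schedule (and kept with the output as the "is that tracked anywhere?" record), this kind of report turns the leaver and generic-account questions into a repeatable control rather than a one-off review.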
Lastly, it is good practice to have a sound patch management process in place so that necessary security updates are applied to your environment on a regular basis.
No doubt there are many other processes and procedures you should have in place to help mitigate risk, many of which cost little to put in place other than some of your time. More often than not, the small amount of time required is a substantial investment in risk reduction and well worth it.