Sunday, Oct 04, 2009
Ten Questions InfoSec Professionals Should be able to Answer

I'm going to be on the Compliance is Not the Same as Security! panel at CornerStones of Trust. In preparation for the panel, we had a conference call where we discussed the topics we would cover. Following that, we wanted to come up with some takeaways for the attendees, including a list of ten questions that an InfoSec professional should be able to answer about their employer. While the panel will come up with this list collaboratively, I wanted to share my submission and get the input of others. Here are my questions; I took a data-centric approach to designing them. Feel free to share your own:
1. What sensitive data does my organization collect/maintain/generate?
2. How does that information enter the organization?
3. Where is it stored (this may be a large number of places for a big organization) and how is it transmitted?
4. Who has permission to access this information?
5. What controls are in place to protect this information?
6. How does the data leave the organization?
7. How is the data protected when it is out of the organization's direct control?
8. What detective measures are in place to detect data loss?
9. What processes are in place to respond to an event?
10. What preventative measures are in place to address the risk to the data?