- Why Evaluate Your Program
  - Part of annual policy review
  - If you don't evaluate you will never improve
  - Continual review will help protect your budget
- Start At The Outside and Move Your Way In
  - Awareness and Education is how most people in your org know the program
  - Threat Mapping maps the outside threats to your inside controls & tech
  - Communications is that final turn from the inside out
- What is "Threat Mapping"?
  - How is this different from threat modeling?
    - Threat modeling is listing what could happen to you.
    - Threat mapping is mapping the holes in your program.
- How To Get Started
  - Must have an asset management program
    - You can't protect what you don't know about
    - This isn't "I have a CMDB". It's actually taking actions based on what you know about what you have
  - Understand what your "real" threats are
    - Map assets to known threats
    - How do you know this?
      - industry
      - entry points
      - technology
      - Online threat maps
  - What controls do you currently have in place to mitigate or reduce the risk?
  - Scope and prioritize - break down into areas to tackle
    - Apps
    - Infrastructure
    - 3rd parties
    - etc.
- How To Measure
  - Scorecard (KRI)
    - What is important and helpful
  - Risk Registry
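As an added illustration of the steps above (map assets to known threats, check which controls are in place, then score per area), here is a small Python model; it is example code written for this page, not material from the talk. Every asset, threat and control name in it is a constructed sample value, and the tag-overlap rule for "relevant" and the likelihood x impact score are assumptions chosen for the demo.

```python
from dataclasses import dataclass

@dataclass
class Asset:
    name: str
    area: str             # scoping bucket: Apps, Infrastructure, 3rd parties
    tags: frozenset       # technology and entry-point tags from the inventory
    controls: frozenset   # controls actually deployed on this asset

@dataclass
class Threat:
    name: str
    applies_to: frozenset  # asset tags that make the threat relevant
    likelihood: int        # 1-5
    impact: int            # 1-5
    mitigations: frozenset # controls that would reduce this threat

def threat_map(assets, threats):
    """List the holes: relevant threats with no deployed mitigation, highest score first."""
    holes = []
    for a in assets:
        for t in threats:
            if (t.applies_to & a.tags) and not (t.mitigations & a.controls):
                holes.append((a.name, t.name, t.likelihood * t.impact))
    return sorted(holes, key=lambda h: -h[2])

def scorecard(assets, threats):
    """KRI per area: (covered pairs, relevant pairs), ready for a scorecard ratio."""
    card = {}
    for a in assets:
        covered, total = card.get(a.area, (0, 0))
        for t in threats:
            if t.applies_to & a.tags:
                total += 1
                covered += bool(t.mitigations & a.controls)
        card[a.area] = (covered, total)
    return card

# Constructed sample inventory and threat list (illustrative, not real data)
ASSETS = [
    Asset("customer-portal", "Apps", frozenset({"web", "internet"}), frozenset({"waf"})),
    Asset("payroll-saas", "3rd parties", frozenset({"saas", "internet"}), frozenset()),
    Asset("db-server", "Infrastructure", frozenset({"linux", "internal"}), frozenset({"patching", "edr"})),
]
THREATS = [
    Threat("web app injection", frozenset({"web"}), 4, 4, frozenset({"waf", "sast"})),
    Threat("credential stuffing", frozenset({"internet"}), 5, 3, frozenset({"mfa"})),
    Threat("ransomware", frozenset({"linux", "windows"}), 4, 5, frozenset({"edr", "backups"})),
    Threat("vendor breach", frozenset({"saas"}), 3, 4, frozenset({"vendor-assessment"})),
]
```

Calling `threat_map(ASSETS, THREATS)` returns the uncovered asset/threat pairs ordered by score, and `scorecard(ASSETS, THREATS)` gives the covered/relevant counts per area that feed the KRI.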
- How To Improve/Modify
  - Use your risk registry or GRC tool to track progress and keep management updated. You need them on board to improve.
  - Once you have some areas mapped don't ignore them
  - Implement solid change control and change management processes
  - Keep risk scores updated so you aren't focusing on unimportant things