IS Policies & Risk Assessment

  • D'Agger, 16-06-2014 10:59am


    Hi all,

    I'm assuming this is the correct place for my query - if not then mods feel free to move!

    I'm currently being tasked with creating an IS policy for my company and as part of this I need to create a Risk Assessment guide.

    The IS policy & Acceptable usage policy were fine and I really enjoyed researching and creating them but what I'm finding with the risk assessment is that everything seems to be overkill, i.e. I was looking at NIST which seems to have multiple different documents for risk as opposed to one central document which is what I'm trying to create. I also think NIST has far too much detail for what I'm looking at.

    Either way, this is my first time looking into this subject so I'm wondering if anybody has experiences they could share on how best to setup/implement this or has any links/references that may prove useful.

    Also looking into this side of IT has me thinking that getting the Comptia Security + might not be a bad idea - if anybody has any other recommendations then I'd appreciate it.


Comments

  • Keyzer


    Can you provide some more information?

    For the company I work for, we conduct individual risk assessments on the company as a whole, the individual departments in the company and then for critical infrastructure i.e. the telephony system.

    They need to be extremely detailed. In conjunction with the risk assessments, we also carry out business impact analysis for the same.


  • D'Agger


    Keyzer wrote:
        Can you provide some more information?

        For the company I work for, we conduct individual risk assessments on the company as a whole, the individual departments in the company and then for critical infrastructure i.e. the telephony system.

        They need to be extremely detailed. In conjunction with the risk assessments, we also carry out business impact analysis for the same.

    I've created a template & guide for the company that could be applied to multiple departments based on research over the past few days and some existing documentation I came across.

    I think a generic template like this that can be applied across the board is for the best as opposed to attempting to go from having nothing in place to something far too detailed.

    The infrastructure needs to be assessed using the template I've created but in general I get the distinct feeling that the company I'm working for has zero interest in actually applying any of the documentation I'm creating - they just want to get certified to land a client so are happy to bullshit and not implement what's required - it's been a frustrating week.


  • Keyzer


    D'Agger wrote:
        I get the distinct feeling that the company I'm working for has zero interest in actually applying any of the documentation I'm creating - they just want to get certified to land a client so are happy to bullshit and not implement what's required - it's been a frustrating week.

    Welcome to the world of information security !!!

    In my opinion, most companies and senior level managers don't give a toss about info sec until one of two things happen:

    1. They fall victim to an attack/data breach.
    2. They are going to be audited/need to attain specific compliance.

    On point two, I've seen senior level managers literally go from yawn fest to this is number one priority when the word audit is mentioned.

    Shame really but the general stupidity witnessed on a daily basis is what keeps information security professionals in jobs, something which I don't see ever changing.


  • D'Agger


    Keyzer wrote:
        Welcome to the world of information security !!!

        In my opinion, most companies and senior level managers don't give a toss about info sec until one of two things happen:

        1. They fall victim to an attack/data breach.
        2. They are going to be audited/need to attain specific compliance.

        On point two, I've seen senior level managers literally go from yawn fest to this is number one priority when the word audit is mentioned.

        Shame really but the general stupidity witnessed on a daily basis is what keeps information security professionals in jobs, something which I don't see ever changing.

    Well I came across a company template that is quite decent but needs to be improved on so I'm still researching.

    On the off chance somebody comes across this thread later then I may as well add that this video has been fairly helpful.

    With regard to the policy only being relevant when looking to satisfy a client or an audit - what makes it annoying is that this seems to be for everything and anything, not just the risk assessment. There's a distinct lack of internal procedures, and any that are there aren't followed correctly, which is very frustrating, particularly when it comes to stuff like leavers & joiners.

    Also Keyzer - any advice on certs etc. with IS? I'm mainly a sysadmin but I've enjoyed doing the IS stuff so wouldn't mind getting something to say I'm capable when it comes to creating policies etc.


  • Keyzer


    Man, there are a ton of different certs you can do but, for me, experience is a key component when looking at candidates.

    That said, if you go by job postings out there at present, the following are hot:

    General
    1. CISSP
    2. CISM
    3. CISA

    Network Security
    1. CCNA
    2. CCSP

    Pen Testing
    1. CEH
    2. GIAC GPEN

    The GIAC certs are excellent but I don't see many of them listed in job postings. That said, any decent hiring manager in the information security field should know these.

    All depends on what area of information security you are interested in getting into career wise.


  • D'Agger


    CCNA is on the to-do list but I was thinking of doing the CompTIA Security+ before looking for that, and after that I should have an idea as to whether to go for CCSP or not.

    At the moment I don't really have a need for the CCNA but I'd like to get it. I did a prep course but wasn't ready to go on and do the exam - not even close! Now I'm in a better position so hoping to study for it soon.


  • Blowfish


    Just related to this, Coursera have a few free courses (this, this and this) coming up at the end of August. I haven't taken them previously myself, but they may be worth checking out for someone starting in the RM/policy end of InfoSec.


  • D'Agger


    Blowfish wrote:
        Just related to this, Coursera have a few free courses (this, this and this) coming up at the end of August. I haven't taken them previously myself, but they may be worth checking out for someone starting in the RM/policy end of InfoSec.

    Thanks for the links Blowfish - had only recently signed up to Coursera and have one or two on my watchlist.

    Have you undertaken any courses from the site? If so then how did you find them re: intensity & workload etc?


  • Blowfish


    D'Agger wrote:
        Have you undertaken any courses from the site? If so then how did you find them re: intensity & workload etc?

    I started the Crypto one, but never got to finish it, so I'm doing it again. They are designed fairly well in that it's up to you how much you want to put into it. If you do all the assignments and the exam for the 'Statement of Accomplishment', it'll take 5-10 hours a week.

    There's absolutely no commitment on your part to complete it though and the courses repeat regularly, so if you want you can just download the videos & assignments and toddle along at your own pace, then you could probably even submit the assignments in a later running of the course if you want them assessed.


  • D'Agger


    Blowfish wrote:
        I started the Crypto one, but never got to finish it, so I'm doing it again. They are designed fairly well in that it's up to you how much you want to put into it. If you do all the assignments and the exam for the 'Statement of Accomplishment', it'll take 5-10 hours a week.

        There's absolutely no commitment on your part to complete it though and the courses repeat regularly, so if you want you can just download the videos & assignments and toddle along at your own pace, then you could probably even submit the assignments in a later running of the course if you want them assessed.

    Lovely, sounds good.

    Would you fire them on the CV or maybe just mention them in interviews with regard to experience?


  • Blowfish


    D'Agger wrote:
        Lovely, sounds good.

        Would you fire them on the CV or maybe just mention them in interviews with regard to experience?

    I'm doing the Crypto one more because I find it interesting than for practical experience, so I don't think I'd have it on the CV, but if Crypto came up in an interview, I might mention it in passing all right.


  • Keyzer


    I would put these on a CV if you have fully completed the course and were awarded something...

    You can explain what they are in an interview setting.

    This, for me, would demonstrate the candidate is interested in the field, motivated and resourceful (enough to go and find mini courses on this stuff).

    It would be positive from my perspective to see these, but I would make you explain what they are.


  • fcerullo


    I heard the crypto one is superb quality.

    Regarding certs, the ones currently looked for in CVs by companies, and which I would recommend, are:

    CISSP, CISM: risk management, security specialist roles

    CISA: security audits

    CCNA: network security

    GIAC (highly technical): pentesting, etc.

