4. STAKEHOLDERS
• Internal
• External
RISK ASSESSMENT

Assets | Probability (P) | Impact (I) | Inherent Risk = P x I | Compensating Controls | Residual Risk
Software | Medium | High | High | Patch Management; White Listing | Medium
Databases | Medium | High | High | Encryption | Medium
Hardware | Low | Medium | Medium | Blocking External Devices | Low
Network | Medium | Medium | Medium | Monitoring | Low
Human Factor | Medium | High | High | Training & Awareness; Reporting Structure; Anti-Retaliation Policy; Open-Door Policy | Medium
Access Control | Medium | High | High | Least User Privileges | Medium
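The table above scores each asset on a three-level ordinal scale, multiplies probability by impact to get inherent risk, and then credits compensating controls to arrive at residual risk. As an added worked example (not part of the slides), the following Python register reproduces that scoring so the ratings can be recomputed and the assets that still sit at Medium or above can be listed for explicit acceptance or further treatment. Two things are my assumptions rather than the slide's: the risk-matrix cells the slide never shows (e.g. Low x High), and the rule that any non-empty set of compensating controls reduces inherent risk by exactly one level, which is the only rule consistent with every row on the slide.

```python
"""Qualitative risk register in the style of the slide's table.

Added worked example; not part of the original slides. It encodes the
slide's P x I scoring on a three-level ordinal scale and derives
residual risk by crediting each asset's compensating controls.
Assumptions (mine, not the slide's): the matrix cells the slide never
shows, and a one-level reduction for any non-empty set of controls.
"""
from dataclasses import dataclass, field

LEVELS = ("Low", "Medium", "High")  # ordinal scale used by the slide

# Inherent risk = P x I as a 3x3 qualitative matrix keyed (probability, impact).
# Cells marked "assumed" do not appear on the slide.
RISK_MATRIX = {
    ("Low", "Low"): "Low",           # assumed
    ("Low", "Medium"): "Medium",     # slide: Hardware
    ("Low", "High"): "Medium",       # assumed
    ("Medium", "Low"): "Medium",     # assumed
    ("Medium", "Medium"): "Medium",  # slide: Network
    ("Medium", "High"): "High",      # slide: Software, Databases, Human Factor, Access Control
    ("High", "Low"): "Medium",       # assumed
    ("High", "Medium"): "High",      # assumed
    ("High", "High"): "High",        # assumed
}


@dataclass
class AssetRisk:
    asset: str
    probability: str
    impact: str
    controls: list[str] = field(default_factory=list)

    def inherent(self) -> str:
        """P x I via the qualitative matrix; rejects values off the scale."""
        if self.probability not in LEVELS or self.impact not in LEVELS:
            raise ValueError(f"{self.asset}: P and I must be one of {LEVELS}")
        return RISK_MATRIX[(self.probability, self.impact)]

    def residual(self) -> str:
        """Assumption: compensating controls earn one level of reduction,
        never below Low; with no controls, residual equals inherent."""
        idx = LEVELS.index(self.inherent())
        if self.controls:
            idx = max(0, idx - 1)
        return LEVELS[idx]


# The slide's register, transcribed from its table.
REGISTER = [
    AssetRisk("Software", "Medium", "High", ["Patch Management", "White Listing"]),
    AssetRisk("Databases", "Medium", "High", ["Encryption"]),
    AssetRisk("Hardware", "Low", "Medium", ["Blocking External Devices"]),
    AssetRisk("Network", "Medium", "Medium", ["Monitoring"]),
    AssetRisk("Human Factor", "Medium", "High",
              ["Training & Awareness", "Reporting Structure",
               "Anti-Retaliation Policy", "Open-Door Policy"]),
    AssetRisk("Access Control", "Medium", "High", ["Least User Privileges"]),
]


def build_register(rows):
    """Return (asset, inherent, residual) tuples, highest residual first.
    sorted() is stable, so ties keep the slide's row order."""
    scored = [(r.asset, r.inherent(), r.residual()) for r in rows]
    return sorted(scored, key=lambda t: LEVELS.index(t[2]), reverse=True)


def needs_treatment(rows, threshold="Medium"):
    """Assets whose residual risk is still at or above the threshold:
    the ones a risk owner must either accept explicitly or treat further."""
    cut = LEVELS.index(threshold)
    return [r.asset for r in rows if LEVELS.index(r.residual()) >= cut]


if __name__ == "__main__":
    for asset, inherent, residual in build_register(REGISTER):
        print(f"{asset:15} inherent={inherent:7} residual={residual}")
    print("still at or above Medium:", needs_treatment(REGISTER))
```

Running it reproduces the slide's residual column exactly: four assets stay at Medium after their controls, and only Hardware and Network drop to Low. The point of keeping the matrix and the control-credit rule explicit is that both are policy decisions a reviewer should be able to challenge; changing either one changes which assets land on the "needs treatment" list.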
6. • Background Checks/Ongoing Employee Screening
• Cyber Vetting
• Monitoring user activity
• Unauthorized use of personal devices
• Security Information and Event Management
• Policies on Confidential Reporting
• Anti-retaliation Policy
• Open-door Policy
7. Plan and Protect
• Create an Incident Response Team
Containing the Incident
• Isolate affected files or networks
• Backup files on servers and hard drives
• Remove access upon termination
Communication to Stakeholders
• Internal Stakeholders
• Business Operations
• Oversight
• Board of Directors
• External Stakeholders
• Law Enforcement
• Regulatory Agencies
8. Technical Aspect:
• Encryption
• New Intrusion Prevention Systems
• Anti-malware tools
Third Party Involvement:
• Legal and Insurance Assessments
• Notifications of Incidents to:
• S&E, FTC, FBI
Behavioral:
• Revamped Employee Training Modules
Press Involvement:
• Press Statements
• Maintains the integrity of the company
Looking Towards The Future!