As i've stated recently I am
currently in a class called current trends in cyber security. The quarter
is over and each of us have worked through a process model. The point
here is to:
1. Describe a threat matrix for a
company.
2. Make recommendations on fixing
those threats.
3. Present that information to
management.
4. Make sure everyone understands
the concepts.
That all seems simple enough, but
let me give a brief run down of how it all works. After all what good is
cyber security if we can't take something perfectly simple and make it
complicated!
I started by thinking through
these issues.
1. Where does the analysis fit in the company goals?
2. What hardware and software assets are present?
3. What sources of information can be used to asses threats at H&M.
4. Create an ongoing information gathering process?
5. Gather Analyze and store threat information.
6. Document systems information.
7. Gather Existing H&M Policies
8. Evaluate currently existing threats, and make recommendations.
9. Evaluate impact of controls and reduce threat to acceptable levels.
10. Review and improve the system.
Next, I broke the threats present
into categories It was important to note that this was a high
level assessment. Since this process is ongoing the first time
you do it you should only show major issues.
Once this is completed I had to
put the issues into families. I chose people, policy, and technology
threats. This seemed logical since most issues can be carved up this way.
Lastly we come up with controls
and how to implement them.
This is a high level overview of
what I did for class. The lessons learned here will apply daily as I
consider threats and issues in the Cybersecurity space.