Once you have your executives on board (see the previous post), the next step is to define the scope of your program and build your inventory of assets.
Your scope will encompass the entire company at some level, but you may have one scope for internal resources, a scope for customer resources, another scope for third-party resources, and other scoped projects as well. Scope may be defined in terms of technology or business, application or process, people or buildings. Your executive sponsor can help define the scope of each program; the cybersecurity professional must help the executive sponsor understand the depth and breadth of the scope requirements.
Inventories may be tracked in simple Excel spreadsheets maintained by accounting, or in sophisticated asset-management software applications that include automated discovery and tracking mechanisms. Regardless of whether the starting inventory covers only hard assets (a desk or a desktop) or soft assets (operating systems or data), this inventory is a fundamental requirement for your cybersecurity program. Without it you don’t know what needs to be protected.
In your inventory, you need to include a careful accounting of all people, processes, technology and data. Use business processes to ease the tracking of assets. A lifecycle view of the beginning, middle and end of each asset class helps you understand where and how data is collected, what it is stored on and backed up to, who has access to it and when.
For example: your human resources department holds a tremendous amount of data in the asset class—your people. The HR team is involved in the processes of recruiting, hiring, and on-boarding; in actions during employment, such as performance reviews and transfers of employees to different roles and responsibilities; and in end-of-employment actions involved in terminations. Walking through process-based lifecycles is a method to acquire information on all data collected, what software or human method is used to collect the data, and where the data is stored. Be prepared to ask more than HR for this information, as they will most likely not know which disk their software and data are stored on.
There are many process flows that need to be mapped through your systems. In basic interviews with personnel in each department you may uncover hidden gems. Talk to your finance department about the possibility of credit cards being accepted, talk to sales about customers that potentially send data directly to them, talk to marketing about the underlying pages that make up the company website. These processes are, or should be, documented in policy and procedure; don’t forget to include all of them in your inventory.
Learn more with the new brief, The Common Sense Approach to Cybersecurity.