I’ve talked a lot in the past about targeting your spend to ensure that your money goes on protecting what is really important to you: ensuring that the protections you have paid for are in the right place, configured to protect what really needs protecting, maintained correctly and, of course, effective. So how do you do that? Do you just take a good guess at what is needed? Of course not, but it’s still a valid question. Did whoever built your network install a firewall? Did they set up an effective anti-malware regime, i.e. one that is constantly updated by a process that users can’t stop when it becomes inconvenient? That happens, believe me. Is all of this necessary? Almost certainly.
A lot of these questions can be answered relatively easily. To start with you need to:
- Determine the Data Assets (computers, mobiles, filing cabinets, whiteboards, servers, people etc., i.e. everywhere that data is held, whether hard copy, virtual copy or in someone’s head).
- Run through each Data Asset (or group of them) against the Controls and Procedures required by your security policies (if you haven’t got security policies, that’s a whole other discussion) to determine which should apply and how they are currently being applied. It’s very useful to use a standard such as ISO 27001 for this, even if you have no intention of applying for certification.
Now the difficult part: assessing the risks and deciding which controls would be adequate to remediate them. Done well, this places the right controls, procedural or technical, in the right places, and avoids wasting time, money and effort on controls that aren’t actually needed or are in the wrong place.
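As an added illustration of the inventory-and-scoring procedure above (example code written for this page, not part of the original post and not 27K1 ISMS): a minimal risk register in Python. It scores each asset/threat pair as likelihood × impact, gives credit only to controls that are both implemented and maintained (an anti-malware product that users can switch off counts as not maintained), and lists the pairs still at or above an assumed risk appetite together with the mapped controls that are missing or broken. The five-point scales, the appetite threshold of 9, the control names and the sample assets are all assumptions constructed for the example.

```python
"""Minimal risk register: score each asset/threat pair before and after controls.

Example code for this page (not 27K1 ISMS). Scales, threshold, control names
and sample assets are assumptions constructed for illustration.
"""
from dataclasses import dataclass, field

# Assumed five-point qualitative scales (1 = lowest, 5 = highest).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
# Assumed risk appetite: any residual score at or above this needs treatment.
TREAT_AT = 9


@dataclass
class Control:
    name: str
    threats: frozenset          # threats this control addresses
    reduces: str                # "likelihood" or "impact"
    steps: int                  # scale points removed when the control is effective
    implemented: bool = False
    maintained: bool = False    # kept current and not bypassable by users

    def effective(self) -> bool:
        # A control you cannot rely on (unpatched, user-disabled) gets no credit.
        return self.implemented and self.maintained


@dataclass
class Asset:
    name: str
    impact: str                 # worst-case impact word from IMPACT
    threats: dict               # threat -> likelihood word from LIKELIHOOD
    controls: list = field(default_factory=list)


def inherent_risk(asset: Asset, threat: str) -> int:
    """Score with no controls applied."""
    return LIKELIHOOD[asset.threats[threat]] * IMPACT[asset.impact]


def residual_risk(asset: Asset, threat: str) -> int:
    """Score after every effective control mapped to this threat has been applied."""
    lik, imp = LIKELIHOOD[asset.threats[threat]], IMPACT[asset.impact]
    for c in asset.controls:
        if threat in c.threats and c.effective():
            if c.reduces == "likelihood":
                lik -= c.steps
            else:
                imp -= c.steps
    return max(lik, 1) * max(imp, 1)


def gap_report(assets):
    """Pairs still at or above appetite, highest first, with the controls that
    are mapped to the threat but not effective. An empty fix list means every
    mapped control already works and an additional control is needed."""
    rows = []
    for a in assets:
        for t in a.threats:
            r = residual_risk(a, t)
            if r >= TREAT_AT:
                fixes = [c.name for c in a.controls if t in c.threats and not c.effective()]
                rows.append((a.name, t, r, fixes))
    return sorted(rows, key=lambda row: -row[2])


def sample_register():
    """Constructed sample assets and controls; not real data."""
    av = Control("Anti-malware, auto-updated, not user-stoppable",
                 frozenset({"malware"}), "likelihood", 2,
                 implemented=True, maintained=False)   # users can switch it off
    backup = Control("Offline backups with tested restore",
                     frozenset({"malware", "hardware failure"}), "impact", 2,
                     implemented=True, maintained=True)
    fde = Control("Full-disk encryption", frozenset({"theft"}), "impact", 3,
                  implemented=True, maintained=True)
    clean_desk = Control("Clean-desk / wipe-after-meeting procedure",
                         frozenset({"unauthorised viewing"}), "likelihood", 2)
    return [
        Asset("File server", "severe",
              {"malware": "likely", "hardware failure": "possible"}, [av, backup]),
        Asset("Staff laptop", "major", {"theft": "likely"}, [fde]),
        Asset("Meeting-room whiteboard", "moderate",
              {"unauthorised viewing": "possible"}, [clean_desk]),
    ]


if __name__ == "__main__":
    for name, threat, score, fixes in gap_report(sample_register()):
        action = "fix: " + "; ".join(fixes) if fixes else "add a control"
        print(f"{score:>3}  {name} / {threat}  ->  {action}")
```

Run as a script it lists the file server’s malware exposure first (the anti-malware control is installed but gets no credit because users can disable it), then the file server’s hardware-failure risk (backups work but residual risk is still at appetite, so a further control is needed) and the whiteboard (a procedural control that was never put in place). The laptop drops out because full-disk encryption is implemented and maintained. Replacing the constructed register with your own asset list gives a first, crude prioritisation of where spend should go.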
If you have a system to help you with this, then that really is the way to go. Here at H2 we have partnered with Secure Business Data to enable us to use, and where appropriate to sell, 27K1 ISMS, a risk assessment tool that is specifically targeted at SMEs and is therefore very competitively priced. It can come with an annual or a monthly fee, whichever you prefer. We have adopted this system for use with our Risk Assessment Service, which is carried out in three phases:
- Phase 1 – H2 conducts an assessment, using 27K1 ISMS, reviewing your existing information security, data protection protocols, technical security controls, and processes and procedures to determine their effectiveness and appropriateness.
- Phase 2 – Working to your timescale and budget, H2 implements the findings from the 27K1 ISMS risk assessment. This could range from simple changes to your processes all the way through to implementing technical solutions that provide effective protection from threats.
- Phase 3 – Education, ongoing security management, review and maintenance.