
B.1 Knowledge Elicitation Worksheets

Processes 1 to 3 elicit knowledge from senior managers, operational area managers, general staff members, and information technology staff members. Participants in processes 1 to 3 provide their perspectives on assets that are important to the success of the organization, the way in which important assets are threatened, and security requirements for important assets.

The worksheets used when you elicit the above information are identical for all participants; we provide only one set. During the last activity of processes 1 to 3, you elicit information about security practices currently used by the organization and the organizational vulnerabilities that are present in the organization. There is a different survey for each organizational level, and all of the surveys are included in this appendix. The final worksheet in processes 1 to 3 is for a follow-up discussion after participants complete their surveys and is the same for all participants. The following worksheets are provided in this section of Appendix B:

  • Asset Worksheet

  • Areas of Concern Worksheet

  • Security Requirements Worksheet

  • Practice Surveys

    - Senior management survey

    - Operational area management survey

    - General staff survey

    - IT staff survey

  • Protection Strategy Worksheet

You normally use these worksheets (except for the surveys) to prompt the participants and stimulate a discussion among them. However, you could ask them to complete the worksheets in advance and be prepared to discuss their answers. The workshop's scribe records the official results of each workshop. The scribe can record data on flip charts, copies of these worksheets, or in some other, more abbreviated, electronic form.

B.1.1 Asset Worksheet

Instructions
Processes 1 to 3 Activity: Identify Assets and Relative Priorities (Section 5.2)
Purpose: To identify assets that are important to participants (senior managers, operational area managers, general staff, or information technology staff)
Instructions
  1. Participants brainstorm a list of assets and then select those assets considered to be most important. Use the following questions to guide your discussions:

    • What are your important assets?

    • Are there any other assets that you are required to protect (e.g., by law or regulation)?

    • What related assets are important?

    • From the assets that you have identified, which are the most important? What is your rationale for selecting these assets as important?

  2. Hand out the Asset Worksheet to participants and discuss each question. Use the questions as prompts to guide the discussion.

  3. Record all assets identified during the workshop and note which ones were identified as most important by the participants.

Asset Worksheet
  1. What are your important assets?

    Consider the following:

    • Information

    • Systems

    • Software

    • Hardware

    • People

  2. Are there any other assets that you are required to protect (e.g., by law or regulation)?

  3. What related assets are important?

    Consider the following:

    • Information

    • Systems

    • Software

    • Hardware

    • People

  4. From the assets that you have identified, which are the most important? What is your rationale for selecting these assets as important?

B.1.2 Areas of Concern Worksheet

Instructions
Processes 1 to 3 Activity: Identify Areas of Concern (Section 5.3)
Purpose: To identify areas of concern for each important asset previously identified by the participants
Instructions
  1. Participants brainstorm scenarios that could threaten their most important assets. Use the following question to guide your discussions: What scenarios threaten your important assets?

  2. Hand out the Areas of Concern Worksheet to participants and ask them to use the sources and outcomes as prompts when considering scenarios that threaten important assets.

  3. Record all areas of concern identified during the workshop.

[Figure: Areas of Concern Worksheet]

B.1.3 Security Requirements Worksheet

Instructions
Processes 1 to 3 Activity: Identify Security Requirements for Most Important Assets (Section 5.4)
Purpose: To identify security requirements for each important asset previously identified by the participants
Instructions
  1. Participants brainstorm a list of security requirements for their important assets and then select which requirement is considered most important for each asset. Use the following questions to guide your discussions:

    • What are the important security requirements for each information asset?

    • What is the relative ranking of the security requirements for each information asset? Which security requirement is the most important?

  2. Hand out the Security Requirements Worksheet to participants and discuss each question. Use the questions as prompts to guide the discussion.

 
  3. Record security requirements identified for each important asset and note which requirement was identified as most important for each asset.

Security Requirements Worksheet
  1. What are the important security requirements for each information asset?

    Consider the following:

    • Confidentiality

    • Integrity

    • Availability

    • Other

  2. What is the relative ranking of the security requirements for each information asset? Which security requirement is the most important?

B.1.4 Practice Surveys

Instructions
Processes 1 to 3 Activity: Capture Knowledge of Current Protection Strategy Practices and Organizational Vulnerabilities (Section 5.5)
Purpose: To gather survey information about security practices currently used by the organization
Instructions
  1. Hand out surveys and ask participants to complete them. Note that there are four types of surveys, each one tailored for a particular group of personnel:

    • Senior Management Survey

    • Operational Area Management Survey

    • General Staff Survey

    • Information Technology Staff Survey

  2. Have participants answer each question to the best of their knowledge in terms of how the practice is used in their organization by giving the following instructions:

    • If the practice is always or nearly always used, circle "Yes."

    • If the practice is not used or not used very much, circle "No."

    • If you're not sure or don't really know, circle "Don't Know."

  3. After participants complete their surveys, hold a follow-up discussion about current security practices and organizational vulnerabilities. See Section B.1.5 of this appendix for more information about that discussion.

B.1.4.1 Senior Management Survey

Name (optional): _________________________________________________

Position: ________________________________________________________

Senior Management Survey
Practice Is this practice used by your organization?
Security Awareness and Training
Staff members understand their security roles and responsibilities. This is documented and verified. Yes No Don't know
There is adequate in-house expertise for all supported services, mechanisms, and technologies (e.g., logging, monitoring, or encryption), including their secure operation. This is documented and verified. Yes No Don't know
Security awareness, training, and periodic reminders are provided for all personnel. Staff understanding is documented and conformance is periodically verified. Yes No Don't know
Security Strategy
The organization's business strategies routinely incorporate security considerations. Yes No Don't know
Security strategies and policies take into consideration the organization's business strategies and goals. Yes No Don't know
Security strategies, goals, and objectives are documented and are routinely reviewed, updated, and communicated to the organization. Yes No Don't know
Security Management
Management allocates sufficient funds and resources to information security activities. Yes No Don't know
Security roles and responsibilities are defined for all staff in the organization. Yes No Don't know
The organization's hiring and termination practices for staff take information security issues into account. Yes No Don't know
The organization manages information security risks by assessing existing risks to information security and taking steps to mitigate information security risks. Yes No Don't know
Management receives and acts upon routine reports summarizing security-related information (e.g., audits, logs, risk and vulnerability assessments). Yes No Don't know
Security Policies and Regulations
The organization has a comprehensive set of documented, current policies that are periodically reviewed and updated. Yes No Don't know

There is a documented process for management of security policies:

  1. Creation

  2. Administration (including periodic reviews and updates)

  3. Communication

Yes No Don't know
The organization has a documented process for evaluating and ensuring compliance with information security policies, applicable laws and regulations, and insurance requirements. Yes No Don't know
The organization uniformly enforces its security policies. Yes No Don't know
Collaborative Security Management

The organization has policies and procedures for protecting information when working with external organizations (e.g., third parties, collaborators, subcontractors, or partners):

  1. Protecting information belonging to other organizations

  2. Understanding the security policies and procedures of external organizations

  3. Ending access to information by terminated external personnel

Yes No Don't know
The organization has verified that outsourced security services, mechanisms, and technologies meet its needs and requirements. Yes No Don't know
Contingency Planning/Disaster Recovery
An analysis of operations, applications, and data criticality has been performed. Yes No Don't know
The organization has documented, reviewed, and tested business continuity or emergency operation plans, disaster recovery plan(s), and contingency plan(s) for responding to emergencies. Yes No Don't know
The contingency, disaster recovery, and business continuity plans consider physical and electronic access requirements and controls. Yes No Don't know
All staff are aware of the contingency, disaster recovery, and business continuity plans and understand and are able to carry out their responsibilities. Yes No Don't know
Physical Security Plans and Procedures
Facility security plans and procedures for safeguarding the premises, buildings, and any restricted areas are documented and tested. Yes No Don't know
There are documented policies and procedures for managing visitors. Yes No Don't know
There are documented policies and procedures for physical control of hardware and software. Yes No Don't know
Physical Access Control
There are documented policies and procedures for controlling physical access to work areas and hardware (computers, communication devices, etc.) and software media. Yes No Don't know
Workstations and other components that allow access to sensitive information are physically safeguarded to prevent unauthorized access. Yes No Don't know
System and Network Management
There are documented and tested security plan(s) for safeguarding the systems and networks. Yes No Don't know
There is a documented and tested data backup plan for backups of both software and data. All staff understand their responsibilities under the backup plans. Yes No Don't know
Authentication and Authorization
There are documented policies and procedures to establish and terminate the right of access to information for both individuals and groups. Yes No Don't know
Incident Management
Documented procedures exist for identifying, reporting, and responding to suspected security incidents and violations. Yes No Don't know
Incident management procedures are periodically tested, verified, and updated. Yes No Don't know
There are documented policies and procedures for working with law enforcement agencies. Yes No Don't know
General Staff Practices

Staff members follow good security practice, for example:

  • Securing information for which they are responsible

  • Not divulging sensitive information to others (resistance to social engineering)

  • Ensuring they have adequate ability to use information technology hardware and software

  • Using good password practices

  • Understanding and following security policies and regulations

  • Recognizing and reporting incidents

Yes No Don't know
All staff at all levels of responsibility implement their assigned roles and responsibility for information security. Yes No Don't know
There are documented procedures for authorizing and overseeing all staff (including personnel from third-party organizations) who work with sensitive information or who work in locations where the information resides. Yes No Don't know

B.1.4.2 Operational Area Management Survey

Name (optional): _________________________________________________

Position: ________________________________________________________

Operational Area Management Survey
Practice Is this practice used by your organization?
Security Awareness and Training
Staff members understand their security roles and responsibilities. This is documented and verified. Yes No Don't know
There is adequate in-house expertise for all supported services, mechanisms, and technologies (e.g., logging, monitoring, or encryption), including their secure operation. This is documented and verified. Yes No Don't know
Security awareness, training, and periodic reminders are provided for all personnel. Staff understanding is documented and conformance is periodically verified. Yes No Don't know
Security Strategy
The organization's business strategies routinely incorporate security considerations. Yes No Don't know
Security strategies and policies take into consideration the organization's business strategies and goals. Yes No Don't know
Security strategies, goals, and objectives are documented and are routinely reviewed, updated, and communicated to the organization. Yes No Don't know
Security Management
Management allocates sufficient funds and resources to information security activities. Yes No Don't know
Security roles and responsibilities are defined for all staff in the organization. Yes No Don't know
The organization's hiring and termination practices for staff take information security issues into account. Yes No Don't know
The organization manages information security risks by assessing risks to information security and taking steps to mitigate information security risks. Yes No Don't know
Management receives and acts upon routine reports summarizing security-related information (e.g., audits, logs, risk and vulnerability assessments). Yes No Don't know
Security Policies and Regulations
The organization has a comprehensive set of documented, current policies that are periodically reviewed and updated. Yes No Don't know

There is a documented process for management of security policies:

  1. Creation

  2. Administration (including periodic reviews and updates)

  3. Communication

Yes No Don't know
The organization has a documented process for evaluating and ensuring compliance with information security policies, applicable laws and regulations, and insurance requirements. Yes No Don't know
The organization uniformly enforces its security policies. Yes No Don't know
Collaborative Security Management

The organization has policies and procedures for protecting information when working with external organizations (e.g., third parties, collaborators, subcontractors, or partners):

  1. Protecting information belonging to other organizations

  2. Understanding the security policies and procedures of external organizations

  3. Ending access to information by terminated external personnel

Yes No Don't know
The organization has verified that outsourced security services, mechanisms, and technologies meet its needs and requirements. Yes No Don't know
Contingency Planning/Disaster Recovery
An analysis of operations, applications, and data criticality has been performed. Yes No Don't know
The organization has documented, reviewed, and tested business continuity or emergency operation plans, disaster recovery plan(s), and contingency plan(s) for responding to emergencies. Yes No Don't know
The contingency, disaster recovery, and business continuity plans consider physical and electronic access requirements and controls. Yes No Don't know
All staff are aware of the contingency, disaster recovery, and business continuity plans and understand and are able to carry out their responsibilities. Yes No Don't know
Physical Security Plans and Procedures
Facility security plans and procedures for safeguarding the premises, buildings, and any restricted areas are documented and tested. Yes No Don't know
There are documented policies and procedures for managing visitors. Yes No Don't know
There are documented policies and procedures for physical control of hardware and software. Yes No Don't know
Physical Access Control
There are documented policies and procedures for controlling physical access to work areas and hardware (computers, communication devices, etc.) and software media. Yes No Don't know
Workstations and other components that allow access to sensitive information are physically safeguarded to prevent unauthorized access. Yes No Don't know
Monitoring and Auditing Physical Security
Audit and monitoring records are routinely examined for anomalies, and corrective action is taken as needed. Yes No Don't know
System and Network Management
There are documented and tested security plan(s) for safeguarding the systems and networks. Yes No Don't know
There is a documented and tested data backup plan for backups of both software and data. All staff understand their responsibilities under the backup plans. Yes No Don't know
Authentication and Authorization
There are documented policies and procedures to establish and terminate the right of access to information for both individuals and groups. Yes No Don't know
Incident Management
Documented procedures exist for identifying, reporting, and responding to suspected security incidents and violations. Yes No Don't know
Incident management procedures are periodically tested, verified, and updated. Yes No Don't know
There are documented policies and procedures for working with law enforcement agencies. Yes No Don't know
General Staff Practices

Staff members follow good security practice, for example:

  • Securing information for which they are responsible

  • Not divulging sensitive information to others (resistance to social engineering)

  • Ensuring they have adequate ability to use information technology hardware and software

  • Using good password practices

  • Understanding and following security policies and regulations

  • Recognizing and reporting incidents

Yes No Don't know
All staff at all levels of responsibility implement their assigned roles and responsibility for information security. Yes No Don't know
There are documented procedures for authorizing and overseeing all staff (including personnel from third-party organizations) who work with sensitive information or who work in locations where the information resides. Yes No Don't know

B.1.4.3 General Staff Survey

Name (optional): _________________________________________________

Position: ________________________________________________________

Staff Survey
Practice Is this practice used by your organization?
Security Awareness and Training
Staff members understand their security roles and responsibilities. This is documented and verified. Yes No Don't know
There is adequate in-house expertise for all supported services, mechanisms, and technologies (e.g., logging, monitoring, or encryption), including their secure operation. This is documented and verified. Yes No Don't know
Security awareness, training, and periodic reminders are provided for all personnel. Staff understanding is documented and conformance is periodically verified. Yes No Don't know
Security Management
Management allocates sufficient funds and resources to information security activities. Yes No Don't know
Security roles and responsibilities are defined for all staff in the organization. Yes No Don't know
The organization's hiring and termination practices for staff take information security issues into account. Yes No Don't know
The organization manages information security risks by assessing risks to information security and taking steps to mitigate information security risks. Yes No Don't know
Security Policies and Regulations
The organization has a comprehensive set of documented, current policies that are periodically reviewed and updated. Yes No Don't know

There is a documented process for management of security policies:

  1. Creation

  2. Administration (including periodic reviews and updates)

  3. Communication

Yes No Don't know
The organization uniformly enforces its security policies. Yes No Don't know
Collaborative Security Management

The organization has policies and procedures for protecting information when working with external organizations (e.g., third parties, collaborators, subcontractors, or partners):

  1. Protecting information belonging to other organizations

  2. Understanding the security policies and procedures of external organizations

  3. Ending access to information by terminated external personnel

Yes No Don't know
Contingency Planning/Disaster Recovery
All staff are aware of the contingency, disaster recovery, and business continuity plans and understand and are able to carry out their responsibilities. Yes No Don't know
Physical Security Plans and Procedures
Facility security plans and procedures for safeguarding the premises, buildings, and any restricted areas are documented and tested. Yes No Don't know
There are documented policies and procedures for managing visitors. Yes No Don't know
There are documented policies and procedures for physical control of hardware and software. Yes No Don't know
Physical Access Control
There are documented policies and procedures for controlling physical access to work areas and hardware (computers, communication devices, etc.) and software media. Yes No Don't know
Workstations and other components that allow access to sensitive information are physically safeguarded to prevent unauthorized access. Yes No Don't know
System and Network Management
There is a documented and tested data backup plan for backups of both software and data. All staff understand their responsibilities under the backup plans. Yes No Don't know
Incident Management
Documented procedures exist for identifying, reporting, and responding to suspected security incidents and violations. Yes No Don't know
Incident management procedures are periodically tested, verified, and updated. Yes No Don't know
There are documented policies and procedures for working with law enforcement agencies. Yes No Don't know
General Staff Practices

Staff members follow good security practice, for example:

  • Securing information for which they are responsible

  • Not divulging sensitive information to others (resistance to social engineering)

  • Ensuring they have adequate ability to use information technology hardware and software

  • Using good password practices

  • Understanding and following security policies and regulations

  • Recognizing and reporting incidents

Yes No Don't know
All staff at all levels of responsibility implement their assigned roles and responsibility for information security. Yes No Don't know
There are documented procedures for authorizing and overseeing all staff (including personnel from third-party organizations) who work with sensitive information or who work in locations where the information resides. Yes No Don't know

B.1.4.4 IT Staff Survey

Name (optional): _________________________________________________

Position: ________________________________________________________

IT Staff Survey
Practice Is this practice used by your organization?
Security Awareness and Training
Staff members understand their security roles and responsibilities. This is documented and verified. Yes No Don't know
There is adequate in-house expertise for all supported services, mechanisms, and technologies (e.g., logging, monitoring, or encryption), including their secure operation. This is documented and verified. Yes No Don't know
Security awareness, training, and periodic reminders are provided for all personnel. Staff understanding is documented and conformance is periodically verified. Yes No Don't know
Security Strategy
The organization's business strategies routinely incorporate security considerations. Yes No Don't know
Security strategies and policies take into consideration the organization's business strategies and goals. Yes No Don't know
Security strategies, goals, and objectives are documented and are routinely reviewed, updated, and communicated to the organization. Yes No Don't know
Security Management
Management allocates sufficient funds and resources to information security activities. Yes No Don't know
Security roles and responsibilities are defined for all staff in the organization. Yes No Don't know
The organization's hiring and termination practices for staff take information security issues into account. Yes No Don't know
The organization manages information security risks by assessing risks to information security and taking steps to mitigate information security risks. Yes No Don't know
Management receives and acts upon routine reports summarizing security-related information (e.g., audits, logs, risk and vulnerability assessments). Yes No Don't know
Security Policies and Regulations
The organization has a comprehensive set of documented, current policies that are periodically reviewed and updated. Yes No Don't know

There is a documented process for management of security policies:

  1. Creation

  2. Administration (including periodic reviews and updates)

  3. Communication

Yes No Don't know
The organization has a documented process for evaluating and ensuring compliance with information security policies, applicable laws and regulations, and insurance requirements. Yes No Don't know
The organization uniformly enforces its security policies. Yes No Don't know
Collaborative Security Management

The organization has policies and procedures for protecting information when working with external organizations (e.g., third parties, collaborators, subcontractors, or partners):

  1. Protecting information belonging to other organizations

  2. Understanding the security policies and procedures of external organizations

  3. Ending access to information by terminated external personnel

Yes No Don't know
The organization has verified that outsourced security services, mechanisms, and technologies meet its needs and requirements. Yes No Don't know
Contingency Planning/Disaster Recovery
An analysis of operations, applications, and data criticality has been performed. Yes No Don't know
The organization has documented, reviewed, and tested business continuity or emergency operation plans, disaster recovery plan(s), and contingency plan(s) for responding to emergencies. Yes No Don't know
The contingency, disaster recovery, and business continuity plans consider physical and electronic access requirements and controls. Yes No Don't know
All staff are aware of the contingency, disaster recovery, and business continuity plans and understand and are able to carry out their responsibilities. Yes No Don't know
Physical Security Plans and Procedures
Facility security plans and procedures for safeguarding the premises, buildings, and any restricted areas are documented and tested. Yes No Don't know
There are documented policies and procedures for managing visitors. Yes No Don't know
There are documented policies and procedures for physical control of hardware and software. Yes No Don't know
Physical Access Control
There are documented policies and procedures for controlling physical access to work areas and hardware (computers, communication devices, etc.) and software media. Yes No Don't know
Workstations and other components that allow access to sensitive information are physically safeguarded to prevent unauthorized access. Yes No Don't know
Monitoring and Auditing Physical Security
Maintenance records are kept to document the repairs and modifications of a facility's physical components. Yes No Don't know
An individual's or group's actions with respect to all physically controlled media can be accounted for. Yes No Don't know
Audit and monitoring records are routinely examined for anomalies, and corrective action is taken as needed. Yes No Don't know
System and Network Management
There are documented and tested security plan(s) for safeguarding the systems and networks. Yes No Don't know
Sensitive information is protected by secure storage (e.g., backups stored off-site, discard process for sensitive information). Yes No Don't know
The integrity of installed software is regularly verified. Yes No Don't know
All systems are up to date with respect to revisions, patches, and recommendations in security advisories. Yes No Don't know
There is a documented and tested data backup plan for backups of both software and data. All staff understand their responsibilities under the backup plans. Yes No Don't know
Changes to IT hardware and software are planned, controlled, and documented. Yes No Don't know

IT staff members follow procedures when issuing, changing, and terminating users' passwords, accounts, and privileges:

  • Unique user identification is required for all information system users, including third-party users.

  • Default accounts and default passwords have been removed from systems.

Yes No Don't know
Only necessary services are running on systems; all unnecessary services have been removed. Yes No Don't know
System Administration Tools
Tools and mechanisms for secure system and network administration are used, and they are routinely reviewed and updated or replaced. Yes No Don't know
Monitoring and Auditing IT Security
System and network monitoring and auditing tools are routinely used by the organization. Unusual activity is dealt with according to the appropriate policy or procedure. Yes No Don't know
Firewall and other security components are periodically audited for compliance with policy. Yes No Don't know
Authentication and Authorization
Appropriate access controls and user authentication (e.g., file permissions, network configuration) consistent with policy are used to restrict user access to information, sensitive systems, specific applications and services, and network connections. Yes No Don't know
There are documented policies and procedures to establish and terminate the right of access to information for both individuals and groups. Yes No Don't know
Methods or mechanisms are provided to ensure that sensitive information has not been accessed, altered, or destroyed in an unauthorized manner. Methods or mechanisms are periodically reviewed and verified. Yes No Don't know
Vulnerability Management

There is a documented set of procedures for managing vulnerabilities:

  • Selecting vulnerability evaluation tools, checklists, and scripts

  • Keeping up to date with known vulnerability types and attack methods

  • Reviewing sources of information on vulnerability announcements, security alerts, and notices

  • Identifying infrastructure components to be evaluated

  • Scheduling of vulnerability evaluations

  • Interpreting and responding to the results

  • Maintaining secure storage and disposition of vulnerability data

Yes No Don't know
Vulnerability management procedures are followed and are periodically reviewed and updated. Yes No Don't know
Technology vulnerability assessments are performed on a periodic basis, and vulnerabilities are addressed when they are identified. Yes No Don't know
Encryption
Appropriate security controls are used to protect sensitive information while in storage and during transmission (e.g., data encryption, public key infrastructure, virtual private network technology). Yes No Don't know
Encrypted protocols are used for remote management of systems, routers, and firewalls. Yes No Don't know
Security Architecture and Design

System architecture and design for new and revised systems include considerations for

  • Security strategies, policies, and procedures

  • History of security compromises

  • Results of security risk assessments

Yes No Don't know
The organization has up-to-date diagrams that show the enterprisewide security architecture and network topology. Yes No Don't know
Incident Management
Documented procedures exist for identifying, reporting, and responding to suspected security incidents and violations. Yes No Don't know
Incident management procedures are periodically tested, verified, and updated. Yes No Don't know
There are documented policies and procedures for working with law enforcement agencies. Yes No Don't know
General Staff Practices

Staff members follow good security practice, for example:

  • Securing information for which they are responsible

  • Not divulging sensitive information to others (resistance to social engineering)

  • Ensuring they have adequate ability to use information technology hardware and software

  • Using good password practices

  • Understanding and following security policies and regulations

  • Recognizing and reporting incidents

Yes No Don't know
All staff at all levels of responsibility implement their assigned roles and responsibility for information security. Yes No Don't know
There are documented procedures for authorizing and overseeing all staff (including personnel from third-party organizations) who work with sensitive information or who work in locations where the information resides. Yes No Don't know

B.1.5 Protection Strategy Worksheet

Instructions
Processes 1 to 3 Activity: Capture Knowledge of Current Security Practices and Organizational Vulnerabilities (Section 5.5)
Purpose: To build on the survey information by identifying specific security practices used by the organization and organizational vulnerabilities present in the organization
Instructions
  1. Participants brainstorm a list of security practices and organizational vulnerabilities. Use the following questions to guide your discussions:

    • Which issues from the survey would you like to discuss in more detail?

    • What important issues did the survey not cover?

    • Are there specific security policies, procedures, and practices unique to certain assets? What are they?

    • Do you think that your organization's protection strategy is effective? How do you know?

 
  2. Hand out the Protection Strategy Worksheet to participants and discuss each question. Use the questions as prompts to guide the discussion.

 
  3. Record comments from the participants. Designate items that are security practices with a "+" and items that are organizational vulnerabilities with a "-".

Protection Strategy Worksheet
  1. Which issues from the survey would you like to discuss in more detail?

  2. What important issues did the survey not cover?

  3. Are there specific security policies, procedures, and practices unique to certain assets? What are they?

  4. Do you think that your organization's protection strategy is effective? How do you know?
