- Enumerate all of the attacks and breaches that your company might encounter.
- Enumerate all of the defenses you have put in place, right down to the last server, even those servers that some enterprising person out in the chem lab created to make their work easier…without telling IT.
- Look at every possible attack and ask: What defenses do we have in place that would prevent it? What is the probability that each of those defenses would actually prevent that threat?
- Assemble the list of identified weaknesses and identify what additional controls would be needed to fix those holes in your dike.
- What is the cost/benefit analysis of deploying each of those improvements?
- Which of those improvements will we be able – because of budget, C-Suite support, time, or FTEs – to deploy this year?
- Tell the C-Suite and Board exactly what Residual Risk your company is going to face in the coming year…quantitatively if you can…so that they can decide how much of it they are going to insure and how much they are going to retain (i.e. let it go unprotected).
A Vulnerability Assessment is straightforward: