Bobkberg | Jun 26 2008 4:15PM GMT
Before you get too far, I’d ask management (assuming that they asked you to do this), what sorts of risks they are looking for. Here are some basic areas - each of those divides into many more.
1) Physical - Dust, dirt, lack of cooling, dirty electricity, safety of equipment and personnel
2) Unpatched (and therefore vulnerable) workstations and servers, event log checks for important problems - disk failure, time synch errors, file system integrity.
3) Poor security configurations (no controls on passwords, file sharing, wide-open firewall, etc.)
4) Poor security awareness on the part of staff - i.e. has everyone been trained on what’s good and bad?
5) State of cleanliness/infection from a virus and spyware point of view.
Also - check out the SANS reading room at www.sans.org. Lots of good material there too.
Bob
Paolaas | Aug 7 2008 2:47PM GMT
Try to classify the data you would like to assess. With your classification as a basis, you know which data is vital for your organisation, and needs to be well protected and which data is more or less public.
Classifications in ITIL terms are confidentiality, integrity and availability. Re your local legislation, confidentiality refers to any privacy legislation local or, if applicable, European Union acts. With integrity you ensure the completeness and timeliness of your data and availability has to do with the continuity of your data.
Let me know if there is anything I can help you with.