AdnanAli R1

Upload: yasir-r-khan

Post on 16-Dec-2015

Adnan Ali, HW R1, IS 433

The checklist that I believe would be the best one to evaluate Globex Corporation is the Risk Assessment Checklist from the West Virginia Department of Health & Human Resources (http://www.wvdhhr.org/han/security/riskchecklist.pdf). The criteria I used for comparison were based on the overall structure of the checklists. A very important part of an effective checklist is how it is outlined and how readable it is, so that the reader can understand it easily. The best checklists are those that are broken down by each element of an organization that has vulnerabilities.

The strengths of the selected checklist:

- Simple, yet detailed listing of all the major aspects of the organization that are vulnerable to security risks.
- Well structured.
- The checklist is in the form of a questionnaire, which is a more effective way to assess risk than an audit-observation format.
- Includes the all-important Business Continuity checklist for use in the event of a breach.

Disadvantage 1: Checklist Options

The current setup asks the questions and offers yes/no/in progress options, which are fine. However, this is not some general survey seeking anonymous opinions. An effective risk assessment checklist must have space for the user to specifically indicate why something is not in place when the selected answer is no. Although not required for every question, an example where it would be needed is the very first question, which asks: "Does an Information security policy exist, which is approved by the management, published and communicated as appropriate to all employees?" If the answer to this question is no, there should be a probing question asking the user to detail the reason why a policy doesn't exist.

Disadvantage 2: The Little Details

While the assessment does a good job of going through all the elements, it leaves out little details here and there compared to the other checklists. An example of an omission is under Physical & Environmental Security > Equipment Security. The checklist doesn't specify any of the equipment in question, which may create confusion for the user in determining to what degree each piece of equipment should be protected.