Episode 95: Episode 203 - Evaluating Your Security Program: Threat Mapping



Show Notes

  1. Why Evaluate Your Program
    1. It is part of the annual policy review
    2. If you don't evaluate, you will never improve
    3. Continual review helps protect your budget: you can show what the spend is buying
    4. The parts of the program being evaluated
      1. Awareness and Education is how most people in your org know the program exists
      2. Threat Mapping maps the outside threats to your inside controls and technology
      3. Communications is the final turn, from the inside back out
  2. Start At The Outside and Move Your Way In
    1. How is this different from threat modeling?
    2. Threat modeling lists what could happen to you: the threats and how they would play out
    3. Threat mapping lines those threats up against your assets and controls to find the holes in your program
  3. What is "Threat Mapping"?
    1. You must have an asset management program first
      1. You can't protect what you don't know about
      2. This isn't "I have a CMDB"; it is taking action based on what you know about what you have
      3. Map assets to known threats, drawn from
        1. your industry
        2. your entry points
        3. the technology you run
        4. online threat maps
      4. What are you doing to know this? (inventory, scanning, vendor and industry feeds)
      5. What controls do you currently have in place to mitigate or reduce the risk, and where are they actually deployed?
    2. Understand what your "real" threats are, by area
      1. Apps
      2. Infrastructure
      3. 3rd parties
      4. etc.
    3. Scope and prioritize: break the map down into areas you can tackle one at a time
  4. How To Get Started
    1. Scorecard (KRIs)
      1. Pick the indicators that are important and helpful to the people who read them, not everything you can count
    2. Risk Registry: one row per asset/threat pair, with the controls that cover it and its current score
  5. How To Measure
    1. Use your risk registry or GRC tool to track progress and keep management updated. You need them on board to improve.
    2. Once you have some areas mapped, don't ignore them; revisit them on every review
    3. Implement solid change control and change management processes, so the map stays accurate as assets and controls change
    4. Keep risk scores updated so you aren't focusing on unimportant things
  6. How To Improve/Modify
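As an added worked example (not from the episode or its hosts), here is the map-score-report loop from sections 3 to 5 as a small Python script: assets are matched outside-in against known threats by technology and entry point, deployed controls lower the score, unmitigated pairs are reported as the holes, and a KRI scorecard is produced for the risk registry. All asset, threat and control names are constructed sample data, and the matching rule and scoring formula (likelihood times criticality, with each deployed control subtracting from likelihood) are assumptions chosen for illustration, not a standard.

```python
"""Threat mapping as a small risk register: assets x known threats, minus deployed controls.

Added example; all asset, threat and control names and the scoring rules are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    technology: str           # e.g. "web-app", "saas", "vpn"
    entry_points: frozenset   # how the outside reaches it: "internet", "sso", ...
    criticality: int          # 1..5 business impact if compromised


@dataclass(frozen=True)
class Threat:
    name: str
    targets_tech: frozenset       # technologies it applies to; empty = any
    via_entry_points: frozenset   # entry points it uses; empty = any
    likelihood: int               # 1..5, taken from industry / online threat data


@dataclass(frozen=True)
class Control:
    name: str
    mitigates: frozenset       # threat names it reduces
    covers_assets: frozenset   # assets where it is actually deployed, not just on paper
    reduction: int             # likelihood points it removes where deployed


def threat_applies(asset, threat):
    """Outside-in match: the threat hits this technology and can reach one of its entry points."""
    tech_ok = not threat.targets_tech or asset.technology in threat.targets_tech
    entry_ok = not threat.via_entry_points or bool(asset.entry_points & threat.via_entry_points)
    return tech_ok and entry_ok


def residual_risk(asset, threat, controls):
    """Inherent = likelihood x criticality; each control deployed on the asset lowers likelihood (floor 1)."""
    applied = [c for c in controls if threat.name in c.mitigates and asset.name in c.covers_assets]
    likelihood = max(1, threat.likelihood - sum(c.reduction for c in applied))
    return likelihood * asset.criticality, [c.name for c in applied]


def build_register(assets, threats, controls):
    """Risk register rows, highest residual risk first; rows with no control are the holes."""
    rows = []
    for a in assets:
        for t in threats:
            if not threat_applies(a, t):
                continue
            residual, applied = residual_risk(a, t, controls)
            rows.append({"asset": a.name, "threat": t.name,
                         "inherent": t.likelihood * a.criticality,
                         "residual": residual, "controls": applied,
                         "gap": not applied})
    rows.sort(key=lambda r: (-r["residual"], r["asset"], r["threat"]))
    return rows


def scorecard(rows):
    """Key risk indicators to report to management between reviews."""
    gaps = sum(1 for r in rows if r["gap"])
    return {"mapped_pairs": len(rows),
            "unmitigated": gaps,
            "coverage_pct": round(100 * (len(rows) - gaps) / len(rows)) if rows else 100,
            "top_residual": rows[0]["residual"] if rows else 0,
            "residual_total": sum(r["residual"] for r in rows)}


def deploy(controls, control_name, asset_name):
    """Record that a control now really covers an asset, so the scores are re-run rather than left stale."""
    return [Control(c.name, c.mitigates, c.covers_assets | {asset_name}, c.reduction)
            if c.name == control_name else c for c in controls]


# Constructed sample inventory, threat list and control set.
ASSETS = [
    Asset("customer-portal", "web-app", frozenset({"internet"}), 5),
    Asset("hr-saas", "saas", frozenset({"internet", "sso"}), 3),
    Asset("site-vpn", "vpn", frozenset({"internet"}), 4),
]
THREATS = [
    Threat("credential-stuffing", frozenset({"web-app", "saas"}), frozenset({"internet"}), 4),
    Threat("vpn-exploitation", frozenset({"vpn"}), frozenset(), 5),
    Threat("phishing-to-sso", frozenset(), frozenset({"sso"}), 4),
]
CONTROLS = [
    Control("mfa", frozenset({"credential-stuffing", "phishing-to-sso"}),
            frozenset({"customer-portal", "hr-saas"}), 2),
    # Exists in the policy binder but is deployed on no asset: the "I have a CMDB" trap.
    Control("vpn-patching-sla", frozenset({"vpn-exploitation"}), frozenset(), 3),
]

if __name__ == "__main__":
    register = build_register(ASSETS, THREATS, CONTROLS)
    for row in register:
        print(f'{row["residual"]:>3}  {row["asset"]:<16} {row["threat"]:<20} '
              f'{"GAP" if row["gap"] else ", ".join(row["controls"])}')
    print(scorecard(register))
    # Re-score after the patching SLA is actually rolled out to the VPN.
    print(scorecard(build_register(ASSETS, THREATS, deploy(CONTROLS, "vpn-patching-sla", "site-vpn"))))
```

With the constructed data the top of the register is the VPN with residual 20 and no control, because the patching SLA only exists on paper; the MFA-covered portal scores 10 despite the same inherent risk. Running `deploy` and re-building the register is the "keep risk scores updated" step: the scorecard's unmitigated count drops to 0 and the residual total falls from 42 to 30, which is the kind of before/after a manager can be shown from the risk registry.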
