Why Evaluate Your Program
Part of annual policy review
If you don’t evaluate you will never improve
Continual review will help protect your budget
Start At The Outside and Move Your Way In
Awareness and education is how most people in your org know about the program
Threat Mapping maps the outside threats to your inside controls & tech
Communications is that final turn from the inside out
What is “Threat Mapping”?
How is this different from threat modeling?
Threat modeling is listing what could happen to you.
Threat mapping is mapping the holes in your program.
How To Get Started
Must have an asset management program
You can’t protect what you don’t know about
This isn’t “I have a CMDB”. It’s actually taking action based on what you know about what you have.
Understand what your “real” threats are
Map assets to known threats
What are you doing to know this?
industry
entry points
technology
Online threat maps
What controls do you currently have in place to mitigate or reduce the risk?
Scope and prioritize - break down into areas to tackle
Apps
Infrastructure
3rd parties
etc.
How To Measure
Scorecard (KRI)
What is important and helpful
Risk Registry
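As an added example that is not part of the original deck, the mapping steps above (inventory, threats, controls in place, gaps) and the scorecard KRI in Python. All asset names, threat scores and control names are constructed sample data, and the tag-based "applies to" rule is an assumption for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    name: str
    area: str         # scoping bucket from the deck: apps, infrastructure, 3rd parties
    tags: frozenset   # entry points and technology, e.g. "internet", "web", "windows"

@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: int         # 1-5, from your "real" threat picture
    impact: int             # 1-5
    exposes: frozenset      # asset tags this threat applies to (assumed mapping rule)
    mitigated_by: frozenset # controls that reduce it; any one present counts as covered

def applicable(asset, threat):
    return bool(asset.tags & threat.exposes)

def threat_map(assets, threats, controls):
    """The holes: applicable asset/threat pairs with no mitigating control, highest score first."""
    gaps = [(a.name, t.name, t.likelihood * t.impact)
            for a in assets for t in threats
            if applicable(a, t) and not (t.mitigated_by & controls.get(a.name, frozenset()))]
    return sorted(gaps, key=lambda g: (-g[2], g[0]))

def coverage_kri(assets, threats, controls):
    """Scorecard KRI: percent of applicable asset/threat pairs with a control in place."""
    pairs = sum(1 for a in assets for t in threats if applicable(a, t))
    if pairs == 0:
        return 100.0
    return round(100.0 * (pairs - len(threat_map(assets, threats, controls))) / pairs, 1)

# Constructed sample inventory, threats and controls (not real data).
ASSETS = [
    Asset("customer-portal", "apps", frozenset({"internet", "web"})),
    Asset("payroll-saas", "3rd parties", frozenset({"internet", "saas"})),
    Asset("file-server", "infrastructure", frozenset({"vpn", "windows"})),
]
THREATS = [
    Threat("credential stuffing", 4, 4, frozenset({"internet"}), frozenset({"mfa", "rate limiting"})),
    Threat("web app injection", 3, 4, frozenset({"web"}), frozenset({"waf", "sast"})),
    Threat("ransomware", 3, 5, frozenset({"windows"}), frozenset({"edr", "offline backups"})),
    Threat("vendor breach", 2, 4, frozenset({"saas"}), frozenset({"vendor assessment", "sso"})),
]
CONTROLS = {  # controls actually in place per asset; file-server has none recorded
    "customer-portal": frozenset({"waf", "rate limiting"}),
    "payroll-saas": frozenset({"sso"}),
}
```

Re-running `threat_map` and `coverage_kri` after a control is added is the "keep risk scores updated" loop: the gap list shrinks and the KRI moves, which is the number to carry into the risk registry.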
How To Improve/Modify
Use your risk registry or GRC tool to track progress and keep management updated. You need them on board to improve.
Once you have some areas mapped, don’t ignore them
Implement solid change control and change management processes
Keep risk scores updated so you aren’t focusing on unimportant things