We, Avisi, have started an agile journey. A journey with one destination: a fancy ISMS for Avisi. I gladly take you along on our trip, by blogging about the adventures we’ve been through. So fasten your seatbelt, we will travel through a roadmap to remember.
It's been a while since we've last met. Much has happened! Let's have a tour through our risk analyses sessions, the resulting reports and the next steps to take.
Travel insurance: risk analysis
If you travel, you'll need an insurance. In order to determine what kind of insurance we need, we completed two 3-hour sessions in which we analyzed our organization-wide risks. We chose two teams which had the most to do with the processing of personal data, system complexity and were representative for the organisation. In other words, we chose the project teams which contained a certain amount of risk. Both sessions were guided by two persons of Insite Security. One facilitated the session and the other made notes for the report. I was also present and together with the team we gathered a lot of input.
We identified all our processes, applications and information flows using the Business Canvas Model. A very simple and sense-making approach to analyze parts of our organization. After that we, scored all assets on Confidentiality, Integrity, and Availability (the so called CIA-triad), and gathered potential threats per asset. At the end of the session we had an overview of our most critical assets and what threats were most likely to occur.
After these two sessions, each team needed three additional sessions of one hour to argument all given scores during the session and to fill out the rest of the risk matrix. So, all together it wasn't that time consuming as I thought it would be. On top of that, the reactions of the involved team members were highly positive. They said that the exercises forced them to think about applications in another way using the CIA-triad, discussions between team members arose, and the importance of security as a whole increased. Performing risk analysis really adds value, I would say!
Relax at Baseline Beach
After some intensive risk sessions, we allowed ourselves some time to relax. In cooperation with our system administrator we filled out a kind of maturity file, which contained 113 measures of ISO 27001. We scored all these items on different kinds of maturity levels, which gave us an overview of the status quo of our organization. The result showed what we already predicted: our main catch lays in documentation. We need to have an approved information security policy. We need to register some activities and we need to write down our workflows. It's tough, but doable. And more important, it's a learning curve in which security plays the main part.
Activities during the summer break
At the moment, we are in the middle of the summer break. A good time to reassess our planning, and check our to do list. Within a couple of hours I have a coaching session with Bjorn of Insite Security. We have a lot to talk about, because last month we completed the first version of our Information Security Policy. We also thought of a communication structure which makes the management system work. What does the communication flow look like when an information security measure has to be implemented and how do we check whether we are on track? That part we already completed last week, since I planned a meeting with one of the management team members. In one morning we agreed on the communication flow and made a draft on how we could structure things and make it all retraceable in our Atlassian documenting systems: Confluence and JIRA. A very effective meeting.
Now, the next activities consist of writing down procedures and making a list of company assets, which constitute a potential corporate risk. The summer break is perfect for this phase due to the quite offices which enhances concentration to write, good moods since it's summer, and the sunny weather which we can enjoy behind glass ;) Till next time!
This is part 1 of the series. Below you can navigate to the other parts: