The Information Systems Security Officers Guide: Establishing and Managing an Information Protection Program
Based on what you have read, consider the following questions and how you would reply to them:
- Have you identified the natural threats to your company's information and systems?
- Have those threats been documented, and have processes been put in place to mitigate them?
- Have you identified the man-made threats, including the malicious code, that can attack your information and systems?
- Have those threats been documented, and have processes been put in place to mitigate them, for example, disaster recovery and contingency plans?
- Do you know the difference between risk management, risk assessment, and risk analysis?
- Do you have formal processes, policies, and procedures in place for applying these risk management techniques?
- Have you identified the gaps in your own education and experience that stand in the way of a complete understanding of the threats, such as malicious code and human factors?
- If not, why not?
- If so, what are you going to do about it?
- Does your CIAPP have contingency plans for terminating employees who, for example, are given 60 days' notice?
- When do you terminate an employee's access to sensitive information and systems?
  - When the employee is given a 60-day notice?
  - When the employee leaves?
- Does it depend on the employee's position in the company and the access that position carries?
- What is your definition of cyber-terrorism?
- Do you agree with the terrorism-related definitions cited above?
- If not, what definition would you use for each term whose cited definition you disagree with?
- Do you believe that a true cyber-terrorist attack will affect your corporation?
- If so, what plans do you have in place to mitigate it?