Читать книгу IT Security Risk Assessment A Complete Guide - 2020 Edition - Gerardus Blokdyk - Страница 8
ОглавлениеCRITERION #2: DEFINE:
INTENT: Formulate the stakeholder problem. Define the problem, needs and objectives.
In my belief, the answer to this question is clearly defined:
5 Strongly Agree
4 Agree
3 Neutral
2 Disagree
1 Strongly Disagree
1. Have all of the relationships been defined properly?
<--- Score
2. What is the worst case scenario?
<--- Score
3. Are audit criteria, scope, frequency and methods defined?
<--- Score
4. How would you define IT security risk assessment leadership?
<--- Score
5. Is the improvement team aware of the different versions of a process: what they think it is vs. what it actually is vs. what it should be vs. what it could be?
<--- Score
6. What knowledge or experience is required?
<--- Score
7. What customer feedback methods were used to solicit their input?
<--- Score
8. Do you have organizational privacy requirements?
<--- Score
9. Do the problem and goal statements meet the SMART criteria (specific, measurable, attainable, relevant, and time-bound)?
<--- Score
10. Are there any constraints known that bear on the ability to perform IT security risk assessment work? How is the team addressing them?
<--- Score
11. Is IT security risk assessment currently on schedule according to the plan?
<--- Score
12. Has a team charter been developed and communicated?
<--- Score
13. Are approval levels defined for contracts and supplements to contracts?
<--- Score
14. Is scope creep really all bad news?
<--- Score
15. Are the IT security risk assessment requirements testable?
<--- Score
16. Do you have a IT security risk assessment success story or case study ready to tell and share?
<--- Score
17. Is IT security risk assessment linked to key stakeholder goals and objectives?
<--- Score
18. Is IT security risk assessment required?
<--- Score
19. What are (control) requirements for IT security risk assessment Information?
<--- Score
20. What was the context?
<--- Score
21. Are resources adequate for the scope?
<--- Score
22. What are the requirements for audit information?
<--- Score
23. Is there a clear IT security risk assessment case definition?
<--- Score
24. Is there a completed, verified, and validated high-level ‘as is’ (not ‘should be’ or ‘could be’) stakeholder process map?
<--- Score
25. Who are the IT security risk assessment improvement team members, including Management Leads and Coaches?
<--- Score
26. How does the IT security risk assessment manager ensure against scope creep?
<--- Score
27. Is the IT security risk assessment scope manageable?
<--- Score
28. What scope do you want your strategy to cover?
<--- Score
29. What key stakeholder process output measure(s) does IT security risk assessment leverage and how?
<--- Score
30. How have you defined all IT security risk assessment requirements first?
<--- Score
31. Is special IT security risk assessment user knowledge required?
<--- Score
32. What constraints exist that might impact the team?
<--- Score
33. Are customer(s) identified and segmented according to their different needs and requirements?
<--- Score
34. What sort of initial information to gather?
<--- Score
35. Are different versions of process maps needed to account for the different types of inputs?
<--- Score
36. How are consistent IT security risk assessment definitions important?
<--- Score
37. Has everyone on the team, including the team leaders, been properly trained?
<--- Score
38. Are the IT security risk assessment requirements complete?
<--- Score
39. How can the value of IT security risk assessment be defined?
<--- Score
40. What is in scope?
<--- Score
41. How do you think the partners involved in IT security risk assessment would have defined success?
<--- Score
42. Is the team equipped with available and reliable resources?
<--- Score
43. Who defines (or who defined) the rules and roles?
<--- Score
44. What are the compelling stakeholder reasons for embarking on IT security risk assessment?
<--- Score
45. What are the IT security risk assessment tasks and definitions?
<--- Score
46. Is the work to date meeting requirements?
<--- Score
47. Is the IT security risk assessment scope complete and appropriately sized?
<--- Score
48. What is out-of-scope initially?
<--- Score
49. How often are the team meetings?
<--- Score
50. Is there a completed SIPOC representation, describing the Suppliers, Inputs, Process, Outputs, and Customers?
<--- Score
51. What information do you gather?
<--- Score
52. How do you build the right business case?
<--- Score
53. Has a IT security risk assessment requirement not been met?
<--- Score
54. Have specific policy objectives been defined?
<--- Score
55. Are all requirements met?
<--- Score
56. What are the tasks and definitions?
<--- Score
57. Is there a IT security risk assessment management charter, including stakeholder case, problem and goal statements, scope, milestones, roles and responsibilities, communication plan?
<--- Score
58. Is data collected and displayed to better understand customer(s) critical needs and requirements.
<--- Score
59. When is the estimated completion date?
<--- Score
60. What is the context?
<--- Score
61. What is the scope of IT security risk assessment?
<--- Score
62. Is there any additional IT security risk assessment definition of success?
<--- Score
63. How do you catch IT security risk assessment definition inconsistencies?
<--- Score
64. Has a project plan, Gantt chart, or similar been developed/completed?
<--- Score
65. What are the record-keeping requirements of IT security risk assessment activities?
<--- Score
66. Is there regularly 100% attendance at the team meetings? If not, have appointed substitutes attended to preserve cross-functionality and full representation?
<--- Score
67. Is the scope of IT security risk assessment defined?
<--- Score
68. Are required metrics defined, what are they?
<--- Score
69. What are the boundaries of the scope? What is in bounds and what is not? What is the start point? What is the stop point?
<--- Score
70. Does the team have regular meetings?
<--- Score
71. What defines best in class?
<--- Score
72. What is out of scope?
<--- Score
73. What gets examined?
<--- Score
74. Where can you gather more information?
<--- Score
75. What is the definition of success?
<--- Score
76. How would you define the culture at your organization, how susceptible is it to IT security risk assessment changes?
<--- Score
77. What information should you gather?
<--- Score
78. How was the ‘as is’ process map developed, reviewed, verified and validated?
<--- Score
79. When is/was the IT security risk assessment start date?
<--- Score
80. How do you keep key subject matter experts in the loop?
<--- Score
81. Why are you doing IT security risk assessment and what is the scope?
<--- Score
82. Has/have the customer(s) been identified?
<--- Score
83. What critical content must be communicated – who, what, when, where, and how?
<--- Score
84. Who is gathering IT security risk assessment information?
<--- Score
85. What IT security risk assessment requirements should be gathered?
<--- Score
86. What intelligence can you gather?
<--- Score
87. How do you manage unclear IT security risk assessment requirements?
<--- Score
88. Are roles and responsibilities formally defined?
<--- Score
89. What is the scope of the IT security risk assessment effort?
<--- Score
90. Who approved the IT security risk assessment scope?
<--- Score
91. Has anyone else (internal or external to the group) attempted to solve this problem or a similar one before? If so, what knowledge can be leveraged from these previous efforts?
<--- Score
92. Have all basic functions of IT security risk assessment been defined?
<--- Score
93. In what way can you redefine the criteria of choice clients have in your category in your favor?
<--- Score
94. How will the IT security risk assessment team and the group measure complete success of IT security risk assessment?
<--- Score
95. Scope of sensitive information?
<--- Score
96. What sources do you use to gather information for a IT security risk assessment study?
<--- Score
97. What specifically is the problem? Where does it occur? When does it occur? What is its extent?
<--- Score
98. Are accountability and ownership for IT security risk assessment clearly defined?
<--- Score
99. If substitutes have been appointed, have they been briefed on the IT security risk assessment goals and received regular communications as to the progress to date?
<--- Score
100. What are the dynamics of the communication plan?
<--- Score
101. What are the core elements of the IT security risk assessment business case?
<--- Score
102. How and when will the baselines be defined?
<--- Score
103. What is the scope of the IT security risk assessment work?
<--- Score
104. What are the rough order estimates on cost savings/opportunities that IT security risk assessment brings?
<--- Score
105. What are the IT security risk assessment use cases?
<--- Score
106. How is the team tracking and documenting its work?
<--- Score
107. How do you hand over IT security risk assessment context?
<--- Score
108. Has your scope been defined?
<--- Score
109. What IT security risk assessment services do you require?
<--- Score
110. What are the Roles and Responsibilities for each team member and its leadership? Where is this documented?
<--- Score
111. What would be the goal or target for a IT security risk assessment’s improvement team?
<--- Score
112. Has a high-level ‘as is’ process map been completed, verified and validated?
<--- Score
113. The political context: who holds power?
<--- Score
114. What is the definition of IT security risk assessment excellence?
<--- Score
115. How do you gather requirements?
<--- Score
116. How did the IT security risk assessment manager receive input to the development of a IT security risk assessment improvement plan and the estimated completion dates/times of each activity?
<--- Score
117. Will a IT security risk assessment production readiness review be required?
<--- Score
118. Have the customer needs been translated into specific, measurable requirements? How?
<--- Score
119. Is the current ‘as is’ process being followed? If not, what are the discrepancies?
<--- Score
120. Do you all define IT security risk assessment in the same way?
<--- Score
121. Has the IT security risk assessment work been fairly and/or equitably divided and delegated among team members who are qualified and capable to perform the work? Has everyone contributed?
<--- Score
122. What scope to assess?
<--- Score
123. What happens if IT security risk assessment’s scope changes?
<--- Score
124. Who is gathering information?
<--- Score
125. How do you manage changes in IT security risk assessment requirements?
<--- Score
126. Has the direction changed at all during the course of IT security risk assessment? If so, when did it change and why?
<--- Score
127. Has the improvement team collected the ‘voice of the customer’ (obtained feedback – qualitative and quantitative)?
<--- Score
128. When are meeting minutes sent out? Who is on the distribution list?
<--- Score
129. Is the team adequately staffed with the desired cross-functionality? If not, what additional resources are available to the team?
<--- Score
130. How do you gather the stories?
<--- Score
131. What is in the scope and what is not in scope?
<--- Score
132. What baselines are required to be defined and managed?
<--- Score
133. Is it clearly defined in and to your organization what you do?
<--- Score
134. How do you manage scope?
<--- Score
135. Is there a critical path to deliver IT security risk assessment results?
<--- Score
136. What system do you use for gathering IT security risk assessment information?
<--- Score
137. Are there different segments of customers?
<--- Score
138. How will variation in the actual durations of each activity be dealt with to ensure that the expected IT security risk assessment results are met?
<--- Score
Add up total points for this section: _____ = Total points for this section
Divided by: ______ (number of statements answered) = ______ Average score for this section
Transfer your score to the IT security risk assessment Index at the beginning of the Self-Assessment.
