You’ve just been hired and Information Security is now your responsibility.
Who has immediate concerns?
Introduce yourself and ask what concerns them most. Note their names (for your own use only) and try to remember them. Can you take a photograph to help?
NIST Special Publication 800-115: Technical Guide to Information Security Testing and Assessment [pdf]
What company policies and regulatory requirements exist? What compliance programs (SOX, PCI, HIPAA, SSAE 16) must be observed?
The National Checklist Program (NCP), defined by NIST SP 800-70 Rev. 2, is the U.S. government repository of publicly available security checklists (or benchmarks) that provide detailed, low-level guidance on setting the security configuration of operating systems and applications. NCP is migrating its repository of checklists to conform to the Security Content Automation Protocol (SCAP). SCAP enables standards-based security tools to automatically perform configuration checking using NCP checklists.
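To make the idea of automated checklist-based configuration checking concrete, here is a small added example (not from the page, not SCAP/XCCDF/OVAL, and not an NCP checklist): a hand-written checker that reads a constructed `sshd_config` sample, resolves each setting to its effective value (OpenSSH uses the first occurrence, or the documented default when the keyword is absent), and compares it against a constructed checklist. The rule ids, the checklist items and the sample file are all assumptions made for illustration.

```python
"""Minimal checklist-style configuration check (added example).

This mimics what an SCAP-capable tool does with a benchmark, in a
simplified form. The checklist items, rule ids and sshd_config sample
below are constructed for illustration; they are not NCP content.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample of an OpenSSH server configuration file.
SAMPLE_SSHD_CONFIG = """\
# constructed sshd_config sample
Port 22
PermitRootLogin yes
PasswordAuthentication yes
#MaxAuthTries 6
X11Forwarding no
"""

# Constructed sample that satisfies every item in the checklist below.
HARDENED_SSHD_CONFIG = """\
PermitRootLogin no
PasswordAuthentication no
MaxAuthTries 4
X11Forwarding no
"""


@dataclass(frozen=True)
class CheckItem:
    rule_id: str            # constructed checklist identifier (not an NCP id)
    key: str                # configuration keyword, matched case-insensitively
    expected: str           # value the checklist requires
    default: Optional[str]  # value OpenSSH assumes when the keyword is absent


# Constructed checklist loosely modelled on common SSH hardening advice.
CHECKLIST = (
    CheckItem("SSH-01", "PermitRootLogin", "no", "prohibit-password"),
    CheckItem("SSH-02", "PasswordAuthentication", "no", "yes"),
    CheckItem("SSH-03", "MaxAuthTries", "4", "6"),
    CheckItem("SSH-04", "X11Forwarding", "no", "no"),
)


def parse_config(text: str) -> Dict[str, str]:
    """Return effective settings: comments ignored, first occurrence wins."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        settings.setdefault(key, value)  # sshd keeps the first value it sees
    return settings


def evaluate(text: str, checklist=CHECKLIST) -> List[dict]:
    """Compare each checklist item against the effective configuration."""
    settings = parse_config(text)
    results = []
    for item in checklist:
        actual = settings.get(item.key.lower(), item.default)
        passed = actual is not None and actual.lower() == item.expected.lower()
        results.append({
            "rule_id": item.rule_id,
            "key": item.key,
            "expected": item.expected,
            "actual": actual,
            "status": "pass" if passed else "fail",
        })
    return results


def failing_rules(text: str, checklist=CHECKLIST) -> List[str]:
    """Rule ids that the given configuration does not satisfy."""
    return [r["rule_id"] for r in evaluate(text, checklist) if r["status"] == "fail"]


if __name__ == "__main__":
    for r in evaluate(SAMPLE_SSHD_CONFIG):
        print(f"{r['rule_id']:7} {r['key']:23} expected={r['expected']:<18} "
              f"actual={str(r['actual']):<18} {r['status']}")
```

Note that the commented-out `MaxAuthTries` line is treated as absent and the OpenSSH default is used for the comparison; a checker that only inspected lines present in the file would silently pass that item, which is why the default belongs in the checklist entry.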
- When doing the inventory of authorized and unauthorized software, include software composition analysis. What libraries are being used? Do these libraries have vulnerabilities?
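The following is an added example of the software composition analysis step, written for this page rather than taken from it: it parses a pinned `requirements.txt`-style manifest and matches each package against an advisory list of affected version ranges. The manifest, the package names and the advisory ids are all constructed placeholders (none are real packages or real vulnerabilities), and the version comparison handles only numeric dotted versions, not full PEP 440.

```python
"""Software composition analysis over a pinned dependency manifest (added example).

The manifest contents, package names and advisory ids below are
constructed for illustration; they do not describe real vulnerabilities.
"""
from typing import Dict, List, Optional, Tuple

# Constructed manifest, pinned the way a lock file would be.
SAMPLE_REQUIREMENTS = """\
# constructed requirements.txt
examplelib==1.4.2
netparser==0.9.0    # constructed
imagekit==3.2.1
unpinned-tool
"""

# Constructed advisories. A version is affected iff introduced <= v < fixed;
# fixed=None means no fixed release exists yet.
ADVISORIES = [
    {"package": "examplelib", "introduced": "1.0.0", "fixed": "1.4.3", "id": "ADV-CONSTRUCTED-0001"},
    {"package": "netparser", "introduced": "0.8.0", "fixed": "0.9.0", "id": "ADV-CONSTRUCTED-0002"},
    {"package": "imagekit", "introduced": "3.0.0", "fixed": None, "id": "ADV-CONSTRUCTED-0003"},
]


def parse_version(v: str) -> Tuple[int, ...]:
    """Numeric dotted versions only; enough for this sample, not full PEP 440."""
    return tuple(int(p) for p in v.split("."))


def parse_requirements(text: str) -> Dict[str, Optional[str]]:
    """Map package name -> pinned version, or None when the line is not pinned."""
    deps: Dict[str, Optional[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        if "==" in line:
            name, version = line.split("==", 1)
            deps[name.strip().lower()] = version.strip()
        else:
            deps[line.lower()] = None
    return deps


def is_affected(version: str, adv: dict) -> bool:
    """True when version falls inside the advisory's affected range."""
    v = parse_version(version)
    if v < parse_version(adv["introduced"]):
        return False
    return adv["fixed"] is None or v < parse_version(adv["fixed"])


def scan(text: str, advisories=ADVISORIES) -> List[dict]:
    """Return one finding per affected pin, plus a note for unpinned entries."""
    findings = []
    for name, version in parse_requirements(text).items():
        if version is None:
            # An unpinned dependency cannot be assessed; that is itself a finding.
            findings.append({"package": name, "version": None, "id": None,
                             "note": "unpinned: cannot assess"})
            continue
        for adv in advisories:
            if adv["package"] == name and is_affected(version, adv):
                findings.append({"package": name, "version": version, "id": adv["id"],
                                 "note": f"fixed in {adv['fixed'] or 'no fixed release yet'}"})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_REQUIREMENTS):
        print(f"{f['package']:15} {str(f['version']):8} {str(f['id']):22} {f['note']}")
```

Two details matter in practice: the fixed version is excluded from the affected range (so `netparser==0.9.0`, pinned exactly at the fix, is clean), and an unpinned dependency is reported rather than skipped, because an inventory that cannot say which version is installed cannot answer the vulnerability question at all.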
The California Department of Technology Risk Assessment Toolkit has links to great resources.
What gaps do you fill first?
There will always be risk. What level of risk is acceptable?
Check your work. Repeat.