Reducing cyber threat exposure requires knowing what you need to protect. Most cybersecurity risk assessment guidelines will tell you to start with listing your most valuable information assets but few will tell you how to do this.
A practical approach is to start with the key business processes. You don’t need an advanced business process model, but you should think through the key activities your organization or department is responsible for and that create value. If you don’t already have such descriptions in place, a big benefit of mapping the core business processes is that you will not only find ways to secure your information systems better, but you will most likely also find ways to improve efficiency by increasing speed or reducing cost.
We recommend performing a SIPOC assessment with a small extension to identify your core information assets. SIPOC is an acronym that stands for Suppliers – Inputs – Process – Outputs – Customers.
Choose one of the important business processes in your organization, for example sales. List the key steps in your sales process to begin with, then identify the key inputs (what you need to make that process work) and who is supplying those inputs (suppliers). Then move on to what the outputs from the process are, and who will be using those outputs (customers).
The next step is to go through each box in the SIPOC form and list:
- What information systems or data do I need to get this done?
- What would be the consequences of unavailability, a confidentiality breach, or an unauthorized change of the system or its data (loss of availability, confidentiality or integrity)?
You don’t need to list everything, but you should include every system where a security breach would cause real impact to the business process.
Cybehave’s RiskTool software integrates a SIPOC mapping tool that makes it easy to go directly from business process to risk assessment.
To download our FREE SIPOC TEMPLATE and stay up to date on Cybehave news, use the form below.