Well, the beginning is no surprise – start with understanding the current state of IT risk: test the controls and understand the incident management programs.
Then use the current state to create a reference point. This will enable you to identify the gap that needs to be addressed.
Once you know where the gap is, understand the reason behind it. This will help you find a solution to address it.
…
When thinking about controls, remember that there are two main types:
- proactive – e.g. warning sign,
- reactive – e.g. fire extinguisher.
…
When introducing controls, remember about proper Control Management Procedures; they will make the life of the organization much easier. Below are the most important components of such procedures.
- Proper installation.
- Policies and procedures supporting operations.
- Change Management.
- Training of staff to monitor, manage and review controls.
- Assignment of responsibilities.
- Schedule for review and reporting.
- KPIs.
…
What about a situation where the implemented controls are not enough? We can try to introduce compensating measures:
- layered defense,
- increased supervision,
- increased audits,
- logging of system activities.
…
Extras:
Changeover (Go-live) Techniques:
- Parallel Changeover – both the old and the new system run at the same time,
- Phased Changeover – replacing individual components or modules,
- Abrupt Changeover – single-instant movement from the old system to the new one; abrupt changeover may be used when rollback is relatively assured or the impact is minor.
Rollback (fallback):
- post-implementation review as soon as practical,
- lessons learned,
- second joint review once the system has already spent some time in production.