Our privacy policies have to have notifications and opt-out provisions. Policies are high level directions, they would most often not address warranties, the area they cover or our liabilities. Also, keyword MOST.

We would look at the critical path to determine how long a project would take to complete. The critical path is the longest distance between the start and the finish of your project, including all the tasks, their duration, which gives you a clear picture of the project's actual schedule. We would use SWOT analysis to determine our strengths, weaknesses, opportunities, and threats. The Gannt chart is used to estimate required resources and resource allocation, as well as task sequencing. Ideal path is not a project management term.

It is MOST important that the antivirus software's signatures are updated frequently, and it is easy to use. How often the software vendor releases major updates is irrelevant, so is their feature roadmap. The antivirus solution should work with our other security hardware and software, but in most places, they would report back to our SIEM, and their interrelationship is secondary to the signature release frequency. The TCO is important, but again not as important as how often they update their signatures. Market share could be an indicator but is never a deciding factor.

If we get a lot of emergency change request, we should take another look at our change procedures and processes. Emergency change request will happen, but they should be the exception, not the rule. With emergency change requests we rarely have the required time to test the change properly. Changes being postponed, canceled, or many of them being similar is what we would want to see. They are all indicators of a well-functioning change management process.

The business manager for the asset (also often the system owner) would be the person who would be best at assigning the real asset value. They have the in-depth knowledge of what the system does and how critical it is. We may need to assist them with quantifying the value, but they are the best resource. The business analyst knows how the system works, but not the value, and average industry costs is never something we should use for asset value. Our systems are unique, our organization is unique, we would at best use the industry average as a benchmark.

We do all our Information Security investments on value analysis. How will this benefit the organization? In most cases it is not revenue gained, but it is loss minimized to an acceptable level. We might look at the audits, the business climate and the vulnerability assessments, but we would still do a value analysis to justify the cost. We want that positive ROI.

Our first priority should always be containment, we need to stop the attack from propagating through our network. Monitoring should already be in place. Documentation is done in our lessons learned after the attack. Restoration is done when the attack is contained, and we have determined how and what was compromised. We fix the flaws and then restore systems and system access.

We do vulnerability assessments to find known vulnerabilities on our network, that could often be missing patches, misconfigurations, open default ports or user accounts and passwords. 0-day are unknown, malware would be found with antivirus and antimalware and security design flaws would be found it we did an architectural audit.

If we have significant changes to our environment, we would most likely want to do a penetration test. The changes could easily have introduced new vulnerabilities. After an audit, we would fix the vulnerabilities they found and then maybe do a penetration test, but not right after. The same with the intrusion, we would fix any issues and then maybe do a penetration test. High staff turnover in itself is not a reason for a penetration test.

If our staff is trained sufficiently, and we have raised their awareness, we would see an increase of reported security incidents. While this may at first seem counter intuitive, we see the increase because our staff understands what to report to us. Before we raised their awareness, we would have less reports because they did not know what to report to us. Password resets and failed login attempts would not be an effective metric in measuring our awareness training, users still forget passwords or enter credentials incorrectly. The number of resolved security incidences does not have to correlate to the raised awareness.