David Ambrose: …and not from a technology standpoint, more from a process…
Jim Flyzik: Okay.
David Ambrose: [Continuing] We have implemented a risk-based approach to our information system continuous monitoring program. This defines ISCM as maintaining ongoing awareness of information security vulnerabilities and threats to support our organizational risk management decisions. One approach involves identifying the organizational risk associated with the system changes, identifying vulnerabilities, and implementing a risk-based ISCM strategy to ensure that our efforts are focused on the right areas, on the right controls for the organization. This represents a change in the traditional three-year ETL cycle. Basically, we’re looking at, again, the organizational risk along with perhaps the system’s FIPS 199 rating, coupling that and assigning an organizational risk for prioritizing across the organization. So, that’s a good program.
Jim Flyzik: Yes.
David Ambrose: [Continuing] Again, it leads to the benefit of focusing our resources in the right areas so that the decision leaders of the organization can have information in front of them, for risk-based decisions, that feeds into our enterprise management.
Jim Flyzik: Yes.
[END OF AUDIO] [00:01:05]