Whether it’s careless mistakes, fraud, or viruses, worms, hackers, phishers and social engineers, organizations are threatened from all sides.
We live in a world of increasingly complex markets, regulations and interconnected IT-enabled communications where high quality, timely information is the lifeblood of an organization. Without it, we cannot make good business and managerial decisions. From regulatory compliance (SOX, PCI-DSS, HIPAA, privacy) to emerging technologies (cloud computing, social networking, BYOD) to an increasingly sophisticated crime ecosystem (cyber criminals, organized crime, internal fraud), information security is a difficult issue to ignore. It does not, however, need to be complicated to address. When security risks, controls and corporate objectives are aligned, protection of information assets can drive real value to your organization.
Plan your security strategy and align it to your business objectives and risk management requirements. While security can be costly, there is no doubt that insecurity can be even more so. Damage can be in the form of direct financial impact such as lost productivity, lost revenues and litigation, or something more difficult to quantify such as brand and reputation in the marketplace. Manage your risk/cost exposure by ensuring that your security controls are appropriately aligned to your security risk appetite.
Threats have significantly evolved over the years – so should your strategy to manage them!
Know what you want to protect.
When gathering data, ensure participation from senior stakeholders who understand the value of the information and know what data and applications require protection.
Prioritize and rank the risks.
Socialize the initiative, build awareness and ensure everyone understands the importance of information security.
Perform a vulnerability assessment to determine where you are susceptible to security breaches. This involves identifying which operating systems, services, and other software are running and whether each system has the latest security updates.
Consider tools that automate the process of scanning systems for operating system and security updates and identifying remediation activities.
Organizations in the mid-market have the same security objectives and requirements as larger, more complex counterparts; the difference is that they typically have fewer resources at their disposal.
Map the results of the vulnerability assessment against your risk assessment to identify systems that process high-value data and applications that are also at high risk of a security breach. Focus your efforts and address any weaknesses in these systems first, leaving the low value, low-risk systems for last.
Choices, choices, choices. Analyze the risks and determine the most cost-effective way to address the risks. A robust defense in depth and layered security strategy will ensure that if one control is compromised, there are compensating controls to protect your valuable information.
A “defense in depth” strategy takes a holistic approach to security and addresses policy and operations planning, user training, physical access security measures, and technical security measures to protect your information. Similarly, a layered approach to security combines multiple mitigating security controls to protect your information and systems. Establish a cost-effective information security foundation for your organization, from network to desktop to data security. For example, controls at the perimeter will keep threats from penetrating your network; additional controls within the network will protect you from attackers that breach your perimeter and, more specifically, from the insider threat.
Consider minimum control standards:
Develop information security policies and formalize key processes.
Educate your users and implement security awareness initiatives.
Ongoing security is a process rather than an event. Technologies and processes change; staff turn over. After completing your initial security baseline, leverage your efforts by implementing an ongoing process of continuous improvement and validating your security posture.
By defining a security program that focuses on what you want to protect, prioritizes your efforts based on impact and exposure, and implements some basic processes, technology and, most important of all, a security awareness program, you can put cost-effective controls in place to protect your information assets and drive value to your organization.
This article has been prepared for informational purposes only and is not intended for any other purpose. We do not assume any responsibility or liability for losses occasioned by you in reliance on this information. We would be pleased to discuss with you the issues raised within the context of your particular circumstances. Please contact Trac Bo, CA, CISA, CGEIT, Technology Risk Leader, or your local MNP Public Companies advisor.