Assessing data handling

The current challenge is to put together a new security assessment questionnaire focused on data handling. I’m working on this with one of my American colleagues, and predictably we’ve both come to the floor with different views on what questions need to be asked. This isn’t detrimental, though, as it’s precisely this sort of collaboration that enables us to come up with solutions that are viable across multiple different business environments.

So, the decision is to focus first on the types of data being handled, and then to dig into the processes in place around storage, transportation, and destruction. We’ll score the questionnaire in such a way that answering “yes” to any particular question will show an overall reduction in risk, with a minimum acceptable baseline score set so that we can track which businesses are adequately mitigating risks in this area. Make sense?