work must cover all aspects of the organization. The Enterprise Context Framework
(ECF) (chapter 12) and enterprise dynamics provide a framework within which to
consider vulnerabilities. The macro level categories are:
• Entities—technology
• Actors—people
• Actions—process
There are many contexts in which to consider enterprise dynamics. These contexts include:
• Business
  – People
  – Process
• Management
  – Production
  – Operations
• Organization
  – Hierarchical structure
  – Command and control
• Physical
  – Location
  – Site details of campus, building, floor, room, and workspace
Vendors release patches to fix vulnerabilities. Part of vulnerability management
is patch management. A formal patch management process monitors industry and
vendor announcements of known vulnerabilities and defines how to address
those vulnerabilities. However, installing patches introduces its own risk to operations,
because a patch may interfere with existing software and degrade performance.
This is another example of the need to maintain mission integrity. Introducing a
patch for a security hole as quickly as possible is good, but not at the expense of
negatively affecting the business purpose of the patched system.
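To make that trade-off concrete, here is an added example (not code from the book) of a risk-based patch triage routine. The advisory identifiers, products, versions, host names and score thresholds are all constructed for the illustration, and the policy encoded in triage() is an assumption about one reasonable way to honour both goals: urgent fixes go out at once on non-critical hosts, while a mission-critical host gets a compensating control immediately and receives the patch only after a pilot run, in a maintenance window, with a rollback plan prepared.

```python
"""Risk-based patch triage: an added example, not code from the book.

Constructed input: three vendor advisories and four assets. Identifiers,
products, versions and thresholds are made up for the illustration. The
policy in triage() is an assumption about one way to honour the text's two
goals: close known holes quickly, but never at the cost of the patched
system's business purpose.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class Advisory:
    advisory_id: str    # vendor's identifier (constructed)
    product: str
    fixed_version: str  # first version that contains the fix
    severity: float     # 0.0-10.0, CVSS-style base score
    exploited: bool     # vendor reports exploitation in the wild


@dataclass
class Asset:
    name: str
    product: str
    version: str
    mission_critical: bool  # an outage harms the business purpose
    internet_facing: bool


@dataclass
class PlanEntry:
    asset: str
    advisory: str
    action: str             # "emergency", "scheduled" or "deferred"
    pilot_first: bool       # prove the patch on a pilot host before the fleet
    rollback_plan: bool     # snapshot/backout prepared before install
    interim_control: str    # compensating measure while the patch is validated


def version_key(v: str):
    """Compare dotted versions numerically, so 1.10 sorts after 1.9."""
    return tuple(int(p) for p in v.split("."))


def is_affected(asset: Asset, adv: Advisory) -> bool:
    """Affected if same product and installed version predates the fix."""
    return (asset.product == adv.product
            and version_key(asset.version) < version_key(adv.fixed_version))


def triage(assets: List[Asset], advisories: List[Advisory]) -> List[PlanEntry]:
    plan = []
    for adv in advisories:
        for asset in assets:
            if not is_affected(asset, adv):
                continue
            # Urgency comes from the threat side: exploited in the wild, or a
            # critical-severity flaw on an exposed host (thresholds assumed).
            urgent = adv.exploited or (adv.severity >= 9.0 and asset.internet_facing)
            if urgent:
                action = "emergency"
            elif adv.severity >= 7.0:
                action = "scheduled"   # next maintenance window
            else:
                action = "deferred"    # batch with the next routine cycle
            interim = "none"
            if asset.mission_critical and action == "emergency":
                # Mission integrity: an untested patch must not take down a
                # critical system. Contain the exposure now, patch after pilot.
                action = "scheduled"
                interim = ("restrict network access to the affected service"
                           if asset.internet_facing
                           else "increase monitoring of the affected service")
            plan.append(PlanEntry(
                asset=asset.name,
                advisory=adv.advisory_id,
                action=action,
                pilot_first=(action != "deferred"),
                rollback_plan=asset.mission_critical,
                interim_control=interim,
            ))
    # Emergencies first, then scheduled, then deferred; stable by host name.
    order = {"emergency": 0, "scheduled": 1, "deferred": 2}
    plan.sort(key=lambda e: (order[e.action], e.asset))
    return plan


# Constructed sample data for the example.
ADVISORIES = [
    Advisory("VENDOR-2024-001", "webgw", "3.4.2", 9.8, True),
    Advisory("VENDOR-2024-002", "dbserver", "12.1.0", 7.5, False),
    Advisory("VENDOR-2024-003", "officesuite", "2.0.9", 5.0, False),
]
ASSETS = [
    Asset("edge-proxy-01", "webgw", "3.4.1", False, True),
    Asset("order-api-01", "webgw", "3.3.0", True, True),
    Asset("erp-db-01", "dbserver", "12.0.3", True, False),
    Asset("hr-laptop-07", "officesuite", "2.0.8", False, False),
]

if __name__ == "__main__":
    for entry in triage(ASSETS, ADVISORIES):
        print(entry)
```

Run as-is, the plan puts the non-critical edge proxy on the emergency track, holds the mission-critical order API on the scheduled track with an access restriction as the interim control, schedules the ERP database for the next window with a rollback plan, and defers the low-severity office suite update. The point of the structure is that the threat side (severity, exploitation, exposure) sets urgency, while the mission side (criticality) decides how much validation must happen before the patch touches production.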
4.3.5 IA Quantification: Threat Perspective
The threat perspective of IA quantification includes deductive and predictive
approaches.
4.3.5.1 Threat Probability Assessment (TPA)
The traditional focus of a risk assessment starts with the organizational asset space.
This approach to risk management first attempts to identify assets with high dollar