produces strategic objectives for risk management. Therefore, executives in governance roles need to be aware of and understand risks to the organization to deal with them effectively. A key question is which assets are the highest priority for risk mitigation. The answer comes from a combination of a threat assessment, risk assessment, vulnerability assessment, and a business impact assessment.

A risk assessment determines the rate or amount of possible loss or injury to the organization. A vulnerability assessment identifies vulnerabilities within people, policy, process, systems/applications, data/information, and infrastructure and determines the degree of harm those vulnerabilities present to the organization. A threat probability assessment determines the highest probable threats. (Vulnerabilities may exist with no threat to exploit them.) A target probability assessment determines the highest probable targets. A business impact assessment (BIA) determines the organizational impact of a threat successfully exploiting asset vulnerability.

The combination of assessing risk, vulnerability, threat, and target probabilities along with business impact should lead to intelligent resource allocation decisions for addressing risk (see section 3.4.2.2).
5.4.1 The Scope of Risk Governance, Management, and Assessment
Traditionally, a risk assessment is asset centric. A comprehensive risk assessment also looks at the threat side. An exhaustive analysis of threats is not practical, if even possible. Therefore, you need to separate threats into classifications (Table 5.3), determine threat status (Table 5.4), and then provide rules to handle threat classes and specific threats according to threat status.

The threat classes provide guidance to determine the potential risks to your organization. Physical location provides insight into natural risk exposure, e.g., earthquake, tornado, hurricane, ice storms, or brush fires. The physical location of the data center also provides insight into potential accidents, for instance, at the end of an airport runway, under a freeway exit ramp, or next to a chemical manufacturing plant.

The contrived threat class, especially the contrived—specific class, includes adversaries. An adversary knows your organization, specifically targets your organization, and operates with intelligence and intent against it. Moreover, threats appearing natural, accidental, or technical may be the result of an intentional act; e.g., the ISP* connection outage may be the result of an adversary-operated fiber-seeking backhoe. Hence, any assessment of threats must be aware that the visible threat may be a symptom and not the threat itself. Threat status represents the sense of immediacy to the organization. Table 5.4 presents threat status categories.

* ISP: Internet service provider.