Information system security - threats
More of my notes taken while reading Managing information system security and privacy.
If asset identification is the first step of security, then threat identification is step number two.
We have physical, logical and social threats.
We organize threats into categories. When doing so we should take care that:
- categories should not overlap
- all categories together cover all possibilities
- classification is unambiguous and precise
- classification is repeatable
- classification is logical and intuitive
- classification is useful, in that it provides insight into the field
Vulnerability risk analysis is then performed; it examines the following kinds of weakness:
- physical
- organizational
- procedural
- personnel related
- management related
- constructional
- logical weakness of hardware and software
- information weakness
Next comes the analysis of risk impacts, i.e. the consequences of a successful attack.
Impacts can be:
- direct (e.g. destroying asset)
- indirect (e.g. damage to goodwill).
Risk impact can be estimated through:
- qualitative measurement
- quantitative measurement
Risk management covers:
- determination of security and privacy objectives (based on strategies)
- determination of required safeguards (based on risk analysis)
- monitoring implementation
- detecting incidents and reacting to them
- establishing security and privacy awareness culture
Risk analysis can be based on one of four approaches:
- Informal approach
  - pragmatic approach without structured methods
  - exploits the knowledge and experience of employees
  - can be done in a short time period
  - some risks can be overlooked
  - change management is difficult
- Baseline approach
  - selection of a standardized set of safeguards
  - no need for detailed risk analysis
  - it may overestimate or underestimate real requirements
- Detailed analysis
  - identification and evaluation of assets and threats
  - each safeguard is justified down to the level of acceptable risk
  - extensive input of resources
- Combined approach
  - critical systems are subject to the detailed approach
  - non-critical systems are subject to the baseline approach
- There is no such thing as 100% security! It is wise to prepare as well as possible to handle the bad times properly.
- managing security and privacy costs money
- an organization cannot make a profit through effective risk management, but it can avoid the costs caused by intrusions and stolen information
- security and privacy are in many cases already a legal obligation