Introduction
OK, so we have identified all the information assets within the organisation and have
associated impact values with those assets. What do we need to do now in order to
bring the organisation to a level where it can perform a risk assessment on its
valuable information assets?
In order to assess risk we need to establish which threats pose a risk to our
information assets, and whether each could arise deliberately, accidentally, or both.
What is a threat?
‘A threat is a scenario or event which, if it occurred, would result in the loss,
damage or compromise of an asset.’
Types of threat
When establishing the threats to your information assets, the following types of threat
need to be considered.
Technical threats – The use of technological means to circumvent established
security. This group includes all the possible electronic attacks such as
eavesdropping, hacking, virus/Trojan activity and misuse of computing facilities.
Threats that fall into this grouping must be considered in both accidental and
malicious form, for example:
o The accidental mis-configuration of system access rights could result
in the compromise of sensitive information.
o A system user deliberately copies business information to a thumb drive
for use after leaving the organisation.
Personnel threats – Persons internal or external to the organisation posing a
threat to information assets. This group of threats includes disgruntled
employees, site visitors and social engineering attacks. Again, we need to
look at both the malicious and accidental possibilities of this type of threat. It
also includes the threat of losing personnel who are key to the running of the
business. Do not forget the indispensable persons that we highlighted during our
‘identifying assets’ stage as having valuable information assets in their heads.
The threat of losing one of these persons to the organisation, by whatever means,
needs to be considered so that a risk mitigation strategy can be established.
Page 2 of 6
Additional threats
In addition to the standard threats and concerns raised by the members of the
different departments, it is important to gain a holistic view of the system. Try to
mentally step out of the organisation and visualise it from above, as if it were a
two-dimensional map. Examine where information enters or leaves the organisation,
and which processes the information follows between those points. This is where it is
really useful to have a good security consultant on call: from an independent
viewpoint the consultant can identify threats that may not have been obvious to
those within the organisation.