
Information Asset Management

Part 3 – Identifying Threats to Assets

Steve Simpson CISSP


Identifying threats to Information Assets

Introduction
OK, so we have identified all the information assets within the organisation and have
assigned impact values to those assets. What do we need to do now in order to
bring the organisation to a level where it can perform a risk assessment on its
valuable information assets?
In order to assess risk we need to establish which threats pose risks to our
information assets.

What is a threat?
‘A threat is a scenario or event which, if it occurred, would result in the loss,
damage or compromise of an asset.’

Identifying the threats


Like our previous stages, the identification of the threats to our assets is best
achieved through a collaborative process including representatives of the different
organisational departments and asset owners. Each of these representatives is likely
to have a clear idea of what they consider to be the greatest threat to their
information assets. Each identified threat needs to be documented so that
at the end of the process the nominator of each can be assured that their concerns
are being addressed.

Types of threat
When establishing the threats to your information assets, the following types of threat
need to be considered.
• Technical threats – The use of technological means to circumvent established
security. This group includes all the possible electronic type attacks such as
eavesdropping, hacking, virus/Trojan activity and misuse of computing facilities.
Threats that fall into this grouping must be considered in both malicious and
accidental form, for example:
  o The accidental mis-configuration of system access rights could result
in the compromise of sensitive information; or
  o A system user deliberately copies business information to a thumb drive
for use after leaving the organisation.
• Personnel threats – Persons internal or external to the organisation posing a
threat to information assets. This group of threats will include disgruntled
employees, site visitors and social engineering type attacks. Also include the
threat of losing personnel key to the running of the business. Again, we need to
look at both the malicious and accidental possibilities of this type of threat. Do not
forget to consider those indispensable persons that we highlighted during our
‘identifying assets’ stage as having valuable information assets in their heads.
The threat of losing one of these persons to the organisation, by whatever means,
needs to be considered in order for a risk mitigation strategy to be established.

Page 2 of 6

Steve Simpson – Principal Consultant Infosec Plus Consulting


• Natural threats – Natural occurrences that pose a threat to information assets.
Earthquakes, floods, fire and lightning strikes can all threaten information
assets. It is well worth involving the individual or team responsible within your
organisation for business continuity and disaster recovery, as they will already have
documented some specific threats to your organisation, such as natural disasters and
localised external threats. With natural threats there is no malicious form to
consider.
The goal of this stage in the process is to have a documented list of hopefully no
more than around 20 threat scenarios. These scenarios should between them cover
the concerns of all of the asset owners and departmental representatives. To achieve
a list this short requires the grouping of all concerns into generic threats. For
example:
Concerns that data could be removed using a removable DVD writer, and concerns
that information could be copied to a USB flash drive for removal can (if agreed by all
parties) be grouped into a threat such as:
‘The deliberate removal of information assets via removable media means.’
Or
Concerns that users may take it upon themselves to upgrade the software on their
terminals without approval or having the vulnerabilities of that software assessed,
and concerns that users could download and install additional utility software or even
games from outside the organisation on to their terminals can be grouped into a
threat such as:
‘The introduction or substitution of unauthorised software.’
By repeating this process, it should be possible to establish the
necessary list of identified threats.

Additional threats
In addition to the standard threats and the concerns of the members of the different
departments, it is important to gain a holistic view of the system. Try to mentally
step out of the organisation and visualise it from above as if it were a
two-dimensional object. Examine where information enters or leaves the
organisation and what processes the information follows. This is where it is
really useful to have a good security consultant on call: from an independent
viewpoint the consultant can identify threats that may not have been
obvious to those within the organisation.

Preparation for Risk Assessment


For the final stage of preparation before the security risk assessment takes
place, your security consultant needs to establish the potential attack groups for the
threats and match the threats to the asset groups. Then, with the impact levels
already established during the second stage of this piece of work, the likelihood
of each threat being realised can be assessed and used to perform a
quantitative calculation of the risk posed to each asset group. The entire process for
the risk assessment needs to be documented and retained for future reference. The
resulting documentation will provide CIOs and risk owners with the details that they
need to make an informed judgement on whether or not a risk is acceptable or if
further mitigation needs to be employed.
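The steps described above (grouping raised concerns into generic threat scenarios, checking that every nominator's concern is covered, matching threats to asset groups, and combining the stage-two impact level with a likelihood to score each risk) are shown below as an added worked example. It is illustration code written for this page, not the author's or Infosec Plus's tooling. All concerns, asset groups, the keyword grouping rules and the 1-5 likelihood and impact scales are constructed assumptions; the paper prescribes no particular scale or scoring formula.

```python
"""Worked example: from raised concerns to a scored, ranked risk register.

All data below is constructed for illustration. The 1-5 likelihood and impact
scales and the likelihood x impact score are assumptions of this example,
not scales or formulas given in the paper.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Concern:
    nominator: str   # department or asset owner who raised the concern
    text: str        # the concern as raised in the workshop


# Constructed concerns, as they might be raised by departmental representatives.
CONCERNS = [
    Concern("Finance", "Data could be removed using a removable DVD writer"),
    Concern("HR", "Information could be copied to a USB flash drive for removal"),
    Concern("IT", "Users upgrade software on their terminals without approval"),
    Concern("Sales", "Users download and install games from outside the organisation"),
    Concern("Facilities", "Server room sits on a flood plain"),
    Concern("Legal", "Key counsel could leave taking case knowledge with them"),
]

# Grouping rules agreed by all parties: a keyword in the concern text maps it to
# a generic threat scenario. A deliberately simple, constructed matching scheme.
GROUPING_RULES = {
    "dvd": "Deliberate removal of information assets via removable media",
    "usb": "Deliberate removal of information assets via removable media",
    "software": "Introduction or substitution of unauthorised software",
    "install": "Introduction or substitution of unauthorised software",
    "flood": "Natural disaster affecting the primary site",
}

# Which asset groups each generic threat applies to (constructed).
THREAT_ASSET_GROUPS = {
    "Deliberate removal of information assets via removable media":
        ["Customer records", "Source code"],
    "Introduction or substitution of unauthorised software":
        ["Source code", "Desktop environment"],
    "Natural disaster affecting the primary site":
        ["Customer records", "Source code", "Desktop environment"],
}

# Likelihood per threat, 1 (rare) .. 5 (almost certain). Assumed scale, constructed values.
LIKELIHOOD = {
    "Deliberate removal of information assets via removable media": 3,
    "Introduction or substitution of unauthorised software": 4,
    "Natural disaster affecting the primary site": 1,
}

# Impact per asset group carried over from stage two, 1 (negligible) .. 5 (severe).
# Assumed scale, constructed values.
IMPACT = {"Customer records": 5, "Source code": 4, "Desktop environment": 2}


def group_concerns(concerns, rules):
    """Group concerns into generic threats; also return any concern no rule matched.

    The unmatched list is the check that every nominator's concern is addressed:
    anything left in it still needs a threat scenario (or an explicit decision).
    """
    grouped = {}
    unmatched = []
    for concern in concerns:
        lowered = concern.text.lower()
        threat = next((t for kw, t in rules.items() if kw in lowered), None)
        if threat is None:
            unmatched.append(concern)
        else:
            grouped.setdefault(threat, []).append(concern)
    return grouped, unmatched


def nominators_covered(grouped):
    """Sorted list of nominators whose concerns appear in the grouped threat list."""
    return sorted({c.nominator for cs in grouped.values() for c in cs})


def risk_register(threat_asset_groups, likelihood, impact):
    """Score each (asset group, threat) pair as likelihood * impact, highest first."""
    rows = []
    for threat, groups in threat_asset_groups.items():
        for group in groups:
            rows.append((group, threat, likelihood[threat] * impact[group]))
    return sorted(rows, key=lambda r: (-r[2], r[0], r[1]))


if __name__ == "__main__":
    grouped, unmatched = group_concerns(CONCERNS, GROUPING_RULES)
    for threat, cs in grouped.items():
        print(threat, "<-", [c.nominator for c in cs])
    print("Unaddressed concerns:", [(c.nominator, c.text) for c in unmatched])
    for group, threat, score in risk_register(THREAT_ASSET_GROUPS, LIKELIHOOD, IMPACT):
        print(f"{score:>2}  {group:<20} {threat}")
```

In this constructed data the Legal representative's concern (loss of a key person) matches no grouping rule and is reported as unaddressed, which is exactly the personnel-threat case the text says must not be forgotten; the register then ranks unauthorised software on source code above removable-media removal of customer records because of the higher assumed likelihood, the kind of comparison the documented assessment is meant to support.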


Conclusion
Throughout the three sections of this document set, you have established the extent
and quantity of the information assets that you have a responsibility to protect. You
have been able to assess the value of the information and where necessary
developed a labelling taxonomy to easily identify information assets of a similar value.
And finally in this document we have identified the threats that put our assets at risk.
As an organisation you now have much more control over the information assets you
own and for those on loan to you. The risk assessment process that follows will allow
you to implement the precise controls needed to maintain the confidentiality, integrity
and availability of that information. Because the risk assessment is so well informed
the targeting of controls can be specific and will therefore be the most cost effective
possible for your organisation.



Based in Perth, Western Australia, Infosec Plus Consulting is able to provide tailored,
vendor-neutral information security business advisory services. Services include:

• Data Loss Assessments – Data loss is a serious concern for all
organisations. Many organisations each year never manage to recover
from a security breach. Infosec Plus can provide you with assurance
through a holistic review of your business policies, processes and
procedures to establish where you may be susceptible to data loss,
allowing you to assess the risks and apply targeted risk mitigation controls.
• Holistic Security Review – A holistic review of your organisation's
information security including technology, procedural, physical and
personnel security measures.
• Risk Assessment/Management – Assessing the risk from specific threats
will give you the ability to apply the most efficient and cost effective
security measures. The introduction of a risk management program can
considerably reduce operational costs.
• PCI Compliance Review – All organisations that store, process or transmit
credit card information must comply with the Payment Card Industry
Data Security Standard (PCI-DSS). Infosec Plus can guide you through
this process and provide you with the information you need to gain and
maintain compliance with this exacting standard.
• Security Awareness – The single most effective way to reduce data loss
and increase the security standing of your organisation is through the
introduction of a security awareness program. Infosec Plus can guide you
through the development of an awareness program and can provide one
to one or one to many training sessions to get the security message
across.
• Network Access Control – All organisations need to protect their valuable
business and personal data from the ever increasing need for system
interconnectivity. Infosec Plus can guide you through the process for
developing a Network Access Control policy that will allow day to day
business to continue in the safest possible manner.
• Project Augmentation – If you are running or planning a project that needs
to include security representation, Infosec Plus can provide a consultant
to join your team, providing expert security advice to ensure that the
project provides the security that your business information assets require.
