Finally, we are getting to the point where we can analyse risks and act accordingly. This note is about identifying risks, rating them and implementing countermeasures for prevention (or not).

Risk analysis

Before you or your organization can analyse any risk, you should assign responsibilities for the actions you need to take during a review. Initiating a risk analysis requires the IT security officer, the risk manager of the organizational unit, the ICT manager and a user of the system. You then create a project plan with methods, a timeline and the required resources.

As soon as this is done you need to delimit your systems: know what the scope and the boundaries of the assessment are, and make sure you don't exceed them.

Next, identify the data that must be protected by internal and external requirements. These could be data related to an individual or sensitive business data. They can then be used to identify vulnerabilities and assess their protection objectives. Once vulnerabilities are identified you are able to define threat vectors and categorize them by the damage they could cause:

  Minor: The damage is limited, not crucial.
  Medium: The damage is considerable and could harm the organization.
  Major: The damage is an existential threat to the organization.

Note: Within the BIA (business impact analysis) you are able to conduct a process-oriented analysis.

Determine protection needs

The first step to successfully evaluating protection needs is a proper network plan with all components of the network (e.g. routers, firewalls, switches, servers, clients and printers). Describe them in as much detail as possible: IP addresses or ranges, functions, names, location and operating systems. This lowers the complexity of the analysis and lets you group the systems easily. For the assessment, follow these steps:

  1. List the systems
  2. List the critical business data (e.g. employee data, credentials, document management)
  3. Compare the system components with the list of critical business data
  4. Define the protection objective (CIA), protection needs and the reason for each application
  5. Define the protection objective (CIA), protection needs and the reason for each system component
  6. Rate the communication channels as well (again by CIA) and provide reasons
  7. Define the protection needs for locations and rooms that contain data or system components
Last modified: September 11, 2020
