|
Security Planning Protocol Step 2: Risk Analysis
Detailed Explanation for Phase 2
2-A. Identify Risks
Inventory your technology, data, & expertise*
- Systems: internal & external extensions
- Data: accuracy, integrity, security, privacy
- Physical plant
- People: staff, users, stakeholders
Measure potential impact of disruptive events
on organization if assets are…
- Disclosed
- Corrupted
- Taken out of service
* Asset-based approach draws on work done by Software Engineering Institute at Carnegie-Mellon University |
2-B. Assess Vulnerabilities & Threats
- Systems: weakness may be inherent, created during installation or configuration, caused by maintenance or patterns of ( mis)use, or by attacks
- Physical plant: exposure to power loss or spikes, floods or burst pipes, overheating or cold, vandalism or fire
- Organization: inadequate policies, training, or staffing
- People: accidental and intentional causes
|
2-C. Security Stress Tests
- Diagnostic tests: Periphery, Internals, Shared Spaces
- Operational Reviews
- User evaluation
- Architectural evaluation
Prioritize security gaps
Rank on impact, then probability
|
|
|
OUTCOME:
Security Project Description
A project description that includes goals, processes, resources, and decision-making standards.
|
|
| |
|
|
|
