Information Asset Management Part 3

Upload: steve-simpson

Posted on 30-May-2018


8/14/2019 Information Asset Management Part 3

1/6

Information Asset Management

Part 3

Identifying Threats to Assets

Steve Simpson CISSP


Steve Simpson Principal Consultant Infosec Plus Consulting

Identifying threats to Information Assets

Introduction

OK, so we have identified all the information assets within the organisation and have associated impact values with those assets. What do we need to do now in order to bring the organisation to a level where it can perform a risk assessment on its valuable information assets?

In order to assess risk we need to establish what threats are posing risks to our information assets.

What is a threat?

A threat is a scenario or event which, if it occurred, would result in the loss, damage or compromise of an asset.

Identifying the threats

Like our previous stages, the identification of the threats to our assets is best achieved through a collaborative process including representatives of the different organisational departments and asset owners. Each of these representatives is likely to have a clear idea of what they consider to be the greatest threat to their information assets. Each of these identified threats needs to be documented so that at the end of the process the nominator of each can be assured that their concerns are being addressed.

Types of threat

When establishing the threats to your information assets, the following types of threat need to be considered.

Technical threats: The use of technological means to circumvent established security. This group includes all the possible electronic type attacks such as eavesdropping, hacking, virus/Trojan activity and misuse of computing facilities. Threats that fall into this grouping must be considered in both malicious and accidental form, for example:

o The accidental mis-configuration of system access rights could result in the compromise of sensitive information. Or:

o A system user deliberately copies business information to a thumb drive for use after leaving the organisation.

Personnel threats: Persons internal or external to the organisation posing a threat to information assets. This group of threats will include disgruntled employees, site visitors and social engineering type attacks. Also include the threat of losing personnel key to the running of the business. Again, we need to look at both the malicious and accidental possibilities of this type of threat. Do not forget to consider those indispensable persons that we highlighted during our identifying assets stage as having valuable information assets in their heads. The threat of losing one of these persons to the organisation by whatever means needs to be considered, in order for a risk mitigation strategy to be established.


Natural threats: Natural occurrences that pose a threat to information assets. Earthquakes, floods, fire and lightning strike can all be a threat to information assets. It is very worthwhile involving the individual or team that is responsible within your organisation for business continuity and disaster recovery, as they will have already documented some specific threats to your organisation. They will have specifically documented such threats as natural disasters and localised external threats. With natural threats it is not necessary to consider malicious threats.

The goal of this stage in the process is to have a documented list of hopefully no more than around 20 threat scenarios. These scenarios should between them cover the concerns of all of the asset owners and departmental representatives. To achieve a list this short requires the grouping of all concerns into generic threats. For example:

Concerns that data could be removed using a removable DVD writer, and concerns that information could be copied to a USB flash drive for removal, can (if agreed by all parties) be grouped into a threat such as:

The deliberate removal of information assets via removable media means.

Or

Concerns that users may take it upon themselves to upgrade the software on their terminals without approval or without having the vulnerabilities of that software assessed, and concerns that users could download and install additional utility software or even games from outside the organisation on to their terminals, can be grouped into a threat such as:

The introduction or substitution of unauthorised software.

Through the repeating of this process, it should be possible to establish the necessary list of identified threats.

Additional threats

In addition to the standard threats and concerns of the members of the different departments, it is important to gain a holistic view of the system. There is a need to try and mentally step out of the organisation and attempt to visualise it from above as if it were a two-dimensional object. Examine where information comes into or leaves the organisation, and what processes the information follows. This is where it is really useful to have a good security consultant on call; from an independent viewpoint it is possible for the consultant to identify threats that may not have been obvious to those within the organisation.

Preparation for risk assessment

For the final stage of preparations in order for the security risk assessment to take place, your security consultant needs to establish the potential attack groups for the threats and match the threats to the asset groups. Then, with the impact levels already established during the second stage of this piece of work, the likelihood of the threats being realised can be assessed and used to perform a quantitative calculation of the risks posed to each asset group. The entire process for the risk assessment needs to be documented and retained for future reference. The resulting documentation will provide CIOs and risk owners with the details that they need to make an informed judgement on whether or not a risk is acceptable or if further mitigation needs to be employed.
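As an added illustration (not part of the original document), the Python sketch below records departmental concerns grouped into generic threats as described under "Identifying the threats" and the grouping examples, checks that every nominator's concern is covered and every threat is matched to an asset group, and then performs the quantitative step from the preparation stage: impact x likelihood per asset group, compared against a risk tolerance. The 1-5 scales, the product formula, the tolerance value and all sample data are assumptions.

```python
# Added example, not from the original document. Scales, formula and
# sample data are assumptions made for illustration only.

# Constructed concerns: id -> (nominating department, wording,
# generic threat id it was grouped into, or None if not yet grouped)
CONCERNS = {
    "C1": ("Finance", "Data removed using a DVD writer", "T1"),
    "C2": ("HR", "Information copied to a USB flash drive", "T1"),
    "C3": ("IT", "Users upgrade terminal software without approval", "T2"),
    "C4": ("Ops", "Loss of a key person holding knowledge in their head", None),
}
# Generic threat scenarios agreed by all parties
THREATS = {
    "T1": "Deliberate removal of information assets via removable media",
    "T2": "Introduction or substitution of unauthorised software",
    "T3": "Loss of key personnel",
}
# Impact per asset group (established in Part 2), assumed 1-5 scale
IMPACT = {"customer records": 5, "workstation builds": 2}
# Likelihood that a threat is realised against an asset group, assumed 1-5
LIKELIHOOD = {("T1", "customer records"): 3, ("T2", "workstation builds"): 4}
TOLERANCE = 10  # assumed: a risk score above this needs further mitigation


def ungrouped_concerns(concerns=CONCERNS):
    """Concerns whose nominator cannot yet be assured they are addressed."""
    return sorted(cid for cid, (_, _, tid) in concerns.items() if tid is None)


def unmatched_threats(threats=THREATS, likelihood=LIKELIHOOD):
    """Threats not yet matched to any asset group (no likelihood assessed)."""
    matched = {tid for tid, _ in likelihood}
    return sorted(tid for tid in threats if tid not in matched)


def risk_register(impact=IMPACT, likelihood=LIKELIHOOD, tolerance=TOLERANCE):
    """Risk = impact x likelihood per (threat, asset group), highest first."""
    rows = []
    for (tid, asset), lik in likelihood.items():
        risk = impact[asset] * lik
        rows.append({"threat": tid, "asset_group": asset, "impact": impact[asset],
                     "likelihood": lik, "risk": risk, "acceptable": risk <= tolerance})
    return sorted(rows, key=lambda r: r["risk"], reverse=True)


if __name__ == "__main__":
    print("Concerns still to group:", ungrouped_concerns())
    print("Threats with no asset group:", unmatched_threats())
    for row in risk_register():
        print(row)
```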


Conclusion

Throughout the three sections of this document set, you have established the extent and quantity of the information assets that you have a responsibility to protect. You have been able to assess the value of the information and, where necessary, developed a labelling taxonomy to easily identify information assets of a similar value. And finally, in this document, we have identified the threats that put our assets at risk.

As an organisation you now have much more control over the information assets you own and those on loan to you. The risk assessment process that follows will allow you to implement the precise controls needed to maintain the confidentiality, integrity and availability of that information. Because the risk assessment is so well informed, the targeting of controls can be specific and will therefore be the most cost effective possible for your organisation.


Based in Perth, Western Australia, Infosec Plus Consulting is able to provide tailored, vendor-neutral information security business advisory services. Services include:

Data Loss Assessments: Data loss is a serious concern for all organisations. Many organisations each year never manage to recover from a security breach. Infosec Plus can provide you with assurance through a holistic review of your business policies, processes and procedures to establish where you may be susceptible to data loss, allowing you to assess the risks and apply targeted risk mitigation controls.

Holistic Security Review: A holistic review of your organisation's information security including technology, procedural, physical and personnel security measures.

Risk Assessment/Management: Assessing the risk from specific threats will give you the ability to apply the most efficient and cost effective security measures. The introduction of a risk management program can considerably reduce operational costs.

PCI Compliance Review: All organisations that store, process or transmit credit card information must comply with the Payment Card Industry Data Security Standard (PCI DSS). Infosec Plus can guide you through this process and provide you with the information you need to gain and maintain compliance with this exacting standard.

Security Awareness: The single most effective way to reduce data loss and increase the security standing of your organisation is through the introduction of a security awareness program. Infosec Plus can guide you through the development of an awareness program and can provide one to one or one to many training sessions to get the security message across.

Network Access Control: All organisations need to protect their valuable business and personal data from the ever increasing need for system interconnectivity. Infosec Plus can guide you through the process for developing a Network Access Control policy that will allow day to day business to continue in the safest possible manner.

Project Augmentation: If you are running or planning a project that needs to include security representation, Infosec Plus can provide a consultant to join your team, providing expert security advice to ensure that the project provides the security that your business information assets require.