3. Risk Identification Flashcards
Identification Of Assets
Input
Scope and boundaries for the risk assessment to be conducted, list of constituents with owners, location, function, etc.
Action
The assets within the established scope should be identified.
Implementation guidance
An asset is anything that has value to the organization and which, therefore, requires protection. Asset identification should be performed at a suitable level of detail that provides sufficient information for the risk assessment.
The level of detail used in the asset identification influences the overall amount of information collected during the risk assessment. The level can be refined in further iterations of the risk assessment.
An asset owner should be identified for each asset, to provide responsibility and accountability for the asset.
Output
A list of assets to be risk-managed, and a list of business processes related to assets and their relevance.
Identification Of Threats
Input
Information on threats obtained from incident reviewing, asset owners, users and other sources, including external threat catalogues.
Action
Threats and their sources should be identified.
Implementation guidance
A threat has the potential to harm assets such as information, processes and systems and, therefore, organizations. Threats can be of natural or human origin, and can be accidental or deliberate. Both accidental and deliberate threat sources should be identified.
A threat can arise from within or from outside the organization.
Output
A list of threats with the identification of threat type and source.
Identification Of Existing Controls
Input
Documentation of controls, risk treatment implementation plans.
Action
Existing and planned controls should be identified.
Implementation guidance
Identification of existing controls should be made to avoid unnecessary work or cost, e.g. in the duplication of controls.
In addition, while identifying the existing controls, a check should be made to ensure that the controls are working correctly — a reference to already existing ISMS audit reports should limit the time expended in this task.
If a control does not work as expected, this can cause vulnerabilities.
An existing or planned control can be identified as ineffective, or not sufficient, or not justified.
Output
A list of all existing and planned controls, their implementation and usage status.
Identification Of Vulnerabilities
Input
A list of known threats, lists of assets and existing controls.
Action
Vulnerabilities that can be exploited by threats to cause harm to assets or to the organization should be identified.
Implementation guidance
Vulnerabilities can be identified in the following areas:
— organization;
— processes and procedures;
— management routines;
— personnel;
— physical environment;
— information system configuration;
— hardware, software or communications equipment;
— dependence on external parties.
The presence of a vulnerability does not cause harm in itself, as there needs to be a threat present to exploit it. Vulnerabilities can be found in the physical environment, personnel, hardware, software and organization.