|
|
|
|
| |
Security Planning Protocol Step 2: Risk Analysis
|
2-A. Identify Risks
Inventory your technology, data, & expertise*
- Systems: internal & external extensions
- Data: accuracy, integrity, security, privacy
- Physical plant
- People: staff, users, stakeholders
Measure potential impact of disruptive events
on organization if assets areā¦
- Disclosed
- Corrupted
- Taken out of service
* Asset-based approach draws on work done by Software Engineering Institute at Carnegie-Mellon University
*
|
|
2-B. Assess Vulnerabilities & Threats
- Systems:
weakness may be inherent, created during installation or configuration,
caused by maintenance or patterns of ( mis)use, or by attacks
- Physical plant: exposure to power loss or spikes, floods or burst pipes, overheating or cold, vandalism or fire
- Organization: inadequate policies, training, or staffing
- People: accidental and intentional causes
|
|
2-C. Security Stress Tests
- Diagnostic tests: Periphery, Internals, Shared Spaces
- Operational Reviews
- User evaluation
- Architectural evaluation
Prioritize security gaps
Rank on impact, then probability
*
|
 |
OUTCOME:
Security Project Description
A project description that includes goals, processes, resources, and decision-making standards.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|