In consulting with clients concerning their information security needs, one question that comes up often is, "What is the information security threat to our organization?"
To answer this question, we are best served by attacking it from both an internal and an external perspective. In other words, we want to know what a client's most sensitive or highest-value information assets are from their perspective, as well as what types of threats are out there that could place those assets in jeopardy. This is a risk-based approach.
One often overlooked detail is that the goal should be to determine both the most likely and the most dangerous scenarios for the organization. These two are seldom the same, as the priorities of a bad actor targeting an organization -- what he thinks is valuable -- often will be different from what the organization sees as valuable.
Think of the person who comes home to find that his house has been broken into and ransacked and that $25,000 in cash has been stolen. However, the person might actually be relieved when looking around, because he finds that his three original paintings, valued at $100,000+ each, were untouched. Or perhaps his biggest worry on finding he'd been robbed was the draft of his patent application sitting out on his desk. He believes that it is worth millions and will make him rich soon, and the loss of a few thousand in cash is a mere annoyance by contrast. Perhaps the burglar didn't know it was there, perhaps he didn't realize its value, or perhaps he did and just wasn't interested in the effort required to monetize something of no immediate value to him.
So it's important to identify the priority targets from both perspectives, as well as to ensure that the client does not undervalue risks that are not the nearest and dearest to their heart. For instance, it is common for organizations to undervalue the risk to their reputation in a breach that might not compromise or destroy anything of tangible value.
From datadrivensecurity.info: Top 10 Threat Actions by Industry:
http://www.isaca.org/Knowledge-Center/Research/Pages/AdvancedPersistentThreatsAreReal-ml.aspx