Identify potential threats and vulnerabilities (likelihood)

For each of the assets on the schedule, it is now necessary to identify the possible vulnerabilities and the potential threats to the key business systems. There are a high number of threats, and the range of possible vulnerabilities is also substantial. The input of the trained information security expert is, at this point, invaluable. Threats tend to be external to the systems (but not necessarily to the organization). They include hostile outsiders such as hackers, non-hostile outsiders such as suppliers or cleaning contractors, and insiders, both the disaffected and the committed but careless, or even just the poorly trained. Vulnerabilities are security weaknesses in the existing systems, weaknesses that can be exploited by threats, or that allow one or more of the confidentiality, integrity and availability of the asset to be compromised, accidentally or otherwise.

It is necessary to consider the links between threats and vulnerabilities. An example might be cleaning contractors who inadvertently pick up (a minor threat, being the unintentional error of a third party) the only copy of an extremely confidential document off an executive’s desk (a minor vulnerability, the forgetfulness of an executive) in the ordinary course of cleaning, and dispose of it. At this point, only the availability of the data has been affected, and the repercussions might be minor, as it might be possible – if embarrassing and time-consuming – to recreate the document. However, once an industrial espionage operative rummaging through the waste sacks of the organization finds the document and makes it available to the organization’s competitors, the confidentiality of the information will have been compromised and the cost to the organization of the security breach starts increasing dramatically.

A telephone system that crashes, losing all stored voicemail, could have a critical impact on any organization that relies on voicemail for sharing critical information; such an organization needs to have thought through how it will manage the security of these data.

Inevitably, the exercise to identify threats and vulnerabilities to the systems cannot be carried out without also identifying vulnerabilities in systems, and impacts on the organization, that are not necessarily threats to the availability, confidentiality or integrity of its information, but to which there is nevertheless a significant cost. An example is in digital telephone systems that enable direct-line users to access their voicemail externally and to redirect calls. The evident threat to data confidentiality is that unauthorized users could access information stored in voicemail. If voicemails can be deleted externally, then there is the threat that unauthorized users might make information unavailable. In addition, an unauthorized user could be able to use the organization’s telephone number to forward calls to his or her own number anywhere else in the world, or even to dial from the extension to anywhere else in the world. One example of such a breach cost an organization £25,000 in a single weekend of fraudulent activity. There was no threat, here, to information security; there was, however, a vulnerability in the system that was externally exploited at the expense, and to the potential reputational damage, of the organization. There is a paper on the NIST website (www.csrc.nist.gov) that deals with PABX security, and it might be worth reviewing it.

Essentially, threats for each of the systems should be considered under the headings of threats to confidentiality, to integrity and to availability. Some threats will fall under one heading only, others under more than one. It is important to have carried out this analysis systematically and comprehensively, to ensure that no threats are ignored or missed. The quality of the controls that the organization eventually implements will reflect the quality of this particular exercise.

A number of external threats might be classified under all three headings. A hacker might be able to steal confidential data and then disrupt the information system so that data are no longer available or, if they are, they are corrupted. A virus can affect not only the integrity and availability of data but also, because it could mail out a copy of an address book, confidentiality as well. A business interruption, such as a fire in the server room or a filing cabinet, is likely to affect the availability and integrity of information.

Similarly, what is likely to be a threat to one system is not necessarily a threat to another. For example, a fire in the server room is a threat to a number of systems based there, but is unlikely to be a threat to an organization’s mobile phone network.

The standard, at clause 5.1.f, requires management to determine the acceptable level of risk, and this was previously discussed in Chapter 5 and earlier in this chapter.

The penultimate step is to assess the probability or likelihood of each impact occurring and to plot this assessment on to a risk level matrix for each impact. The probabilities that might be used are:

Negligible – Unlikely; less than once every five years

Very low – Likely to occur less frequently than once per year but more frequently than once every five years

Low – Likely to occur more than once every year but less than once every six months

Medium – Likely to occur more than once every six months but less than once every month

High – Likely to occur more than once every month but less than once every week

Very high – Likely to occur more than once every week but less than once every day

Extreme – Likely to occur at least daily

The final step in this exercise is to transfer the risk level assessment for each impact to the asset and risk log. We suggest that three levels of risk are usually adequate: low, moderate and high. Where the likely impact is low and the probability is also low, then the risk level could be considered low; where the impact is at least high and the probability is also at least high, then the risk level would be high; anything between these two measures would be classed as moderate. However, every organization has to decide for itself what it wants to set as the thresholds for categorizing each potential impact, and from time to time it may be helpful to have four or more risk levels in order to prioritize action better.