When coming up with a security plan, it's crucial to take an inventory of your information assets and ensure you are protecting each one according to its net worth. While that may sound simple, it's actually a complex process that should involve managers from throughout your organization.
Clint Kreitner, CEO of the non-profit Center for Internet Security, used his keynote presentation at the recent E-Security Conference and Expo in Boston in part to highlight a methodology for conducting such an inventory and the risk analysis that follows. The methodology he cited was developed at Virginia Tech University for its own use. But Kreitner said it is one of the better methodologies he has seen and can be adapted to fit the needs of most any organization.
Virginia Tech recommends conducting the analysis on a departmental level, with input from all team members. On a larger, organization-wide level, the same process could be employed with representatives from each department within the organization.https://o1.qnsr.com/log/p.gif?;n=203;c=204660766;s=9477;x=7936;f=201812281312070;u=j;z=TIMESTAMP;a=20392931;e=iThe first step is to have the team identify all its information assets, including hardware, software, computer systems, services, and any other related technology assets. List the assets in a spreadsheet, then have the team weight them in terms of importance, using terms such as critical, essential and normal.
Next identify risks to those assets, meaning ways in which they could be damaged, stolen, made unavailable or otherwise compromised. The IS team could start with a list of its own but have each department tailor the risk as necessary, adding or deleting items specific to that department. Risks include everything from service interruptions to IP address forgery.
Virginia Tech also recommends ranking the risks, putting those with the potential to affect the largest number of highest-ranking assets at the top of the list. The University offers an Excel spreadsheet template to aid in this process.
Another spreadsheet is used to map the list of assets to the list of risks. Multiplying the assigned ranking for each risk by the ranking of each asset will make clear where your most serious risks lie.
It is then time to consider the probability of each risk coming to fruition before mapping out which items need to be addressed immediately and which may be put on the back burner.
More information on this process, including the templates mentioned above, can be found at http://www.security.vt.edu/playitsafe under the Risk Analysis section.