So what is risk, especially relating to IT and information? Simply, it is the intersection of assets, threats and vulnerabilities, although things are rarely simple.
To provide a basis for risk management prioritisation, some will try to make qualitative or quantitative calculations, using whatever data is at hand, although they frequently end up with little more than educated guesses.
Assets
These are the things you value and may wish to try and protect, including people, property (tangible and intangible), information and data. This includes your reputation, proprietary information, databases, code, sensitive records, equipment and services. All assets can be assigned a value and this can help inform the effort you make in protecting them, if they are under your control.
Threats
These are the things that might affect your assets, exploiting a vulnerability (accidentally or intentionally), to access, change, damage or destroy them.
The threats may range from non-malicious staff stumbling over a flaw, through to highly resourced and motivated state actors intentionally targeting assets and creating or exploiting weaknesses to effect undetected access.
Vulnerabilities
These are weaknesses that a threat can exploit to compromise an asset. They can be at the people, processes or technology level, and the intent of the person, process or program exploiting a flaw to gain unauthorised access to an asset is irrelevant to the vulnerability. Most of these are down to software coding errors and a lack of analysis and testing, although some are deliberate and insidious.
Risk needs to be managed within acceptable limits, and understanding your assets, threats and vulnerabilities is a necessary first step.
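To make the prioritisation paragraph and the asset/threat/vulnerability definitions above concrete, here is an added example (not part of the original column) of a small risk register scored both quantitatively (annualised loss expectancy) and qualitatively (likelihood x impact); the register entries, values and ranges are constructed for illustration, and the bounds on the rate-of-occurrence guess show how often the ranking itself is no more certain than the estimates feeding it.

```python
from dataclasses import dataclass

@dataclass
class Risk:
    """One register line: an asset, a threat, and the vulnerability the threat could exploit."""
    asset: str
    threat: str
    vulnerability: str
    asset_value: float          # quantitative: cost to the business if fully lost (GBP)
    exposure: float             # fraction of asset_value lost per incident, 0..1
    aro: float                  # best-guess annual rate of occurrence
    aro_range: tuple            # (low, high) bounds on that guess
    likelihood: int             # qualitative 1 (rare) .. 5 (almost certain)
    impact: int                 # qualitative 1 (negligible) .. 5 (severe)

def ale(risk, aro=None):
    """Annualised loss expectancy: single-loss expectancy (value * exposure) times ARO."""
    rate_per_year = risk.aro if aro is None else aro
    return round(risk.asset_value * risk.exposure * rate_per_year, 2)

def ale_bounds(risk):
    """ALE at the low and high ends of the ARO estimate, to expose the uncertainty."""
    low, high = risk.aro_range
    return ale(risk, low), ale(risk, high)

def qualitative_rating(risk):
    """Likelihood x impact matrix, banded the way many qualitative registers do it."""
    score = risk.likelihood * risk.impact
    return "high" if score >= 15 else "medium" if score >= 8 else "low"

def prioritise(register):
    """Rank by best-guess ALE, highest first."""
    return sorted(register, key=ale, reverse=True)

def ranking_is_robust(higher, lower):
    """True only if the lower risk's most pessimistic ALE stays below the higher risk's
    most optimistic ALE, i.e. the order survives the guesswork in the estimates."""
    return ale_bounds(lower)[1] < ale_bounds(higher)[0]

# Constructed sample register (hypothetical values, not taken from the article).
REGISTER = [
    Risk("customer database", "external attacker", "unpatched web application",
         500_000, 0.6, 0.2, (0.05, 0.5), 3, 5),
    Risk("laptop fleet", "theft", "no full-disk encryption",
         80_000, 0.1, 2.0, (1.0, 4.0), 5, 2),
    Risk("public website", "defacement", "weak admin credentials",
         40_000, 0.5, 1.0, (0.5, 3.0), 4, 2),
]

if __name__ == "__main__":
    ranked = prioritise(REGISTER)
    for r in ranked:
        lo, hi = ale_bounds(r)
        print(f"{r.asset:18} ALE {ale(r):>9,.0f} (range {lo:,.0f}-{hi:,.0f}) {qualitative_rating(r)}")
    for higher, lower in zip(ranked, ranked[1:]):
        verdict = "robust" if ranking_is_robust(higher, lower) else "depends on the estimates"
        print(f"{higher.asset} over {lower.asset}: {verdict}")
```

With these constructed figures the database ranks first on best-guess ALE, yet neither adjacent pair of rankings is robust once the estimate ranges are taken into account, which is the "educated guesses" caveat in numbers.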
www.bcs.org/security
Gareth Niblett, Chairman of the BCS Information Security Specialist Group, examines risk and how we can deal with it.
FURTHER INFORMATION
Information Security Specialist Group (ISSG): www.bcs-issg.org.uk
Information Risk Management and Assurance Specialist Group: www.bcs.org/groups/irma
BCS Security Community of Expertise (SCoE): www.bcs.org/securitycommunity
THE RISK BUSINESS
doi:10.1093/itnow/bwu041 ©2014 The British Computer Society
Image: Digital Vision/dv617043
24 ITNOW June 2014
Are you ready for the next wave of computing? Our Next Wave whitepaper series examines the technological trends set to impact business and the skills of the workforce.
bcs.org/nextwave
© BCS, The Chartered Institute for IT, is the business name of The British Computer Society (Registered charity no. 292786) 2014