I. Discuss Risk Assessment Procedures (P5)
- Threat:
A threat is any incident that could negatively affect an asset – for example, if it’s lost,
knocked offline or accessed by an unauthorised party.
Threats can be categorised as circumstances that compromise the confidentiality,
integrity or availability of an asset, and can either be intentional or accidental.
Intentional threats include things such as criminal hacking or a malicious insider stealing
information, whereas accidental threats generally involve employee error, a technical
malfunction or an event that causes physical damage, such as a fire or natural disaster.
Threat identification:
o Equipment malfunction
o Industrial espionage
o Interruption of business processes
o Loss of support services
o Maintenance errors
o Malicious code
o Phishing scams
o Sensitive data being compromised
o Social engineering
o Terrorism threat in the immediate vicinity or affecting nearby transport and
logistics
o Theft of equipment
o Theft of sensitive data
- Vulnerability
A vulnerability is an organisational flaw that can be exploited by a threat to destroy,
damage or compromise an asset.
You are most likely to encounter a vulnerability in your software, due to its
complexity and the frequency with which it is updated. These weaknesses, known
as bugs, can be used by criminal hackers to access sensitive information.
Vulnerabilities don’t only refer to technological flaws, though. They can be physical
weaknesses, such as a broken lock that lets unauthorised parties into a restricted part of
your premises, or poorly written (or non-existent) processes that could lead to
employees exposing information.
Other vulnerabilities include inherent human weaknesses, such as our susceptibility to
phishing emails; structural flaws in the premises, such as a leaky pipe near a power
outlet; and communication errors, such as employees sending information to the wrong
person.