by The Open University
In Section 4 of this unit you learned of the immense value of information to modern organisations. However, without a storage medium of some kind (paper, a hard disk, a whiteboard, a human memory), information is entirely ephemeral. Once recorded in a medium, though, information endures and can be manipulated; but it also becomes subject to the vulnerabilities of that medium and of the systems that access it. And once there are vulnerabilities, there are threats to the security of the information.
In this subsection, we look at how we can develop a systematic approach to assessing the risk of different threats to the security of information assets by analysing the vulnerabilities of the media and systems used to store and manipulate the assets and by estimating the likelihoods of the threats. We shall see how this information can be combined with an evaluation of the impact on an organisation of each security breach to provide a risk assessment for each threat to an information asset.
Study Reading 5, the section from the Introduction to Part 1 of the Standard entitled ‘How to establish security requirements’. How does the Standard define risk assessment? What concepts underpin this definition?
The extract defines the notion of risk assessment for information security assets as the process in which ‘threats to assets are identified, vulnerability to and likelihood of occurrence [are] evaluated and potential impact is estimated’. So risk assessment is defined in terms of the concepts of threat, vulnerability, likelihood and impact.
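In practice the four concepts in that definition are recorded, per asset and per threat, in a risk register, and the likelihood and impact estimates are combined to rank the threats. The following is an added example and is not code from the unit or from the Standard: a small Python risk register with constructed entries for a fictitious organisation. The five-point likelihood and impact scales, the likelihood × impact product and the high/medium/low thresholds are assumptions of the example (a widely used qualitative convention); the extract itself prescribes no particular scoring method.

```python
"""Risk register built on the threat / vulnerability / likelihood / impact model.

Added example, not part of the Open University unit or the Standard.  The
rating scales, the likelihood x impact product and the level thresholds are
assumptions of this example, not something the extract specifies.
"""

from dataclasses import dataclass

# Assumed five-point qualitative scales (not from the extract).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Threat:
    """One threat to one information asset, with the vulnerability it exploits."""

    asset: str          # the information asset
    medium: str         # where the asset is stored (paper, disk, whiteboard, ...)
    threat: str         # what could go wrong
    vulnerability: str  # the weakness of the medium or system that the threat exploits
    likelihood: str     # estimated likelihood of occurrence (key of LIKELIHOOD)
    impact: str         # estimated impact on the organisation (key of IMPACT)

    def risk_score(self) -> int:
        """Combine likelihood and impact; rejects ratings outside the scales."""
        if self.likelihood not in LIKELIHOOD:
            raise ValueError(f"unknown likelihood rating: {self.likelihood!r}")
        if self.impact not in IMPACT:
            raise ValueError(f"unknown impact rating: {self.impact!r}")
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]


def risk_level(score: int) -> str:
    """Map a 1..25 score to a level; thresholds are an assumption of this example."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def assess(register):
    """Score every asset/threat pair and rank them by descending risk."""
    rows = []
    for entry in register:
        score = entry.risk_score()
        rows.append({
            "asset": entry.asset,
            "threat": entry.threat,
            "vulnerability": entry.vulnerability,
            "score": score,
            "level": risk_level(score),
        })
    return sorted(rows, key=lambda r: r["score"], reverse=True)


def summarise(rows):
    """Count how many threats fall into each level."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for row in rows:
        counts[row["level"]] += 1
    return counts


# Constructed sample register for a fictitious organisation.
REGISTER = [
    Threat("customer database", "hard disk on file server", "disk failure",
           "no off-site backup", "possible", "major"),
    Threat("customer database", "hard disk on file server", "unauthorised access",
           "default administrator password", "likely", "severe"),
    Threat("meeting minutes", "whiteboard", "disclosure to visitors",
           "meeting room left unlocked", "almost certain", "minor"),
    Threat("signed contracts", "paper in filing cabinet", "fire",
           "cabinet is not fire-rated", "rare", "major"),
]


if __name__ == "__main__":
    ranked = assess(REGISTER)
    for row in ranked:
        print(f"{row['level']:6} {row['score']:2}  {row['asset']}: "
              f"{row['threat']} (via {row['vulnerability']})")
    print(summarise(ranked))
```

Note that the same asset appears twice: risk is assessed per threat, not per asset, and the two threats to the customer database receive different scores because they exploit different vulnerabilities with different likelihoods. Rejecting ratings that are not on the agreed scale keeps the register consistent when several people contribute estimates.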
Original Copyright © 2007 The Open University. Now made available within the Creative Commons framework under the CC Attribution – Non-commercial licence (see http://creativecommons.org/by-nc-sa/2.0/uk/).