by The Open University
An attacker who threatens your organisation's information assets does so by taking advantage of vulnerabilities in the media and systems which handle them. Vulnerabilities and threats clearly go hand-in-hand: each threat is directed at a vulnerability, and a threat with no matching vulnerability cannot do harm.
The relationship between information assets, threats, vulnerabilities and existing defences is illustrated in Figure 5, which depicts an information asset that is only partially protected by the defences of the media and systems handling it. Some threats will be defeated by these defences, but other threats can take advantage of unprotected vulnerabilities and, in the worst case, compromise the information asset. The aim of an ISMS must be to identify and repair crucial vulnerabilities in media and systems. Figure 5 is adapted from a figure used in a course presented at Stevens Institute of Technology in 2003.
Figure 5 The relationship between information assets, threats, vulnerabilities and existing defences

(a) Define the vulnerability of an information asset.
(b) For each of the following situations, describe the information asset, the medium or system which handles it, a possible threat to it, and a possible defence:
(i) a businessman riding his motorcycle to work and mulling over a new business idea;
(ii) a customer withdrawing money from a cash machine outside a bank;
(iii) a contractor digging holes near an organisation's communications cables;
(iv) a poorly trained IT support person working on a company database.
(a) A vulnerability is a weakness in the defences of an information asset.
(b) We thought of the following answers.
(i) The information asset is the new business idea, the medium is the businessman's memory, and the obvious threat is the businessman being hurt in a motorcycling accident. One possible defence against the threat would be a helmet; a policy of committing new ideas to paper would be a better safeguard.
(ii) The information asset is the customer's PIN, the medium is the keypad used to enter the PIN into the cash machine, and one threat is that someone will see the PIN being entered. Possible defences include shielding the keypad from observers.
(iii) The information asset comprises the data that pass through the cables, the medium is the cables themselves, and a threat is the cutting of the cables. Possible defences include armoured cables and better maps of cable runs.
(iv) The asset is the information in the database, the system is the database itself, and a threat is that the employee's lack of training will lead to some sort of damage to the database, compromising the information it contains. One obvious defence would be to improve the IT support person's training.
Original Copyright © 2007 The Open University. Now made available within the Creative Commons framework under the CC Attribution – Non-commercial licence (see http://creativecommons.org/by-nc-sa/2.0/uk/).