  - ... = the impact of disclosure of confidential information; it can be of various types:
    - Embarrassment (exposure of inappropriate behaviour by company management)
    - Competitive advantage (loss of competitive advantage due to exposure)
    - Legal/regulatory (cost of law violations)
    - General (other losses related to data sensitivity)
  - Volume or quantity of the asset

2. Threat loss factors:
  - Competence: the amount of damage the threat agent is able to inflict
  - Action of the threat agent on the asset:
    - Access (reading the data without proper authorization)
    - Misuse (using the asset without authorization and/or differently from its intended usage)
    - Disclose (the agent lets other people access the data)
    - Modify (modification of data or configuration)
    - Deny access (preventing legitimate, intended users from accessing the asset)
  - Internal vs. external threat agent affiliation

3. Organizational loss factors:
  - Timing of the attack
  - Due diligence undertaken by the organization
  - Response of the organization with regard to:
    - Containment (the ability to limit the breadth and depth of an event)
    - Remediation (the ability to remove the threat agent)
    - Recovery (the ability to bring things back to normal)
  - Detection of the threat in due time

4. External loss factors:
  - Detection of the event by external entities
  - Legal/regulatory fines or judgments imposed by regulation, contract law or case law
  - Competitors taking advantage of the situation
  - Media reaction
  - Stakeholders taking their business elsewhere

A complete overview of the decomposition of Risk as proposed by the FAIR taxonomy is visible in Figure 4.1 on page 59. One notable difference between FAIR and most other conceptual models is that FAIR views "Vulnerability" as a probability (that the force applied by the threat exceeds the strength of the available controls) rather than as "a weakness that may be exploited". In FAIR, the weakness itself is called a "Potential Vulnerability"; the actual Vulnerability depends on the particular Threat and its capabilities.

4.2.3 ISO/IEC 13335-1:2004 Concepts and models for information and communications technology security management

The standard's full title is ISO/IEC 13335-1:2004 Information technology – Security techniques – Management of information and communications technology security – Part 1: Concepts and models for information and communications technology security management. According to its abstract, "ISO/IEC 13335-1:2004 presents the concepts and models fundamental to a basic understanding of ICT security, and addresses the general management issues that are essential to the successful planning, implementation and operation of ICT security. Part 2 of ISO/IEC 13335 provides operational guidance on ICT security. Together these parts can be used to help identify and manage all aspects of ICT security." [1]
In this section, however, we will focus on Part 1 as it is dedicated to discussing useful concepts and models for managing and planning IT Security. Furthermore, Part 2 as a standalone document has since been made obsolete.