To understand risk, you have to understand threat and vulnerability. A business risk results from significant conditions, events, circumstances, actions, or inactions that could adversely affect your company’s ability to achieve its objectives and execute strategies. Risk is a condition that results when vulnerabilities and threats act upon critical assets. We like to use the formula “Vulnerability x Threat = Risk” to demonstrate this. So, what is threat and vulnerability?
A threat is a potential event that could take advantage of a flaw in your protected asset and result in the loss of that asset's confidentiality, integrity, and/or availability (C-I-A). Threats result in undesirable performance of critical assets. There's always a potential flaw that could be exposed. When a threat is identified, think about how it could affect each part of the security triad: integrity, availability, and confidentiality.
Think about this scenario: Your organization is storing boxes of hard-copy, paper patient records. The sprinklers in your building go off, and the records are soaked. You have to hire a company to come in, dry out the records, and restore them to a readable state. What security losses have you had? Availability, but also a loss of integrity, because the data is damaged. It hasn't been stolen, so there's no loss of confidentiality, but the data isn't usable because of water damage. We can't have the full triad of security if we can't use the asset for the purpose it was intended.
Next, let's think about the three types of threats. What are the natural threats? These could be anything like floods, earthquakes, or hurricanes. What are the man-made threats to the assets we're trying to protect? Man-made threats are categorized as intentional, deliberate, or accidental. Could your asset be affected by an environmental threat such as power failure, pollution, chemical damage, or water damage?
A vulnerability is a known or unknown flaw or weakness in an asset that could result in the loss of the asset's integrity, availability, and/or confidentiality. An internal vulnerability could be a lack of security awareness training or no documentation for a critical process. Let's go back to our paper records scenario. The flaws would be the fact that the print can fade over time, so the records could become unusable in the future, and the fact that they exist in only one physical location, so if they are ever lost, that information is gone.
Threat identification and vulnerability identification are both part of a risk assessment. Once you've identified your threats and vulnerabilities, you'll be able to determine how to mitigate the negative impact they could have. The controls you put into place should be based on that assessment of risk.
About Us
KirkpatrickPrice is a licensed CPA firm, PCI QSA, and a HITRUST CSF Assessor, registered with the PCAOB, providing assurance services to over 600 clients in more than 48 states, Canada, Asia, and Europe. The firm has over 12 years of experience in information security and compliance assurance by performing assessments, audits, and tests that strengthen information security and internal controls. KirkpatrickPrice most commonly provides advice on SOC 1, SOC 2, HIPAA, HITRUST CSF, PCI DSS, ISO 27001, FISMA, and CFPB frameworks.