Prerequisites: what the BSI Handbook is, what a risk assessment is, and the template for a Threat Risk Assessment (TRA)
+difficult to understand the business processes. For example,
>how many departments there are and what they are
>how they cooperate with each other
>what the inputs and outputs of each department are
>how information is transferred between departments (manually or electronically)
+difficult to capture and represent information in a logical way. For example,
>what medium carries the information: is it held electronically in the information system, or kept manually?
>how to describe the information assets so that we can still make sense of them when we come back to them later. The difficulty is that we have multiple assets with the same or nearly identical names but different meanings, so it is sometimes a challenge to go back to an asset or to reference it unambiguously
>an information asset has a many-to-many relationship with threats → how to store the relationship so that we can query it on the fly. For example, given an information asset, we want to know how many threats can apply to it, and, given a threat, which assets it can apply to
>should we relate a threat to an information asset by the asset's ID number or by its descriptive name? Which one is more helpful for understanding?
>we don't know exactly what can happen, or what the possible impacts are. Even if we put a lot of effort into a detailed threat risk assessment, it will change as the company grows, so when a threat materialises the impact we measure at that time can be far from what we recorded. The reasons can be 1) our analysis was wrong, 2) the context has changed, and therefore so have the possible impacts
>we don't have all the information in place: 1) the company culture was not organised well enough for useful information to be saved appropriately for future use; 2) processes are not well established, so there is no fixed scheme for how data or information is used → hidden information
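A worked example of the asset/threat register discussed above (the many-to-many relationship and the ID-versus-name question), added here and not taken from the original notes or from the BSI handbook. It keeps a stable asset ID alongside a descriptive name, so the name stays meaningful while the ID stays unambiguous, and a junction table makes the asset-to-threat relationship queryable in both directions. The table layout, the column names and the sample assets, threats and links are all constructed assumptions.

```python
"""Minimal asset/threat register backed by SQLite (added example, not part of
the original notes). The schema, column names and all sample rows below are
constructed for illustration; they are not taken from the BSI handbook or
from any real TRA."""
import sqlite3

SCHEMA = """
CREATE TABLE asset (
    asset_id    TEXT PRIMARY KEY,      -- stable reference, e.g. A-003
    name        TEXT NOT NULL,         -- descriptive name; deliberately NOT unique
    department  TEXT NOT NULL,
    medium      TEXT NOT NULL CHECK (medium IN ('electronic', 'manual')),
    description TEXT NOT NULL          -- what this asset actually is
);
CREATE TABLE threat (
    threat_id     TEXT PRIMARY KEY,
    name          TEXT NOT NULL,
    trigger_event TEXT NOT NULL        -- what sets the threat off
);
-- Junction table: one asset faces many threats, one threat hits many assets.
CREATE TABLE asset_threat (
    asset_id  TEXT NOT NULL REFERENCES asset(asset_id),
    threat_id TEXT NOT NULL REFERENCES threat(threat_id),
    PRIMARY KEY (asset_id, threat_id)
);
"""

# Constructed sample data. Two assets share the name "Customer list" on purpose:
# one is the Sales CRM export, the other a paper list kept by Reception.
ASSETS = [
    ("A-001", "Customer list", "Sales", "electronic", "CRM export with contact and contract data"),
    ("A-002", "Customer list", "Reception", "manual", "Paper visitor/customer sign-in sheet"),
    ("A-003", "Payroll file", "Finance", "electronic", "Monthly payroll spreadsheet"),
]
THREATS = [
    ("T-001", "Disclosure to competitor", "insider copies data or loses paper"),
    ("T-002", "Ransomware", "phishing e-mail opened on a workstation"),
    ("T-003", "Physical loss", "document left in a public area"),
]
LINKS = [
    ("A-001", "T-001"), ("A-001", "T-002"),
    ("A-002", "T-001"), ("A-002", "T-003"),
    ("A-003", "T-002"),
]


def build_register() -> sqlite3.Connection:
    """Create an in-memory register and load the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")   # reject links to unknown IDs
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO asset VALUES (?,?,?,?,?)", ASSETS)
    conn.executemany("INSERT INTO threat VALUES (?,?,?)", THREATS)
    conn.executemany("INSERT INTO asset_threat VALUES (?,?)", LINKS)
    conn.commit()
    return conn


def threats_for_asset(conn: sqlite3.Connection, asset_id: str) -> list[str]:
    """Given an asset ID, return the IDs of every threat linked to it."""
    rows = conn.execute(
        "SELECT t.threat_id FROM threat t "
        "JOIN asset_threat link ON link.threat_id = t.threat_id "
        "WHERE link.asset_id = ? ORDER BY t.threat_id", (asset_id,))
    return [r[0] for r in rows]


def assets_for_threat(conn: sqlite3.Connection, threat_id: str) -> list[str]:
    """The reverse query: given a threat ID, which assets can it apply to?"""
    rows = conn.execute(
        "SELECT a.asset_id FROM asset a "
        "JOIN asset_threat link ON link.asset_id = a.asset_id "
        "WHERE link.threat_id = ? ORDER BY a.asset_id", (threat_id,))
    return [r[0] for r in rows]


def assets_named(conn: sqlite3.Connection, name: str) -> list[tuple[str, str, str]]:
    """Look assets up by descriptive name. Returns (id, department, medium) for
    every match; more than one hit is exactly why a name alone is not a safe reference."""
    rows = conn.execute(
        "SELECT asset_id, department, medium FROM asset WHERE name = ? ORDER BY asset_id",
        (name,))
    return [tuple(r) for r in rows]


def describe(conn: sqlite3.Connection, asset_id: str) -> str:
    """Label that pairs the stable ID with the descriptive name, so a later reader
    gets both the unambiguous reference and the meaning."""
    row = conn.execute(
        "SELECT name, department, medium FROM asset WHERE asset_id = ?", (asset_id,)).fetchone()
    if row is None:
        raise KeyError(asset_id)
    name, dept, medium = row
    return f"{asset_id} {name} ({dept}, {medium})"


if __name__ == "__main__":
    c = build_register()
    print(assets_named(c, "Customer list"))   # two hits: the name is ambiguous
    for a in ("A-001", "A-002"):
        print(describe(c, a), "->", threats_for_asset(c, a))
    print("T-001 ->", assets_for_threat(c, "T-001"))
```

Running it shows the two "Customer list" rows resolving to different IDs, departments and media, while the ID-based queries return an unambiguous answer in either direction. The same layout works in a spreadsheet (one sheet per table, the link sheet holding only ID pairs) if a database is more than the team wants to maintain.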
+lack of context
>is an information asset useful and critical if it were exposed to competitors? → requires knowledge of that specific industry
>is an information asset useful to customers? To what extent should we expose it? Can the customer have full access to the information? → we need to research what other companies are doing and how they are doing it
+how important and critical the information assets are
>we have to brainstorm and analyse with “what-if” questions
>which ones need to be introduced to clients
>and which ones need to be hidden or secured for internal use
+how to cope with the growing number of information assets while identifying them
>how to keep track of all of them
>which ones are really information assets
>some information assets do not exist physically but only logically, in the employees' understanding. What are they, and how do we elicit them? → need to understand the business and its scope
+what approach to use in order to address all the possible threats completely
>what-if questions
>the BSI handbook, and so on
>where they can occur and how
>what triggers them
>how to measure the impact in dollar terms
The reason is that after we finish, we need to submit a report on this to the CFO. In other words, we are reporting to business people, and what they understand is money.
>what can happen
>how to know the political impact → market analysis to see what the competitors are doing
>how to measure the frequency
>what is the maximum loss that can happen
>what kind of controls are needed? Preventive or corrective?
>how much it costs to implement the control
>whether the control's benefit (the reduction in the threats' impact) really outweighs its cost
>whether it is suitable for the users or not
*considering the users' physical ability
*considering the complexity of the controls
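A worked example of the dollar-terms questions above (impact, frequency, maximum loss, preventive versus corrective controls, control cost, whether the benefit outweighs it, and suitability for users), added here and not taken from the original notes or from the BSI handbook. It uses the standard annualised loss expectancy figure (single-loss dollars times expected frequency per year) as the comparable number to put in front of a CFO, treats a preventive control as one that lowers the frequency and a corrective control as one that lowers the loss per occurrence, and keeps the worst-case single loss as a separate figure. The threat, the candidate controls and every dollar figure are constructed assumptions.

```python
"""Cost/benefit sketch for one threat and several candidate controls (added
example, not part of the original notes).

    ALE = single-loss amount (dollars) x expected frequency (per year)

The threat, the controls, the reduction percentages and the dollar figures
below are constructed for illustration only."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Threat:
    name: str
    single_loss: float   # expected dollar impact of one occurrence
    frequency: float     # expected occurrences per year
    max_loss: float      # worst case for a single occurrence (reported, not averaged)

    def annual_loss(self) -> float:
        """ALE: what this threat is expected to cost per year."""
        return self.single_loss * self.frequency


@dataclass(frozen=True)
class Control:
    name: str
    kind: str            # "preventive" or "corrective"
    annual_cost: float   # cost to run the control, per year
    reduction: float     # fraction 0..1 of frequency (preventive) or loss (corrective) removed
    usable: bool = True  # can the intended users actually operate it?

    def apply(self, t: Threat) -> Threat:
        """Return the residual threat once this control is in place."""
        if not 0.0 <= self.reduction <= 1.0:
            raise ValueError(f"reduction must be within 0..1, got {self.reduction}")
        if self.kind == "preventive":
            return replace(t, frequency=t.frequency * (1.0 - self.reduction))
        if self.kind == "corrective":
            return replace(t, single_loss=t.single_loss * (1.0 - self.reduction))
        raise ValueError(f"unknown control kind: {self.kind}")


def evaluate(t: Threat, c: Control) -> dict:
    """Compare the ALE with and without the control; dollar figures rounded to cents."""
    before = t.annual_loss()
    after = c.apply(t).annual_loss()
    benefit = before - after
    net = benefit - c.annual_cost
    return {
        "threat": t.name,
        "control": c.name,
        "kind": c.kind,
        "worst_case": round(t.max_loss, 2),   # single-occurrence maximum, shown beside the ALE
        "ale_before": round(before, 2),
        "ale_after": round(after, 2),
        "benefit": round(benefit, 2),
        "cost": round(c.annual_cost, 2),
        "net": round(net, 2),
        # a control is only worthwhile if it pays for itself AND the users can live with it
        "worthwhile": net > 0 and c.usable,
    }


def rank_controls(t: Threat, controls: list[Control]) -> list[dict]:
    """Evaluate every candidate and order them by net annual benefit, best first."""
    return sorted((evaluate(t, c) for c in controls), key=lambda r: r["net"], reverse=True)


# Constructed figures: a ransomware threat against a file server.
RANSOMWARE = Threat("Ransomware on file server", single_loss=80_000, frequency=0.5, max_loss=250_000)
CANDIDATES = [
    Control("Mail filtering and awareness training", "preventive", annual_cost=15_000, reduction=0.6),
    Control("Offline backups", "corrective", annual_cost=30_000, reduction=0.9),
    Control("Full disaster-recovery site", "corrective", annual_cost=50_000, reduction=0.95),
    # pays for itself on paper, but constructed here as unusable for the staff concerned
    Control("Hardware token on every login", "preventive", annual_cost=8_000, reduction=0.3, usable=False),
]

if __name__ == "__main__":
    print(f"{RANSOMWARE.name}: ALE {RANSOMWARE.annual_loss():,.0f}/yr, worst case {RANSOMWARE.max_loss:,.0f}")
    for r in rank_controls(RANSOMWARE, CANDIDATES):
        flag = "worthwhile" if r["worthwhile"] else "not worthwhile"
        print(f"{r['control']:<40} ALE {r['ale_before']:>9,.0f} -> {r['ale_after']:>9,.0f}  "
              f"net {r['net']:>10,.0f}  {flag}")
```

Two things the output makes visible that the questions alone do not: the control that removes the most loss (the disaster-recovery site) is not the one worth buying, because its cost exceeds the loss it removes, and a control with a positive net figure can still be rejected when the users cannot operate it. The worst-case figure is carried separately because an expected annual loss of 40,000 dollars is a different message to a CFO from a possible single loss of 250,000.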