Arguably, the most difficult part of the risk management planning process is anticipating all the possible threats that could affect the company's data in the future. Each of the three basic properties the plan must protect (confidentiality, integrity, and availability) can be compromised in any number of specific ways, but the general threat categories are listed in Table 3-6.
TABLE 3-6 Risk management threat possibilities

| Confidentiality | Integrity | Availability |
| --- | --- | --- |
| Theft of data by an internal employee | Accidental alteration of data by an internal user | Accidental damage or destruction of data by an internal user |
| Theft of data by an external intruder | Intentional alteration of data by an internal employee | Intentional damage or destruction of data by an internal user |
| Inadvertent disclosure of data | Intentional alteration of data by an external intruder | Intentional damage or destruction of data by an external intruder |
|  |  | Damage or destruction of data by a natural disaster |
The core of the risk management process is to enumerate potential threats in detail and then use the information gathered earlier in the data, hardware, and user inventories to estimate two things about each threat: how severe the damage would be if it occurred, and how likely it is to occur. For example, the company's client sales figures are far more likely to be disclosed because a traveling user misplaces a smartphone than because a competitor breaks into the company headquarters at night and hacks into a workstation to steal the same information. The severity is the same in both scenarios, since the same data is exposed, but the lost smartphone is the far more likely occurrence, so administrators should expend a greater effort on mitigating that possibility.
Now consider the same burglary from a different angle. In one scenario, the intruder steals those client sales figures; in another, the intruder deliberately damages the company's web servers, taking the company's e-commerce site down for several days. The two scenarios are roughly equally likely, but the web server damage is the far more severe threat because it interrupts the company's income stream. Therefore, the more severe threat warrants the greater prevention effort. Ranking threats on both dimensions together, rather than on either one alone, is what allows a team to spend a limited security budget where it reduces the most risk.
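The two comparisons above can be made systematic with a simple likelihood-times-severity ranking. The following is an added example, not code from the original text: the 1-5 rating scales, the treatment tiers, the scenario names and the ratings assigned to them are illustrative assumptions chosen to mirror the book's two comparisons, not figures the book supplies.

```python
"""Rank threat scenarios by likelihood and severity.

Added example, not code from the original text. The 1-5 scales, the tier
thresholds, the scenario names and their ratings are assumptions.
"""
from dataclasses import dataclass

# Qualitative rating scale shared by likelihood and severity (assumption).
LEVELS = {"very low": 1, "low": 2, "medium": 3, "high": 4, "very high": 5}

# Treatment tiers keyed on the likelihood x severity product (assumption).
TIERS = ((15, "mitigate now"), (8, "plan mitigation"), (0, "accept and monitor"))

CIA = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class Threat:
    name: str
    affects: str       # Table 3-6 column: one of CIA
    likelihood: str    # key of LEVELS
    severity: str      # key of LEVELS

    def __post_init__(self) -> None:
        # Reject ratings outside the agreed scale so a typo cannot silently
        # drop a threat to the bottom (or top) of the ranking.
        for field_name in ("likelihood", "severity"):
            if getattr(self, field_name) not in LEVELS:
                raise ValueError(f"{field_name} must be one of {sorted(LEVELS)}")
        if self.affects not in CIA:
            raise ValueError(f"affects must be one of {CIA}")


def risk_score(threat: Threat) -> int:
    """Likelihood x severity on the 1-5 scales; range 1..25."""
    return LEVELS[threat.likelihood] * LEVELS[threat.severity]


def tier(threat: Threat) -> str:
    """Map a threat's score to a treatment tier using the assumed TIERS."""
    score = risk_score(threat)
    for floor, label in TIERS:
        if score >= floor:
            return label
    return TIERS[-1][1]


def rank_threats(threats):
    """Highest risk first. Ties on score go to the more severe threat, then
    to the more likely one, so an equally scored outage outranks a leak."""
    return sorted(
        threats,
        key=lambda t: (risk_score(t), LEVELS[t.severity], LEVELS[t.likelihood]),
        reverse=True,
    )


def heat_map(threats):
    """5x5 grid, grid[severity-1][likelihood-1] = number of threats there."""
    grid = [[0] * 5 for _ in range(5)]
    for t in threats:
        grid[LEVELS[t.severity] - 1][LEVELS[t.likelihood] - 1] += 1
    return grid


# Constructed scenarios mirroring the text's two comparisons (ratings assumed).
SMARTPHONE = Threat("Sales figures on a misplaced smartphone",
                    "confidentiality", "high", "medium")
BURGLARY_THEFT = Threat("Sales figures stolen from a workstation in a burglary",
                        "confidentiality", "low", "medium")
BURGLARY_OUTAGE = Threat("Web servers destroyed in a burglary, site down for days",
                         "availability", "low", "very high")
SCENARIOS = [BURGLARY_THEFT, SMARTPHONE, BURGLARY_OUTAGE]

if __name__ == "__main__":
    for t in rank_threats(SCENARIOS):
        print(f"{risk_score(t):2d}  {tier(t):18s}  {t.name}")
```

With these ratings the lost smartphone ranks first (same severity as the burglary theft, higher likelihood) and the web server outage ranks second (same likelihood as the burglary theft, higher severity), which is exactly the ordering the two paragraphs above argue for. The `heat_map` grid is the severity-versus-likelihood matrix the team updates at each review, and the `ValueError` checks keep a mistyped rating from corrupting it.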
Microsoft 365 provides tools administrators can use to predict, detect, and respond to security threats. However, a comprehensive risk management plan goes beyond these types of tools and incorporates purchasing, hiring, building, and administration policies.
Updating the plan
Risk management is not a one-time event; it must be a continual process to be effective. Security threats evolve rapidly, so the protection against them must evolve as well. At least once a year, and whenever a significant change occurs (such as a migration to a new platform, a merger, or a security incident), the risk management team should repeat the entire assessment process, updating the inventories of the organization's information, hardware, and human assets to ensure that no changes have occurred without the company's knowledge. The team must also update the threat severity and likelihood matrix. New or changed threats will require new security tools, procedures, and policies to protect against them.
In addition to the internal updates of the risk management plan, an organization might want to engage outside contractors to perform a vulnerability assessment, which identifies weaknesses in the organization's security infrastructure that the threats in the plan could exploit. Depending on the size of the organization and the current nature of its possible threats, a vulnerability assessment can be a minor and relatively inexpensive procedure or an elaborate and costly undertaking.
Some of the specific types of vulnerability assessments are as follows:
- Network scan: Identifies avenues of possible attack through the internal network and Internet connections, including router, firewall, and virtual private network (VPN) configurations
- Wireless network scan: Evaluates the organization's Wi-Fi networks for vulnerabilities, including improper configuration, antenna placement, and rogue access points
- Host scan: Identifies vulnerabilities in servers, workstations, and other network hosts, including open ports and running services, configuration settings, and patch levels
- Application scan: Examines web servers and other Internet-accessible servers for software vulnerabilities and configuration issues
- Database scan: Identifies database-specific weaknesses in database servers and in the databases themselves
Another method of assessing security vulnerabilities in an organization's risk management system is a penetration test. In a penetration test, an outside contractor is engaged to attempt an attack on the company's systems, both to determine whether the potential vulnerabilities identified in the risk management process are actually exploitable and to assess the organization's detection and response procedures. Because the tester deliberately performs actions that would otherwise be intrusions, the engagement must be governed by written authorization that defines its scope and rules before any testing begins.