The process of threat risk assessment can be used to determine the risk related to any corporate or personal asset, but it is generally treated as an information technology process. The assessment checks that the following security criteria are met:
- Confidentiality: Information must be protected from unauthorized disclosure.
- Integrity: The information should be shielded from improper modification.
- Availability: The information should be protected from denial of service or destruction.
- Acceptable use: The information must be used only for business purposes. An authorized individual can still use information inappropriately and harm the company through loss of availability, integrity, or confidentiality.
Recommended security controls are:
- Administrative: This includes management security policies, organizational structure, administrative directives, operational methods, and assigned responsibilities.
- Physical: Environmental and premises security, including supervision by guards and receptionists and continuous staffing.
- Logical: Technical protection implemented in computer software, hardware, and firmware. Examples are encryption procedures, access control methods, identification and authentication mechanisms, and intrusion detection software.
Analyze the information assets together with the potential threats and vulnerabilities to anticipate future adverse events. The steps of a threat risk assessment are:
- Characterization of information
- Identification of threat
- Identification of vulnerability
- Analysis of safeguards
- Determination of likelihood
- Analysis of impact
- Determination of risk
- Recommendation of safeguard
- Documentation of results
Each of these steps has its own inputs and outputs. Conducting a systematic threat risk assessment is the first step on the road to information protection.
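The nine steps above, carried through in code as an added example (this is not part of the original text and not a published methodology's implementation). It assumes qualitative low/medium/high scales with numeric values modelled on the NIST SP 800-30 style of scoring, a small constructed asset inventory, and a constructed safeguard catalogue keyed by the four security criteria; every name in it is illustrative.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Qualitative scales. The numeric values are an assumption of this example,
# modelled on the NIST SP 800-30 style of scoring.
LEVELS = ["low", "medium", "high"]
LIKELIHOOD = {"low": 0.1, "medium": 0.5, "high": 1.0}
IMPACT = {"low": 10, "medium": 50, "high": 100}


@dataclass
class Safeguard:
    name: str
    control_type: str  # "administrative", "physical" or "logical"
    reduces: str       # the factor it lowers by one level: "likelihood" or "impact"


@dataclass
class Scenario:
    asset: str              # step 1: characterization of information
    criterion: str          # confidentiality / integrity / availability / acceptable use
    threat: str             # step 2: identification of threat
    vulnerability: str      # step 3: identification of vulnerability
    likelihood: str         # raw level before existing safeguards are credited
    impact: str
    safeguards: List[Safeguard] = field(default_factory=list)  # step 4 input


def lower(level: str, steps: int) -> str:
    """Drop a qualitative level by `steps` places, never below 'low'."""
    return LEVELS[max(0, LEVELS.index(level) - steps)]


def residual_levels(s: Scenario) -> tuple:
    """Steps 4-6: credit existing safeguards, then read off residual likelihood and impact."""
    fewer_likely = sum(g.reduces == "likelihood" for g in s.safeguards)
    less_impact = sum(g.reduces == "impact" for g in s.safeguards)
    return lower(s.likelihood, fewer_likely), lower(s.impact, less_impact)


def risk_score(likelihood: str, impact: str) -> float:
    """Step 7: risk = likelihood x impact on the numeric scales above."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def risk_rating(score: float) -> str:
    """Bands for the score (assumed thresholds: >50 high, >10 medium, else low)."""
    if score > 50:
        return "high"
    if score > 10:
        return "medium"
    return "low"


# Step 8 catalogue: candidate safeguards per security criterion, constructed
# for this example, one administrative and one logical control each.
CATALOGUE: Dict[str, List[Safeguard]] = {
    "confidentiality": [Safeguard("data classification policy", "administrative", "likelihood"),
                        Safeguard("encryption of stored data", "logical", "impact")],
    "integrity": [Safeguard("change management procedure", "administrative", "likelihood"),
                  Safeguard("file integrity monitoring", "logical", "likelihood")],
    "availability": [Safeguard("continuity plan", "administrative", "impact"),
                     Safeguard("redundant power and backups", "logical", "impact")],
    "acceptable use": [Safeguard("acceptable use policy", "administrative", "likelihood"),
                       Safeguard("per-user accounts with audit logging", "logical", "likelihood")],
}


def recommend(s: Scenario, rating: str) -> List[str]:
    """Step 8: for medium/high risk, propose catalogue controls of a type not yet in place."""
    if rating == "low":
        return []
    present = {g.control_type for g in s.safeguards}
    return [g.name for g in CATALOGUE.get(s.criterion, []) if g.control_type not in present]


def assess(scenarios: List[Scenario]) -> List[dict]:
    """Step 9: document every scenario as a row, highest residual risk first."""
    rows = []
    for s in scenarios:
        likelihood, impact = residual_levels(s)
        score = risk_score(likelihood, impact)
        rating = risk_rating(score)
        rows.append({"asset": s.asset, "criterion": s.criterion, "threat": s.threat,
                     "vulnerability": s.vulnerability, "likelihood": likelihood,
                     "impact": impact, "score": score, "rating": rating,
                     "recommended": recommend(s, rating)})
    return sorted(rows, key=lambda r: r["score"], reverse=True)


# Constructed inventory (not real systems) used to run the nine steps end to end.
INVENTORY = [
    Scenario("customer database", "confidentiality", "external attacker",
             "unpatched database service", "high", "high"),
    Scenario("payroll server", "availability", "power outage", "no UPS",
             "medium", "high", [Safeguard("offsite backups", "logical", "impact")]),
    Scenario("source repository", "acceptable use", "insider misuse",
             "shared administrator account", "medium", "medium",
             [Safeguard("acceptable use policy", "administrative", "likelihood"),
              Safeguard("per-user accounts with audit logging", "logical", "likelihood")]),
]

if __name__ == "__main__":
    for row in assess(INVENTORY):
        print(f"{row['rating']:6} {row['score']:5.1f}  {row['asset']:18} {row['criterion']:15} "
              f"-> {', '.join(row['recommended']) or 'no change'}")
```

Each safeguard is credited as lowering either likelihood or impact by one level, which is a deliberate simplification: in a real assessment the credit given to a control is a judgement recorded in step 4, and the documented output of step 9 should carry the raw levels alongside the residual ones so that the reasoning can be audited later.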