Guest
Is it a fairly standard procedure, when considering risk assessment to follow this idea:
List all the assets which will include buildings, Servers, Networks, HR data, payroll data, Pension data, training records etc
Apply a standard set of threats to each and every asset regardless of whether it's a physical asset or an information asset (e.g. environmental, deliberate external asset compromise, deliberate internal, accidental internal, loss of staff etc.). In this example we'd apply the 5 threats to each asset to generate the risks, i.e. the 7 assets listed would yield 35 risks.
Score the risks and generate the treatment plan
Is it overkill to list each data type? Should we just list the threats against the 3 or 4 data classification types as well as the physical assets?
Any advice greatly appreciated.
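The asset-by-threat procedure described in the question, worked through as an added example (not the poster's own material): it builds the full 7 x 5 register, scores each risk as likelihood x impact, and also shows the alternative the question raises, where information assets are collapsed onto their data classification while physical assets stay individual. The asset names and threat list are those from the post; the classifications, the 1-5 likelihood and impact values, and the treatment threshold are constructed for illustration.

```python
from dataclasses import dataclass
from itertools import product

# Constructed inventory (hypothetical classifications; only the asset names
# come from the post). name -> (kind, classification); physical assets carry
# no data classification.
ASSETS = {
    "Buildings":        ("physical", None),
    "Servers":          ("physical", None),
    "Networks":         ("physical", None),
    "HR data":          ("information", "Confidential"),
    "Payroll data":     ("information", "Confidential"),
    "Pension data":     ("information", "Confidential"),
    "Training records": ("information", "Internal"),
}

# The standard threat set applied to every asset.
THREATS = [
    "Environmental",
    "Deliberate external compromise",
    "Deliberate internal compromise",
    "Accidental internal",
    "Loss of staff",
]

# Constructed scoring inputs on a 1-5 scale. Likelihood is modelled as a
# property of the threat; impact as a property of the asset (its data
# classification, or its kind for physical assets).
LIKELIHOOD = {
    "Environmental": 2,
    "Deliberate external compromise": 4,
    "Deliberate internal compromise": 2,
    "Accidental internal": 4,
    "Loss of staff": 3,
}
IMPACT = {"Confidential": 5, "Internal": 2, "physical": 4}


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    likelihood: int
    impact: int

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


def impact_for(asset: str) -> int:
    kind, classification = ASSETS[asset]
    return IMPACT[classification] if kind == "information" else IMPACT[kind]


def build_register(assets=ASSETS, threats=THREATS) -> list[Risk]:
    """Step 2 of the post: every threat against every asset,
    giving len(assets) * len(threats) risks (7 * 5 = 35 here)."""
    return [Risk(a, t, LIKELIHOOD[t], impact_for(a)) for a, t in product(assets, threats)]


def collapse_by_classification(register: list[Risk]) -> dict[tuple[str, str], Risk]:
    """The alternative the post asks about: physical assets stay individual, but
    each information asset is replaced by its classification. The highest-scoring
    member of a group is kept so that grouping never understates a risk."""
    grouped: dict[tuple[str, str], Risk] = {}
    for r in register:
        kind, classification = ASSETS[r.asset]
        key = (classification if kind == "information" else r.asset, r.threat)
        if key not in grouped or r.score > grouped[key].score:
            grouped[key] = r
    return grouped


def treatment_plan(register, threshold: int = 12) -> list[Risk]:
    """Step 3: risks scoring at or above the threshold go on the treatment plan,
    highest score first."""
    return sorted((r for r in register if r.score >= threshold), key=lambda r: -r.score)


if __name__ == "__main__":
    reg = build_register()
    print(f"{len(reg)} risks from {len(ASSETS)} assets x {len(THREATS)} threats")
    collapsed = collapse_by_classification(reg)
    print(f"{len(collapsed)} rows when information assets are grouped by classification")
    for r in treatment_plan(reg):
        print(f"{r.score:>2}  {r.asset:<17} {r.threat}")
```

Running it prints 35 rows for the per-asset register and 25 when the four information assets fold into two classifications; the collapsed form keeps the register smaller, but the register row no longer says which asset within a classification drove the score, which is the trade-off behind the question.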