Please can I have some guidance on the asset list, specifically thinking about vulnerabilities and threats: it is quite unclear whether we are talking about threats from or to the listed assets, e.g. in terms of the building as an asset the threat options seem to point to a threat to the building, whereas further down, for instance third-party contractors or suppliers seem to be talking about the threat from the third party.
Be grateful for any help.
Please note that threats are always to the assets.
The logic in the asset-vulnerability-threat risk assessment approach is:
- first, you choose an asset that is important to the organization (it can be people, applications, information in physical or electronic form, equipment, infrastructure, or services)
- after that, you associate a vulnerability to the asset, i.e., a weakness inherent to the asset that can be exploited and compromise information-related confidentiality, integrity, and/or availability
- finally, you associate to the pair asset-vulnerability one or more threats, i.e., an agent that exploits the vulnerability and compromises the asset.
Considering that, when you are choosing the assets, you need to think of the elements in the list of assets as being the target of a threat. When you advance in the assessment and are choosing the threats, you need to think of the elements in the list of threats as being the agents that can compromise an asset.
In your example about contractors or suppliers, it seems you are considering that contractors or suppliers are the ones performing the options described in the list of threats (“… threat from the third party.”), when in fact you need to think as if they are suffering the action.
For example, in the risk "Third-party services used over the Internet (e.g., SaaS) (Asset) - Cryptographic keys accessible to unauthorized persons (Vulnerability) - Malicious disclosure of passwords (Threat)", you need to think that it is not the SaaS provider that is performing the malicious disclosure of passwords, but that it is someone with access to the SaaS provider who is disclosing the passwords, so compromising its capability to protect the confidentiality, integrity, and/or availability of the information under its responsibility.
Jun 30, 2023