Thanks for the reply! Just to make sure I understand, my risk identification would look like the following, with these broader organizational risks identified and repeated for each asset?
Asset           | Threat                      | Vulnerability
----------------|-----------------------------|-------------------------------------
Database        | Accidental - Privileged User | Lack of Change Management
Database        | Accidental - Privileged User | Lack of Security Incident Process
Database        | Adversarial - Insider        | Lack of HR Screening Process
Windows Server  | Accidental - Privileged User | Lack of Change Management
Windows Server  | Accidental - Privileged User | Lack of Security Incident Process
Windows Server  | Adversarial - Insider        | Lack of HR Screening Process
Answer:
Yes, you are on the right track, although from my point of view the threat Adversarial - Insider could also be related to the vulnerability Lack of Information Security Awareness.
Finally, this free webinar may be of interest to you: "The basics of risk assessment and treatment according to ISO 27001": https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
Jan 12, 2016