Hi,
I have very limited time to conduct risk assessments - usually no more than an hour at most. I think it is important to hold a face-to-face consultation to capture the initial info then follow-up by e-mail for further details to cover the inevitable gaps.
How can I make the best use of the F2F time I have - what are the right questions to be asking when using a basic asset-threat-vulnerability methodology?
I appreciate this will be subjective and depends on lots of other factors - I'm just looking for a general approach at this point.
Thanks,
Brian.
First, it is important to note that not all persons will give you direct answers about assets, threats, and vulnerabilities. This is because of their backgrounds (e.g., technical or non-technical) and their knowledge of information security.
Broadly speaking, you should consider at least these questions to identify assets:
- Which information do you have to deliver? To whom? (This last question will help direct you to the next person you should talk to.)
- Which information do you need to do your work? From whom? (This last question will help you check whether all relevant persons have already been covered.)
- Which resources do you need to work with? (Depending on the role of the person, this can lead to general answers, like "information system abc", or to a detailed list of assets.)
For identification of threats and vulnerabilities, you should consider these questions:
- In your opinion, what can negatively affect the information and resources you mentioned? And why?
In short, the questions have to be focused on the context of the interviewee, and from their answers you have to mine the assets, threats, and vulnerabilities.
As a support tool, if you have experience and knowledge of the process involved, you can build a checklist with the most common answers and try to validate them with the interviewee.
Apr 17, 2020