Impact level in specification of security requirements
In which document is my question: "Specification of safety requirements"
In which area: "Impact level according to the risk assessment:"
Question:
In our risk assessment table, we didn't list each information system; we worked with categories like "application software" or "workstations". Information systems can occur in both categories. Both categories have multiple threats, vulnerabilities, and therefore impact levels. In this case, how is it possible to determine the impact level of the individual information system in the "Specification of security requirements" based on the risk assessment table?
In this case, you have two options:
1 - Use the worst-case scenario for impact, considering the threats and vulnerabilities in the category that is closest to the specific information system you want to determine the impact level for. For example, if you have a threat and vulnerability pair with the highest level of risk and it can be related to your specific information system, you use it as the specification.
2 - Add this individual information system as a specific asset, identify specific threats and vulnerabilities for this information system, and use them as the specification of security requirements.
Please note that one criterion for choosing the proper approach will be the criticality of these individual systems (the more critical, the more important it is that this asset is considered individually instead of as part of a group). It will also depend on the type of risks related to the categories you have (sometimes useful risks can be identified from these general categories and you do not have to work on a specific asset).
Oct 29, 2019