
Expert Advice Community

Impact level in specification of security requirements

Guest user Created: Oct 29, 2019 Last commented: Oct 29, 2019

In which document is my question: "Specification of safety requirements"
In which area: "Impact level according to the risk assessment:"

Question:
In our risk assessment table, we didn't list each information system; we worked with categories like "application software" or "workstations". Information systems can occur in both categories. Both categories have multiple threats, vulnerabilities, and therefore impact levels. In this case, how is it possible to determine the impact level of the individual information system in the "Specification of security requirements" based on the risk assessment table?

Expert
Rhand Leal Oct 29, 2019

In this case, you have two options:

1 - Use the worst-case scenario for impact, considering the threats and vulnerabilities in the category that is closest to the specific information system you want to determine the impact level for. For example, if you have a threat and vulnerability pair with the highest level of risk and it can be related to your specific information system, you use it as the specification.

2 - Add this individual information system as a specific asset, identify specific threats and vulnerabilities for this information system, and use them as the specification of security requirements.

Please note that one criterion for choosing the proper approach is the criticality of these individual systems (the more critical, the more important it is that this asset is considered individually instead of as part of a group). It will also depend on the type of risks related to the categories you have (sometimes useful risks can be identified from these general categories and you do not have to work on a specific asset).
