
Expert Advice Community

Risks identification and treatment

Guest user, created: Dec 08, 2016, last commented: Dec 08, 2016

Considering this example: we have our own server (in-house), but we are also using external technical support for patches and incident management by providing remote access. How best to address the problem of unauthorized access to data, potential breach of data protection, and breach of confidentiality?

Expert: Rhand Leal, Dec 08, 2016

Asset: server 1 (internal), threat: fire, system failure, unauthorized access to information, breach of data protection, OR;
Asset: external supplier (technical support), threat: unauthorized access to information, breach of data protection (due to remote access)

Answer: In fact, both of your approaches are correct. By addressing unauthorized access to information and breach of data protection on the server, you cover as a threat anyone who can access the server (internal users, internal technical staff and external technical support). By addressing unauthorized access to information and breach of data protection on the external supplier, you consider that this specific user (the external supplier) is a threat that may require further analysis.

Regarding the application of controls, for the server you could consider limiting user access to the server and its folders by implementing access control lists, while for the external supplier, besides access control lists, you could consider service agreements and procedures for remote access (e.g., remote access would be deactivated by default and only activated when needed).

This article will provide you further explanation about risk identification:
- ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/

These materials will also help you regarding risk identification:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://training.advisera.com/course/iso-27001-foundations-course/
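
As an added illustration of the two controls named in the answer above (this is example code, not part of the original post or of Advisera's materials), the following Python models a default-deny access decision for the in-house server: an access control list that restricts each principal to specific folders, and remote access for the external supplier that is deactivated by default and only activated for a time-boxed window tied to a ticket. All principal names, folder paths, timestamps and the ticket reference are constructed for the example; they are not taken from the thread.

```python
"""Default-deny access decisions for a shared in-house server.

Added example, not code from the original post.  It combines the two
controls discussed above: an access control list (ACL) that limits each
principal to specific folders, and remote access for the external supplier
that is off by default and only enabled for an explicitly opened, time-boxed
window.  All principal names, folders, timestamps and the ticket reference
are constructed for illustration.
"""
import posixpath
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# ACL: principal -> folders it may access (least privilege).  Anyone not
# listed, or any folder not listed, is denied by default.  Constructed data.
ACL = {
    "alice@internal": {"/srv/finance", "/srv/shared"},
    "bob@internal": {"/srv/shared"},
    "vendor-support": {"/var/log", "/opt/patches"},
}

# Principals that connect remotely: their access is deactivated by default
# and requires an open window (e.g. for a patch or incident session).
REMOTE_PRINCIPALS = {"vendor-support"}


@dataclass
class RemoteAccessWindow:
    principal: str
    opened_at: datetime
    duration: timedelta
    ticket: str  # change/incident reference that justifies the session

    def is_active(self, now: datetime) -> bool:
        return self.opened_at <= now < self.opened_at + self.duration


@dataclass
class AccessPolicy:
    acl: dict
    remote_principals: set
    windows: list = field(default_factory=list)

    def open_window(self, principal, now, minutes, ticket):
        """Activate remote access for a bounded period; it closes itself."""
        if principal not in self.remote_principals:
            raise ValueError(f"{principal} is not a remote-access principal")
        window = RemoteAccessWindow(principal, now, timedelta(minutes=minutes), ticket)
        self.windows.append(window)
        return window

    def _folder_permitted(self, principal, folder):
        # Normalise first so "/var/log/../../srv/finance" cannot escape the ACL.
        path = posixpath.normpath(folder)
        return any(path == root or path.startswith(root + "/")
                   for root in self.acl.get(principal, ()))

    def decide(self, principal, folder, now):
        """Return (allowed, reason).  Anything not explicitly permitted
        falls through to a denial."""
        if principal not in self.acl:
            return False, "principal not in ACL"
        if not self._folder_permitted(principal, folder):
            return False, "folder outside principal's ACL"
        if principal in self.remote_principals:
            active = [w for w in self.windows
                      if w.principal == principal and w.is_active(now)]
            if not active:
                return False, "remote access deactivated: no active window"
            return True, f"allowed within window {active[0].ticket}"
        return True, "allowed"


def run_demo():
    """Evaluate constructed requests; returns {label: (allowed, reason)}."""
    t0 = datetime(2016, 12, 8, 9, 0, tzinfo=timezone.utc)
    policy = AccessPolicy(acl=ACL, remote_principals=REMOTE_PRINCIPALS)
    results = {}
    # Supplier tries to connect before anyone has opened a window.
    results["vendor_closed"] = policy.decide("vendor-support", "/var/log", t0)
    # Support session approved for one hour under a constructed ticket.
    policy.open_window("vendor-support", t0, minutes=60, ticket="INC-0001")
    t_mid, t_late = t0 + timedelta(minutes=10), t0 + timedelta(minutes=61)
    results["vendor_in_window"] = policy.decide("vendor-support", "/var/log/syslog", t_mid)
    results["vendor_out_of_scope"] = policy.decide("vendor-support", "/srv/finance", t_mid)
    results["vendor_traversal"] = policy.decide("vendor-support", "/var/log/../../srv/finance", t_mid)
    results["vendor_expired"] = policy.decide("vendor-support", "/var/log", t_late)
    # Internal users are bound by the ACL but need no window.
    results["internal_ok"] = policy.decide("alice@internal", "/srv/finance/q4.xlsx", t0)
    results["internal_denied"] = policy.decide("bob@internal", "/srv/finance", t0)
    results["unknown_user"] = policy.decide("mallory", "/srv/shared", t0)
    return results


if __name__ == "__main__":
    for label, (allowed, reason) in run_demo().items():
        print(f"{label:20s} {'ALLOW' if allowed else 'DENY ':5s} {reason}")
```

The two checks are deliberately independent: the ACL decides what a principal may touch, and the window decides whether the remote principal may connect at all, so an expired session denies the supplier even for folders it is normally entitled to, and an open session never widens the supplier's folder scope. On a real server the same split maps to filesystem ACLs plus an account that stays locked (or a firewall rule that stays closed) until a ticketed session is opened and re-locks when the window ends.
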
Guest: jacekwojdyla, Dec 08, 2016
Thanks! I think I got the point. It seems that it is required to be pragmatic in the assessment...
