When assessing the risks that are present for an individual
information system, you must consider a variety of elements.
These include the enterprise, which is the owning
or operating organization, and the environment, which is everything around
a system that could affect it.
Information resides within the environment, the enterprise,
and the information system. The type of information and the level of security
required to safeguard that information are one key to determining the security
posture for the information system.
There are many known threats to a system, which may
include hackers, viruses, and power outages.
Also, there are known vulnerabilities of the system.
These vulnerabilities may reside within the operating system, in the external
network connections, or simply within the building where the information
system is housed. Vulnerabilities may include obvious passwords, unsecured
work areas, or untrained users.
The first step in the risk management model is to
identify these threats and vulnerabilities and their sources.