Business and Threat Assessments

To support a cyber security strategy it is necessary to conduct a business assessment and evaluation of the organisation’s current state. The breadth and depth of this assessment will again be in proportion to the proposed scope and vision of the strategy. The criteria for an assessment should again reflect the scope but in general the assessment should aim to cover:

  • Geography and locations
  • Business services and operations
  • Organisational structure
  • Legal or regulatory requirements per geography
  • Current business strategies per geography
  • Current risk and threats
  • Current security capabilities
  • Current architecture
  • Current service management and supplier management

The list above is not exhaustive and there may be other specific areas that are beneficial to the strategy but the list above should cover enough to gain a good understanding of the current or AsIs position. The assessment is basically the beginning of the necessary gap analysis required to qualify the strategy, transformation and determine its success. There are a number of different ways to conduct a business assessment and enable the gaps to be identified. These include diagrammatic means such as building block diagrams and use case models or through spreadsheet matrices.

Once the business assessment has been completed and sufficient information has been gathered to form a good understanding of the organisation and its scope of operations, an assessment of the likely threat to these finding can begin. Your security operations should have a security incident classification within the organisation incident management domain which can be used to define threats. This classification or taxonomy of threat types should be used to help produce an initial threat assessment based upon a breakdown of what a threat means and how it manifests. There are a number of useful threat classification model available including those from:

The type of information that is also required if it can be obtained is the following:

  • Security incident reports
  • Assets targeted
  • Geography
  • Impact on business/services
  • Root cause conclusions
  • Repeated incident types
  • Organisation vulnerabilities

A Threat Assessment is built up with the following activities and output:

  1. Define threat types facing organisation and order by severity
  2. Define threat profile for each threat type – including threat actor, motive, FOI or target asset
  3. Define threat scenarios to challenge the organisation and its vulnerabilities

Once you have completed the business and threat assessment and the have an understanding of the current state and operations within the organisation, its vulnerabilities and threats you can conduct a risk assessment. Your risk assessment should follow your organisation risk method or select FAIR or OCTAVE as a means to determine the risk “appetite” or tolerance towards the threat. This tolerance and assessment will influence further assessment types, gap analysis and areas for transformation.

Cyber Security Strategy Business Threat Assessment
Cyber Security Strategy Business & Threat Assessment

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s