I have read an interesting article about creating a risk assessment plan for data security. It covers a 5-step plan for developing a solid foundation for a security strategy. It requires that a team be assembled to get started with the process.
- 1. Identify information assets
Consider which information is important and create a priority list of what needs to be protected.
Examples: social security numbers, designs, human resources data, etc.
- 2. Locate information assets
Identify and list where each item on the information asset list resides within the organization.
Examples: file servers, workstations, phones, databases, etc.
- 3. Classify information assets
Assign a rating to each item on the information asset list; consider using a 1 to 5 scale with the following categories:
Public information, internal information, sensitive internal information, compartmentalized internal information, regulated information
NB. Read more about the examples within each classification category in the article.
- 4. Conduct a threat-modeling exercise
Rate the threats facing the top-rated information assets; one option is Microsoft's STRIDE method:
(Spoofing of Identity, Tampering with Data, Repudiation of Transactions, Information Disclosure, Denial of Service, Elevation of Privilege)
- 5. Finalize data and start planning
Multiply all the cells in the threat worksheet by the classification rating assigned to the asset in step 3; this refers to the worksheet built up during the previous steps.
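As an added illustration of steps 3 to 5 (not code from the article), the script below builds a small worksheet with one STRIDE rating per threat for each asset, multiplies each cell by the asset's classification rating and ranks the assets by their total weighted score. The asset names, locations and all ratings are constructed sample values, and the 1 to 5 scale for threat ratings is an assumption.

```python
# Added example: minimal version of the step-5 worksheet described above.
# Asset names, locations and all ratings are constructed sample values;
# the 1..5 scale for threat ratings is an assumption.
from dataclasses import dataclass, field

STRIDE = ("Spoofing", "Tampering", "Repudiation",
          "Information Disclosure", "Denial of Service", "Elevation of Privilege")

@dataclass
class Asset:
    name: str
    location: str                  # step 2: where the asset resides
    classification: int            # step 3: 1 (public) .. 5 (regulated)
    threats: dict = field(default_factory=dict)  # step 4: one rating per STRIDE threat

def _check_rating(value: int, label: str) -> int:
    if not 1 <= value <= 5:
        raise ValueError(f"{label} rating {value} is outside the 1-5 scale")
    return value

def weighted_row(asset: Asset) -> dict:
    """Step 5: multiply every STRIDE cell by the asset's classification rating."""
    _check_rating(asset.classification, f"{asset.name} classification")
    missing = set(STRIDE) - set(asset.threats)
    if missing:
        raise ValueError(f"{asset.name} has no rating for: {sorted(missing)}")
    return {t: _check_rating(asset.threats[t], f"{asset.name}/{t}") * asset.classification
            for t in STRIDE}

def rank_assets(assets: list) -> list:
    """Return (asset name, total weighted score) pairs, highest risk first."""
    totals = [(a.name, sum(weighted_row(a).values())) for a in assets]
    return sorted(totals, key=lambda pair: pair[1], reverse=True)

# Constructed sample worksheet: three assets, ratings chosen for illustration only.
SAMPLE = [
    Asset("Payroll database", "HR database server", 5,
          dict(zip(STRIDE, (3, 4, 2, 5, 2, 4)))),
    Asset("Product designs", "Engineering file server", 4,
          dict(zip(STRIDE, (2, 3, 1, 5, 1, 3)))),
    Asset("Public web content", "Web server", 1,
          dict(zip(STRIDE, (2, 4, 1, 1, 4, 2)))),
]

if __name__ == "__main__":
    for name, total in rank_assets(SAMPLE):
        print(f"{name:20} total weighted risk = {total}")
```

The validation in `_check_rating` is there so that a cell left empty or typed outside the scale is caught before it silently distorts the ranking.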
Read the article in order to understand the aspects of this approach. It also includes a STRIDE method chart.
The fact that this method is considerable and useful when considering data security makes it definitely something I would experiment with and use further.
The article is available at the following link, LOOK INTO IT!