Create your variation on the following table by filling in types of enterprise facilities where they belong - assume that all items are minimal for the identified risk level and higher:
|High threat||Avoid this risk OR do deceptions only here||Use expert facilitated analysis or in-depth protection posture assessments - manage attentively - maturity defined or managed||Use systems analysis - manage continuously - involve top management - reassess continuously - maturity managed or optimizing|
|Medium threat||Avoid or accept the added risk and use minimal due diligence approaches OR lightweight initial and periodic reassessments (annually) - Consider deception - maturity initial or repeatable||Use protection posture assessments OR lightweight initial and periodic reassessments (6 months) - manage carefully - sound change control - accreditation process - manage configurations - maturity defined or higher||Use scenario-based analysis - manage tightly - systematic change management - maturity managed or higher|
|Low threat||Use lightweight initial and periodic reassessments (annually) OR minimal due diligence approaches - vulnerability testing - simple approaches - loose controls - minimum cost and effort - limited review process - maturity initial or repeatable||Use lightweight initial and periodic reassessments (9 months) OR if mandated, probabilistic risk analysis or covering approaches - managed configurations and changes - periodic oversight - maturity repeatable or defined||Treat the threat as at least medium and reassess|
|Low consequence||Medium consequence||High consequence|
Typical ratings would be:
|High threat||N/A||Most local infrastructures, Regional financial institutions, Institutions with specific high quality known threats.||WMD facilities, Nuclear power plants, Chemical plants with deadly chemicals in high volumes, Critical information security providers (e.g., large PKI institutions), Military and intelligence agencies, Weapons systems, Command and control systems, spacecraft and aerial intelligence systems, missile control systems facilities, etc.|
|Medium threat||N/A||Most large enterprises, most non-security government institutions and departments, large educational institutions, etc.||Drug manufacturers, large financial institutions, real-time critical infrastructures (i.e., power and water), mass transportation systems, large financial institutions, plants with mass casualty potential, logistics systems, non-military government security institutions, etc.|
|Low threat||Typical offices, small businesses, small retail outlets, medium sized non-computer-dependent businesses.||Large non-computer critical businesses, most small manufacturers, large office complexes, small and medium manufacturers, etc..||N/A|
|Low consequence||Medium consequence||High consequence|
Use probabilistic risk assessment or covering approaches: As risks increase, more demands are made on systems to assure the utility of content. For medium risk situations, many things are different. Sound change control and accreditation processes are necessary, configurations should be closely managed, and infrastructure supporting the application should fall under closer scrutiny and management. Probabilistic risk analysis may be used for natural threats, and covering approaches for low threat, medium consequences is also reasonable.
Do lightweight initial and periodic reassessments: Lightweight initial and periodic assessments provide a way to achieve many of the objectives of a protection posture assessment at far lower initial cost. The notion is that, for situations that are likely to change rapidly over time, the cost and delay involved in more in-depth processes is not as good a tradeoff as a series of smaller and faster assessments. This is particularly useful in situations where a protection program is being started up or over the period of a major change. These assessments typically only deal with as-is and future state and don't include gap analysis or transition planning. They are normally done every 3-6 months for the duration of the major changes or until the start-up program becomes mature enough for a more thorough process. If an independent audit process is used to verify factual accuracy of assessments, low risk should reassess annually, and medium risk every 6-9 months.
Use protection posture assessments or expert facilitated analysis: Protection posture assessments and expert facilitated analysis are more suitable as the threats increase. While periodic oversight is acceptable at low threat levels, management must keep tighter reins and review at a higher rate for higher consequence systems or systems under more severe threats.
Use scenario-based analysis or systems analysis: When risks reach into the high end, systemic change management comes into play with system-wide testing associated with every significant change. Management rates increase until individual managers are in real-time control over the highest risk systems. Scenario-based analysis becomes increasingly important and, eventually at the highest risk levels, systems analysis becomes necessary. When risks reach into the high end, systemic change management comes into play with system-wide testing associated with every significant change. Management rates increase until individual managers are in real-time control over the highest risk systems. Scenario-based analysis becomes increasingly important and, eventually at the highest risk levels, systems analysis becomes necessary.
Risk management is the core process underlying reasonable and prudent decisions about information protection. In order to make prudent decisions, a risk management process must be put in place. The question is, what process?