To understand what a true enterprise threat assessment entails, it is important to define the goals, scope, limitations, costs, and process. For example, an enterprise might have a supply warehouse, a manufacturing building, and executive offices, and each of these may be ranked based on their function and how they support the enterprise's mission. A water utility may have pumping stations, but its treatment plant is more important if it provides potable water to customers.
Costs
The Costs of Enterprise Threat Assessment are critical in determining whether or not a certain remediation is appropriate. A comprehensive risk assessment identifies vulnerabilities, prioritizes risk levels, and identifies controls that must be implemented to limit the risks associated with those vulnerabilities. The results of the assessment help companies prioritize spending on security and remediation efforts. For example, a thorough assessment of the HIPAA risk assessment may indicate that updating an outdated air conditioner system will save a company thousands of dollars in the long run.
A proper threat assessment is essential to avoid disasters and improve the efficiency of a company's operations. By fully understanding the nature of threats, an organization is better prepared to meet its goals and meet its targets. However, a comprehensive assessment involves ongoing monitoring of environmental factors and other parameters. It is imperative that these factors be monitored continuously and with the right tools. The Costs of Enterprise Threat Assessment will vary, but the benefits outweigh the costs.
Limitations
An enterprise threat assessment is a critical part of risk management for an organization. A threat analysis considers the full spectrum of threats. The ISC standard addresses threats of man-made origin, although individual agencies may expand on their own. When identifying potential threats, a threat assessment should consider the probability of occurrence and evaluate its credibility. For example, historical data can help determine if a given threat is credible. However, the process can also be subjective.
Because of the risks associated with these threats, it is essential to give these assets high values and implement strong protective controls. For example, databases containing Top Secret clearance information could be compromised by a foreign government. Stolen data could reduce the usefulness of an agent and endanger his or her life. Similarly, network services should be assigned high value. However, this is not enough. In order to protect network services from a threat, organizations should assign them high values and implement strong protective controls.
Scope
The scope of an enterprise threat assessment is important for security planning. The process begins by identifying your organization's assets, including the crown jewels. An attacker is most likely to target these assets, which might include an Active Directory server, picture archive, and communications systems. It is imperative that you assess each asset and assess its security risk. Once this information is collected, the next step is to categorize and prioritize these threats.
The scope of your assessment should be defined and cover all of your assets. While you should be able to identify any asset that is important to your organization, it's important to determine the other assets, devices, and information that it touches. The scope of your assessment should be able to determine the risks and vulnerabilities of these assets, as well as how the risk or vulnerability could impact each of these. Once you've determined the scope of your assessment, you can start planning.
Process
The process for enterprise risk management begins with establishing governing business objectives and common language for the assessment of risks. Then, the process determines how to classify potential threats based on their impact and likelihood of occurrence. Then, it considers a variety of future events, or scenarios, and displays them on a map or grid. Depending on the severity of the scenario, the report may suggest mitigation measures. The risk assessment report should also include the severity of threats and how costly they are.
To begin the process, the enterprise must determine which assets and systems are at risk. These assets may include its crown jewels, which are likely to be the target of an attacker. These could include the Active Directory server, the picture archive, and the communications systems. Identifying the crown jewels of the organization helps determine how to approach the threat assessment. This step must be carried out before implementing the measures that will mitigate the risks.
