SANS

The threat and risk assessment process is not a means to an end. It is a continual process that once started should be reviewed regularly to ensure that the protection mechanisms currently in place still meet the required objectives. The assessment should adequately address the security requirements of the organization in terms of integrity, availability and confidentiality. The threat and risk assessment should be an integral part of the overall life cycle of the infrastructure.
Organizations that do not perform a threat and risk analysis are leaving themselves open to situations that could disrupt, damage or destroy their ability to conduct business. Therefore the importance of performing a threat and risk analysis must be realized by both the staff supporting the infrastructure and those that rely upon it for their business.

Human threats
· Hackers
· Theft (electronically and physically)
· Non-technical staff (financial/accounting)
· Accidental
· Inadequately trained IT staff
· Backup operators
· Technicians, Electricians

Non-Human threats
· Floods
· Lightning strikes
· Plumbing
· Viruses
· Fire
· Electrical
· Air (dust)
· Heat control


  1. shinichi Post author

    SANS

    http://www.sans.org/

    The SANS Institute was established in 1989 as a cooperative research and education organization. Its programs now reach more than 165,000 security professionals around the world. A range of individuals from auditors and network administrators, to chief information security officers are sharing the lessons they learn and are jointly finding solutions to the challenges they face. At the heart of SANS are the many security practitioners in varied global organizations from corporations to universities working together to help the entire information security community.

    SANS is the most trusted and by far the largest source for information security training and security certification in the world. It also develops, maintains, and makes available at no cost, the largest collection of research documents about various aspects of information security, and it operates the Internet’s early warning system – the Internet Storm Center.

    SANS provides intensive, immersion training designed to help you and your staff master the practical steps necessary for defending systems and networks against the most dangerous threats – the ones being actively exploited. The courses are full of important and immediately useful techniques that you can put to work as soon as you return to your offices. They were developed through a consensus process involving hundreds of administrators, security managers, and information security professionals, and address both security fundamentals and awareness, and the in-depth technical aspects of the most crucial areas of IT security.

    SANS training can be taken in a classroom setting from SANS-certified instructors, self-paced over the Internet, or in mentored settings in cities around the world. Each year, SANS programs educate more than 12,000 people in the US and internationally. To find the best teachers in each topic in the world, SANS runs a continuous competition for instructors. Last year more than 90 people tried out for the SANS faculty, but only five new people were selected.

    SANS also offers a Work Study Program through which, in return for acting as an important extension of SANS’ conference staff, facilitators may attend classes at a greatly reduced rate. Facilitators are most definitely expected to pull their weight and the educational rewards for their doing so are substantial.

    ・ Information Security Training – More than 400 multi-day courses in 90 cities around the world

    ・ The GIAC Certification Program – Technical certification for people you trust to protect your systems
