There are three basic methods that can be used to evaluate the security of an organization:
- Compliance Assessments
  - Are the controls that are prescribed to prevent unauthorized disclosure, modification, and interruption in place?
- Vulnerability Assessments
  - Are the controls that are in place working properly to prevent unauthorized disclosure, modification, and interruption?
- Risk Assessments
  - What controls are required to appropriately prevent unauthorized disclosure, modification, and interruption?
What is a risk?
The best definition I have ever heard is "A risk is the potential for something bad to happen."
However, many organizations conduct a "risk assessment" simply by comparing the controls in place to a list of prescribed controls and labeling every gap as a risk. That answers the compliance question above, not the risk question. An analogy helps explain the disconnect.
Car Insurance Analogy
Is the lack of car insurance a risk? According to the definition above, clearly not. Getting your car wrecked is an example of a bad thing that can happen (an Event), and there is clearly some potential for this with every car owned in the world. Not having car insurance simply increases the impact of the Event. There are many other Conditions that contribute to the impact of the Event, e.g. the price of the car, the availability of repair parts, who is responsible for the damage, the extent of the damage, etc. There are also Conditions that contribute to the likelihood of the Event, e.g. the number of miles driven, the frequency of driving, road congestion, road conditions, etc.
Evaluating the potential of a car wreck must involve analysis of (at least some of) these Conditions.
Most US states prescribe minimum coverages for car insurance. Here are the minimums for vehicle liability in Illinois:
- $20,000 - injury or death of one person in an accident
- $40,000 - injury or death of more than one person in an accident
- $15,000 - damage to property of another person
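To make the distinction concrete, here is a small Python model of the analogy above. It is an added example, not code from the original post: the Event, Condition and figure values (mileage, road state, deductible, base likelihood and cost) are constructed for illustration. Insurance appears as a Condition that changes only the impact, so the likelihood is identical with or without it, while a compliance check only reports which prescribed controls are missing.

```python
from dataclasses import dataclass, field

@dataclass
class Condition:
    """Something that changes how likely an Event is, or how bad it is when it happens."""
    name: str
    affects: str     # "likelihood" or "impact"
    factor: float    # multiplier on the base value; 1.0 means no change

@dataclass
class Event:
    """A bad thing that can happen. The risk is its potential: likelihood times impact."""
    name: str
    base_likelihood: float                 # annual probability (constructed estimate)
    base_impact: float                     # cost in dollars if it happens (constructed)
    conditions: list = field(default_factory=list)

    def _scaled(self, kind, base):
        for c in self.conditions:
            if c.affects == kind:
                base *= c.factor
        return base

    def likelihood(self):
        return min(1.0, self._scaled("likelihood", self.base_likelihood))

    def impact(self):
        return self._scaled("impact", self.base_impact)

    def expected_annual_loss(self):
        return self.likelihood() * self.impact()

# Constructed, illustrative figures for the analogy; not actuarial data.
HIGH_MILEAGE = Condition("drives 25,000 miles a year", "likelihood", 1.5)
ICY_ROADS = Condition("icy rural roads in winter", "likelihood", 1.2)
INSURANCE = Condition("car insurance, $1,000 deductible", "impact", 0.1)

def car_wreck(insured):
    """The Event from the analogy, with or without the insurance control in place."""
    conditions = [HIGH_MILEAGE, ICY_ROADS] + ([INSURANCE] if insured else [])
    return Event("car wreck", base_likelihood=0.04, base_impact=30000.0, conditions=conditions)

def compliance_gaps(prescribed, in_place):
    """Compliance assessment: prescribed controls that are missing. A gap is a finding, not a risk."""
    return sorted(set(prescribed) - set(in_place))

if __name__ == "__main__":
    for e in (car_wreck(False), car_wreck(True)):
        print(e.name, e.conditions[-1].name, e.likelihood(), e.impact(), e.expected_annual_loss())
```

Run it and the uninsured and insured cases print the same likelihood (0.072) but an impact of $30,000 versus $3,000, which is the whole point: the missing control changes the size of the bad outcome, not the chance of it.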