Today’s organizations are constantly bombarded with cybersecurity threats. IT managers frequently lose sleep over botnets, malware, worms and hacking. Rather than reach for a sleep aid, organizations need a clear methodology for prioritizing and addressing cybersecurity risks. Here are five clear steps to develop a solid foundation for a security strategy.
1. Identify Information Assets
Consider the primary types of information the organization handles (e.g., social security numbers, payment card numbers, patient records, product designs) and make a prioritized list of what needs to be protected.
2. Locate Information Assets
Identify and list where each item on the information asset list resides (e.g., file servers, workstations, laptops, removable media, PDAs and phones, databases).
3. Classify Information Assets
Assign a rating to each item on your information asset list. Consider a 1-5 priority scale with the following categories: (1) public information, (2) internal, but not secret, information, (3) sensitive internal information, (4) compartmentalized internal information, and (5) regulated information. This type of classification lets the organization rank information assets by the harm that would be caused if the information were disclosed or altered.
4. Conduct a Threat Modeling Exercise
Rate the threats that the top-rated information assets face. One option is to use Microsoft’s S.T.R.I.D.E. method, which is simple, clear and covers the main threat categories. Develop a spreadsheet for each asset, with one row for each of the six S.T.R.I.D.E. categories:
Spoofing of identity
Tampering with data
Repudiation of transactions
Information disclosure
Denial of service
Elevation of privilege
In the spreadsheet, make one column for each of the data locations identified in Step 2. For each cell, estimate both the probability that the threat is actually carried out against the asset at that location and the impact that a successful exploitation would have on the organization. Use a 1-10 scale in which 1 is “not very likely” or “minimal impact” and 10 is “quite probable” or “catastrophic.” Then multiply the two numbers and write the product in the cell, so that every cell holds a number from 1 to 100. Do not leave cells blank: an unestimated cell is a gap in the analysis, not a low risk.
5. Finalize Data and Start Planning
Multiply the total in each cell of every worksheet by the classification ranking assigned to the asset in Step 3. The weighted totals, which range from 1 to 500, give a rational ranking of the cyber threats posed to the organization’s information. Bear in mind that these are products of estimated scores, so use them to order the work rather than as an absolute measure of loss, and revisit the estimates whenever an asset moves to a new location or a new threat appears. A reasonable security plan will start by tackling the risks with the highest totals and then assign a lower priority to mitigating those with lower totals. In an ideal world you will find a way to lessen all your risks, but be sure to take care of the big threats first.
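The following is an added example, not code from the original article, showing the five steps carried through end to end in a small Python script instead of a spreadsheet. The assets, locations, classifications and probability/impact estimates are constructed for illustration; the asset names and scores are not taken from any real organization. It keeps the six S.T.R.I.D.E. categories, rejects scores outside the 1-10 and 1-5 scales, refuses to rank an asset/location pair for which no estimates were entered (so a gap cannot silently score as low risk) and returns the cells sorted by weighted total, highest first.

```python
"""Five-step risk ranking: identify, locate, classify, STRIDE-score, weight and rank.

Added illustration of the article's method; all assets and estimates below are
constructed sample data, not measurements from a real environment.
"""
from dataclasses import dataclass

# Step 4: the six STRIDE threat categories, in order.
STRIDE = (
    "Spoofing of identity",
    "Tampering with data",
    "Repudiation of transactions",
    "Information disclosure",
    "Denial of service",
    "Elevation of privilege",
)


@dataclass(frozen=True)
class Asset:
    """Step 1 (name), Step 3 (classification 1-5) and Step 2 (locations) for one asset."""
    name: str
    classification: int
    locations: tuple


def _check_scale(value, lo, hi, what):
    """Reject anything that is not an integer inside the scale the article prescribes."""
    if isinstance(value, bool) or not isinstance(value, int) or not lo <= value <= hi:
        raise ValueError(f"{what} must be an integer in {lo}..{hi}, got {value!r}")
    return value


def cell_score(probability, impact):
    """Step 4: probability (1-10) times impact (1-10), giving 1..100."""
    return _check_scale(probability, 1, 10, "probability") * _check_scale(impact, 1, 10, "impact")


def risk_score(classification, probability, impact):
    """Step 5: the cell score weighted by the asset classification (1-5), giving 1..500."""
    return cell_score(probability, impact) * _check_scale(classification, 1, 5, "classification")


def rank_risks(assets, estimates):
    """Build every (asset, location, threat) cell and return them sorted by weighted score.

    `estimates` maps (asset name, location) to six (probability, impact) pairs in STRIDE
    order. A missing pair or a list of the wrong length is an error, never a low score.
    """
    rows = []
    for asset in assets:
        for location in asset.locations:
            if (asset.name, location) not in estimates:
                raise KeyError(f"no STRIDE estimates for {asset.name!r} at {location!r}")
            pairs = estimates[(asset.name, location)]
            if len(pairs) != len(STRIDE):
                raise ValueError(f"expected {len(STRIDE)} estimates for {asset.name!r} at "
                                 f"{location!r}, got {len(pairs)}")
            for threat, (probability, impact) in zip(STRIDE, pairs):
                rows.append({
                    "asset": asset.name,
                    "location": location,
                    "threat": threat,
                    "classification": asset.classification,
                    "probability": probability,
                    "impact": impact,
                    "cell": cell_score(probability, impact),
                    "score": risk_score(asset.classification, probability, impact),
                })
    # Highest weighted total first; ties broken deterministically by asset, location, threat.
    rows.sort(key=lambda r: (-r["score"], r["asset"], r["location"], r["threat"]))
    return rows


# Constructed sample register (hypothetical assets, locations and estimates).
ASSETS = (
    Asset("payment card numbers", classification=5, locations=("database", "laptops")),
    Asset("marketing brochures", classification=1, locations=("file server",)),
)

ESTIMATES = {
    # (asset, location): (probability, impact) for S, T, R, I, D, E in that order
    ("payment card numbers", "database"):  [(3, 9), (2, 9), (2, 6), (3, 7), (4, 10), (2, 10)],
    ("payment card numbers", "laptops"):   [(5, 8), (3, 7), (2, 5), (7, 9), (2, 3), (3, 8)],
    ("marketing brochures", "file server"): [(2, 1), (4, 2), (1, 1), (1, 1), (3, 2), (2, 2)],
}


if __name__ == "__main__":
    for row in rank_risks(ASSETS, ESTIMATES)[:5]:
        print(f'{row["score"]:4d}  {row["asset"]:<22} {row["location"]:<12} {row["threat"]}')
```

With the sample figures the top line is card numbers on laptops under information disclosure (7 × 9 × 5 = 315), which is the cell the plan should address first; the regulated asset's other cells crowd out the public brochures even where the brochures scored a higher raw probability, which is exactly the effect the Step 3 weighting is meant to have.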