Documentation - Threat analysis
During the threat analysis, the threats that are relevant to the organization are identified. For each threat this involves estimating the probability that it will lead to an incident and the impact of such an incident, and then deciding how to deal with the resulting risk. RAFIS ships a list of general threats (templates). Using this list is not mandatory; it is intended as a source of inspiration. If ISO 27001 certification is the goal, working through the entire template list is worth considering, because it gives you an argued decision for every generic threat.
A handout can be made at the end of setting up the scope. This explanation assumes that the participants have this handout.
The first thing you determine when dealing with a threat is the possible actor. Find out which actor benefits from gaining access to information or harming the organization. Not every threat has an actor. Sometimes an incident occurs because you are just unlucky. For example, hardware sometimes breaks. If several actors are possible, then assume the most threatening actor.
When determining the probability, start from the threat posed by the chosen actor and the (possible) presence of vulnerabilities in the systems concerned. How the actor's threat level translates into a probability level is indicated on the handout. Note, however, that this is the probability belonging to the gross risk. What we are looking for is the probability that takes the measures already taken into account: the net risk. The goal is that, for every threat, the residual risk can ultimately be accepted because adequate measures have been taken.
When lowering the probability to reflect the measures taken, RAFIS proposes the following rule. If you have taken adequate measures, go down at most two levels in probability. If measures have been taken but there is room for improvement, go down at most one level. The reason for this cap is that it is not realistic to assume that an advanced actor who targets you can be kept out entirely. If you want to reduce the risk further, you must therefore take impact-reducing measures. In practice it often turns out that once an actor is inside, he has free rein: too many organizations take too few impact-reducing measures. With this rule RAFIS tries to counter that. You are of course free to deviate from the rule, but document your argumentation.
If the threat does not require an actor or if the actor is not a malicious actor, see how often an incident could occur as a result of the threat.
The impact is determined by all possible consequences of an incident. Think of the possible consequences for the availability, integrity and confidentiality of the affected information, image damage, financial damage or administrative / political consequences.
Include low-risk threats in the overview, even if you accept the risk. These may be useful when drawing up a scenario in a next step.
It is good to realize that a risk is usually not a single dot on the risk matrix but a line. The same risk can manifest itself with a small impact or with a large impact, and the low-impact end of the line tends to be more probable than the high-impact end. Take receiving phishing mail as an example. A mail server receives many phishing emails every day, but most of them are blocked by filters. Now and then a relatively harmless phishing mail gets through, but users see through it or the underlying web form has already been taken down by the hosting party. Very occasionally one succeeds and users enter genuinely confidential information. Plotted on the risk matrix, these situations form a line. Measures can lower the entire line, but you may want to focus first on the middle part of the line (the incidents that get through and are only just caught) and then on the right part (the rare incidents with large impact).
In the approach field, 'control' means lowering both the probability and the impact, 'avoid' means lowering the probability, 'resist' means lowering the impact, and 'accept' means taking no further action to mitigate the risk. Choosing 'accept' only makes sense if you are working through the entire list of threat templates; a threat that you have consciously assessed and accepted is a documented decision, whereas a threat that is simply missing from the overview is not.
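The steps above (choose the most threatening actor, or fall back to incident frequency when there is no actor; derive the gross probability; cap the reduction to net probability at two levels; take the impact from the consequences; apply the chosen approach) can be modelled in a few lines so the arithmetic of the handout can be checked. The following is an added example written for this page, not code from RAFIS itself. The five-step scales, the actor-to-probability mapping, the frequency thresholds and the "worst consequence sets the impact" rule are assumptions made for the example; the real translation tables are on the handout.

```python
"""Added example, not part of the RAFIS documentation or tool: a small model
of the threat-analysis arithmetic described above. The five-step scales,
the actor mapping, the frequency thresholds and the 'worst consequence'
impact rule are assumptions for this example only."""
from enum import IntEnum


class Level(IntEnum):
    """Five-step scale used for both probability and impact (assumed scale)."""
    VERY_LOW = 1
    LOW = 2
    MEDIUM = 3
    HIGH = 4
    VERY_HIGH = 5


# RAFIS rule: adequate measures lower the probability by at most two levels,
# measures with room for improvement by at most one, no measures by none.
MAX_PROBABILITY_REDUCTION = {"none": 0, "partial": 1, "adequate": 2}

# Assumed mapping of actor capability to gross probability (illustrative;
# the real translation is on the RAFIS handout).
ACTOR_GROSS_PROBABILITY = {
    "opportunist": Level.LOW,
    "criminal": Level.HIGH,
    "advanced": Level.VERY_HIGH,
}


def probability_from_frequency(incidents_per_year: float) -> Level:
    """Threats without a (malicious) actor, e.g. hardware failure: estimate
    how often an incident occurs. Thresholds are an assumption."""
    if incidents_per_year >= 10:
        return Level.VERY_HIGH
    if incidents_per_year >= 1:
        return Level.HIGH
    if incidents_per_year >= 0.1:
        return Level.MEDIUM
    if incidents_per_year >= 0.01:
        return Level.LOW
    return Level.VERY_LOW


def gross_probability(actors, incidents_per_year=None) -> Level:
    """Assume the most threatening actor; without an actor, use frequency."""
    if actors:
        return max(ACTOR_GROSS_PROBABILITY[a] for a in actors)
    if incidents_per_year is None:
        raise ValueError("a threat without an actor needs an incident frequency")
    return probability_from_frequency(incidents_per_year)


def net_probability(gross: Level, measures: str) -> Level:
    """Apply the RAFIS cap: never more than two levels down, however many
    preventive measures are listed."""
    reduction = MAX_PROBABILITY_REDUCTION[measures]
    return Level(max(Level.VERY_LOW, gross - reduction))


def impact(consequences: dict) -> Level:
    """Consequences per aspect (availability, integrity, confidentiality,
    image, financial, administrative). Assumed rule: the worst one counts."""
    return max(consequences.values())


def residual_risk(gross_p: Level, gross_i: Level, approach: str,
                  measures: str = "none", impact_reduction: int = 0):
    """'control' lowers both, 'avoid' only probability, 'resist' only impact,
    'accept' neither. impact_reduction is the number of levels the analyst
    argues the impact-reducing measures are worth (the page sets no cap)."""
    if approach not in ("control", "avoid", "resist", "accept"):
        raise ValueError(f"unknown approach {approach!r}")
    p, i = gross_p, gross_i
    if approach in ("control", "avoid"):
        p = net_probability(gross_p, measures)
    if approach in ("control", "resist"):
        i = Level(max(Level.VERY_LOW, gross_i - impact_reduction))
    return p, i, int(p) * int(i)


if __name__ == "__main__":
    # Advanced actor, adequate preventive measures, no impact reduction:
    # the probability stops at MEDIUM, so the risk is still 3 x 5 = 15.
    gp = gross_probability(["opportunist", "advanced"])
    gi = impact({"confidentiality": Level.VERY_HIGH, "financial": Level.MEDIUM})
    print("avoid:   ", residual_risk(gp, gi, "avoid", measures="adequate"))
    # Same threat with impact-reducing measures worth two levels: 3 x 3 = 9.
    print("control: ", residual_risk(gp, gi, "control", "adequate", 2))
    # No actor: a disk that fails roughly twice a year.
    print("hardware:", gross_probability([], incidents_per_year=2))
```

The point the model makes visible is the one in the rule above: with an advanced actor, stacking preventive measures cannot bring the probability below the two-level cap, so the risk score only moves further when the approach is 'control' or 'resist' and an argued impact reduction is recorded in the argumentation field.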
Three entry fields are available per threat: 'Desired situation / actions to be taken', 'Current situation / current measures' and 'Argumentation for the choice made'. These fields are used for the later action plan, the baseline measurement, and the argumentation for the chosen probability, impact and approach, respectively. The argumentation is important input for any certification audit. The content of these fields is therefore more important than the probability, impact and approach fields themselves; the latter indicate no more than a prioritization or urgency.