Risk assessment on IT containers and the information they contain

Ragnarok

Involved In Discussions
#1
Hello

We are doing risk assessment for our information assets but we have a problem:
if we consider email records to be an information asset, and if we also consider the mail server to be an information asset, then when we do the risk assessment on the MAIL SERVER, should we consider the risks to the information it contains (in this example the mail records), or do we consider the server just as a hardware item, irrespective of the information inside?

If we consider the mail server as both HW + the info it contains, then wouldn't we be doing the work twice when we do the risk assessment on the mail records?

Please help, it's very confusing.

Tagin

Trusted Information Resource
#2
Perhaps you could consider the email service as the item being risk-assessed. Roughly, that service consists of:
  • Hardware platform
    • Physical security
    • Hardware integrity
      • Security flaws in motherboard chips
      • Compromised boards (malicious firmware implanted, etc.)
      • etc.
    • Battery backup
    • etc.
  • Network environment
    • Firewall
      • Rules etc.
    • Routers
      • Rules, etc.
    • Wiring integrity
  • Operating system
    • Known vulns
    • Update sources & schedules
    • etc.
  • Email Application Software
    • Known vulns
    • Update sources & schedules
    • etc.
  • Email content
    • Personal information?
    • Credit Card info?
    • Government-restricted info?
    • NDA-restricted info?
    • Malicious content (phishing emails, viruses, etc.)
    • Illegal content
    • etc.
  • Other applications
    • Monitoring software apps
    • Antivirus apps
    • etc.
For some common elements among services (physical security, etc.) you might do the assessment once and then refer to that for each service that uses it.
 

Ragnarok

Involved In Discussions
#3
Thanks for the reply Tagin...

Yes, that could be an alternative, but we were going for an asset-based risk assessment, as per the following formula: risk being based on asset value, threat value and vulnerability value...

Your approach is service-based, not asset-based, I take it? How would you then calculate the information security risk?
 

Tagin

Trusted Information Resource
#4
Ragnarok said:
> Thanks for the reply Tagin...
>
> Yes, that could be an alternative, but we were going for an asset-based risk assessment, as per the following formula: risk being based on asset value, threat value and vulnerability value...
>
> Your approach is service-based, not asset-based, I take it? How would you then calculate the information security risk?
Ah, I see what you mean now. If you are required to split them into different assets (server vs. information) then you would have to look at the server (hw + sw) without regard to what information it contains. Then, assess the email content separately.

If I understand it correctly, that seems like a bad way to do risk assessment. It is like trying to do risk assessment of a system by doing a risk assessment of each of its components separately - but that will not work. To me, either you need to change the definition of 'asset' to refer to the whole system (hw + sw + content), or not use 'asset value' to partition the system in the risk assessment. Otherwise, I think the risk assessment will be meaningless.
 