Anticipating threats-Describe security, compliance, privacy, and trust in Microsoft 365

Arguably, the most difficult part of the risk management planning process is trying to anticipate all the possible threats that could afflict the company’s data in the future. The three basic risk factors for the data—confidentiality, integrity, and availability—can be exploited in any number of specific ways, but the general threat categories are listed in Table 3-6.

TABLE 3-6 Risk management threat possibilities

ConfidentialityIntegrityAvailability
Theft of data by an internal employeeAccidental alteration of data by an internal userAccidental damage or destruction of data by an internal user
Theft of data by an external intruderIntentional alteration of data by an internal employeeIntentional damage or destruction of data by an internal user
Inadvertent disclosure of dataIntentional alteration of data by an external intruderIntentional damage or destruction of data by an external intruder
Damage or destruction of data by a natural disaster

The core of the risk management process is to anticipate potential threats in detail and use the information gathered earlier in the data, hardware, and user inventories to estimate the severity and likelihood of each threat. For example, the threat of the company’s client sales figures being disclosed when a traveling user misplaces their smartphone is far more likely than a competitor breaking into the company headquarters at night and hacking into a workstation to steal the same information. The severity of the threat in the two scenarios is the same, but the loss of a smartphone is the more likely occurrence, so administrators should expend a greater effort at mitigating that possibility.

In another example, a competitor’s burglary attempt might result in the theft of those same client sales figures; in another scenario, this same burglary attempt might cause deliberate damage to the company’s web servers, taking the company’s e-commerce site down for several days. The likelihood of these scenarios is roughly the same, but the web server damage is the far more severe threat because it interrupts the company’s income stream. Therefore, the more severe threat warrants a greater prevention attempt.

Microsoft 365 provides tools administrators can use to predict, detect, and respond to security threats. However, a comprehensive risk management plan goes beyond these types of tools and incorporates purchasing, hiring, building, and administration policies.

Updating the plan

Risk management is not a one-time event; it must be a continual process to be effective. Security threats continue to evolve rapidly, so the protection against them must also evolve. At least once a year, the risk management team should repeat the entire assessment process, updating the inventories of all the organization’s information, hardware, and human assets to ensure that no changes have occurred without the company’s knowledge. The team must update the threat severity and likelihood matrix as well. New or updated threats will require new security tools, procedures, and policies to protect against them.

In addition to the internal updates of the risk management plan, an organization might want to engage outside contractors to perform a vulnerability assessment, which evaluates the threats in an organization’s security infrastructure. Depending on the size of the organization and the current nature of its possible threats, a vulnerability assessment can be a minor and relatively inexpensive procedure or an elaborate and costly undertaking.

Some of the specific types of vulnerability assessments are as follows:

  • Network scan Identifies avenues of possible threats through an internal network and Internet connections, including router, firewall, and virtual private network (VPN) configurations
  • Wireless network scan Evaluates the organization’s Wi-Fi networks for vulnerabilities, including improper configuration, antenna placement, and rogue access points
  • Host scan Identifies vulnerabilities in servers, workstations, and other network hosts, including port and service scans, configuration settings, and update histories
  • Application scan Examines web servers and other Internet-accessible servers for software vulnerabilities and configuration issues
  • Database scan Identifies database-specific threats in database servers and the databases themselves

Another possible method of assessing security vulnerabilities in an organization’s risk management system is performing a penetration test. A penetration test is a procedure in which an outside contractor is engaged to attempt an attack on the company’s systems to ascertain whether the potential vulnerabilities identified in the risk management process are actual vulnerabilities and to assess the organization’s response procedures.

Leave a Reply

Your email address will not be published. Required fields are marked *

Search

Popular Posts

  • Summary-Describe security, compliance, privacy, and trust in Microsoft 365
    Summary-Describe security, compliance, privacy, and trust in Microsoft 365

    Thought experiment In this thought experiment, demonstrate your skills and knowledge of the topics covered in this chapter. You can find the answers to this thought experiment in the next section. Ralph is the Director of the Brooklyn datacenter at Contoso Corp. The company currently has three office buildings in the New York area with…

  • Anticipating threats-Describe security, compliance, privacy, and trust in Microsoft 365
    Anticipating threats-Describe security, compliance, privacy, and trust in Microsoft 365

    Arguably, the most difficult part of the risk management planning process is trying to anticipate all the possible threats that could afflict the company’s data in the future. The three basic risk factors for the data—confidentiality, integrity, and availability—can be exploited in any number of specific ways, but the general threat categories are listed in…

  • Classifying users-Describe security, compliance, privacy, and trust in Microsoft 365
    Classifying users-Describe security, compliance, privacy, and trust in Microsoft 365

    The third element of the digital estate that must be considered when creating a risk management plan is the people who actually access the data. Whether deliberately or inadvertently, users are a constant vulnerability—if not an actual threat—to the organization’s data. After quantifying the organization’s information assets and their value and inventorying the hardware used…

Tags

There’s no content to show here yet.