Section 5.3. Identify Areas of Concern

5.3 Identify Areas of Concern

As people work with information-related assets when performing their jobs, they develop an understanding of the operational procedures related to accessing and using information. They learn about the way operations really work in their organization. They know where written procedures must be followed to the letter, and they know where they have to "make things work" by deviating from formally written protocols. The knowledge about what is really happening in the organization is vital when creating threat scenarios.

In this activity participants express concerns about how their most important assets are threatened. They create the scenarios using prompts based on known sources and outcomes of threat, resulting in highly contextual threat information from the people who use and depend upon the organization's assets. This information forms the basis for constructing threat profiles during process 4.

Step 1: Describe Areas of Concern

A threat is an indication of a potential undesirable event [NSTISSC 98]. It refers to a situation in which a person could do something undesirable (an attacker initiating a denial-of-service attack against an organization's email server) or a natural occurrence could cause an undesirable outcome (a fire damaging an organization's information technology hardware). An area of concern is a situation in which someone is concerned about a threat to his or her important assets. Typically, areas of concern have a source and an outcome, that is, a causal action that has an effect on the organization. Figure 5-4 shows typical sources and outcomes for areas of concern.

Figure 5-4. Sources and Outcomes for Areas of Concern

graphics/05fig04.gif

The threat sources and outcomes in Figure 5-4 are based on known sources of threat from the generic threat profile. For a more in-depth discussion of the generic threat profile, see Chapter 6. Table 5-4 provides a definition for each category of threat source, while Table 5-5 provides a definition for each outcome.

To conduct step 1, ask the participants the following question: What scenarios threaten your important assets? To help them think about threat scenarios, have the participants focus on how the sources and outcomes contained in Figure 5-4 related to their important assets.

Note that the participants might consider one asset at a time, or they might consider and discuss all important assets simultaneously when they identify areas of concern. Identifying areas of concern is a brainstorming activity, in which participants will likely focus on multiple assets and sources simultaneously.

Table 5-4. Threat Sources

Category of Threat Source Definition

Deliberate actions by people This group includes people inside and outside your organization who might take deliberate action against your assets.

Accidental actions by people This group includes people inside and outside your organization who might accidentally harm your assets.

System problems These are problems with your information technology systems. Examples include hardware defects, software defects, unavailability of related systems, viruses, malicious code, and other system-related problems.

Other problems These problems are beyond your control. Threats in this category include natural disasters (e.g., floods and earthquakes) that can affect your organization's information technology systems, unavailability of systems maintained by other organizations, and interdependency issues. Interdependency issues refer to problems with infrastructure services, such as power outages, broken water pipes, and telecommunication outages.

Table 5-5. Threat Outcomes

Threat Outcome Definition

Disclosure The viewing of confidential or proprietary information by someone who should not see the information

Modification An unauthorized changing of an asset

Loss/destruction The limiting of an asset's availability, either temporarily or because it is unrecoverable

Interruption The limiting of an asset's availability, mainly in terms of services

At MedSite, the senior managers identified areas of concern for their important assets. Figure 5-5 shows a few of the areas of concern for PIDS.

Figure 5-5. Senior Management Areas of Concern for PIDS

graphics/05fig05.gif

Note that the areas of concern in Figure 5-5 are written as complete sentences. One of the biggest mistakes, made by many inexperienced analysis teams, is to record partial phrases that do not completely capture the meaning of the concern. When the teams review areas of concern later in the process, they cannot always remember the exact concern if only a few words were recorded. Appendix A summarizes the areas of concern identified during processes 1 to 3.

Step 2: Describe the Impact on the Organization

The second step of this activity centers on collecting information about the potential impact on the organization. This information will be useful when you start to construct risks in process 7. It will help link the outcomes of threats to business goals and objectives. (See Chapter 9 for more information about process 7.)

For each scenario elicited, ask the following questions:

What could happen if this scenario were to occur?
What would be the impact on your organization?

Note that there can be more than one impact for each area of concern. Figure 5-6 illustrates the potential impact on the organization for two of the senior managers' areas of concern for PIDS.

Figure 5-6. Impact on the Organization for Areas of Concern

graphics/05fig06.gif

This concludes the second activity of processes 1 to 3. In the next activity you will identify security requirements for the participants' most important assets.