Ask The Security Channel Expert: Questions & Answers
Threat matrix and risk analysis resources
QUESTION:
I need to come up with a matrix of threats and countermeasures so I can start doing a risk analysis of what we can be exposed to in my customer's infrastructure environment. Do you have any ideas or tips on how I can get that info?
There are many sources available to help you compile a threat matrix. Many books are written on the subject, as well as numerous web resources, to help you create a risk analysis (RA) matrix. WBDG has a good one, and the NIST publication 800-30 (.pdf) has been around for a while, but it's still useful.
But before you start to focus on the countermeasures part, you'll need to understand the difference between a threat and a vulnerability to create a framework that makes this differentiation. Once you've compiled those, identify the company assets that would be affected, and rate the severity if a realized threat impacts the asset. Dr. Krutz' and my latest text, The CISSP and CAP Prep Guide: Platinum Edition, explains a high-level approach to RA, defines various rate-of-occurrence formulae and provides a template matrix for threat/vulnerability/asset rating.