Having identified the asset, risk will be determined by the vulnerabilities and threats acting on it, so these must be identified and assessed. The data asset register should contain information about the location of the data, its owner and value to the organisation. Ownership of the data is important, as the data owner is responsible for deciding whether to accept the risks identified through the risk assessment.

Vulnerabilities

Vulnerabilities are weaknesses in the controls protecting the asset, so they’re usually easier to find than threats which can be much harder to predict. There are many vulnerability assessment tools, like Nessus and OpenVAS, which automatically scan networks to find vulnerabilities. Remember that while automated scans are fast and convenient, they are nevertheless simply tools and results should not be taken at face value. They’ll often highlight a vulnerability but can’t ‘understand’ what other controls may be in place to mitigate it.

Introducing CiSP

The Cyber Security Information Sharing Partnership (CiSP) is a joint industry and government initiative, set up to allow UK organisations to share cyber threat information in a secure and confidential environment.

The benefits of CiSP

The benefits of CiSP include:

Connect: Connect with other people in your sector or region, make new contacts and grow your network.
Inform: Inform yourself by learning from the information available on the platform.
Share: Share your own knowledge with other members on the platform, and also share new knowledge from CISP in your own organisations (where handling instructions allow).
Protect: Protect your network against cyber threats, helping to make the UK the safest place to live and work online.

Gauging the risk

The risk will generally relate to the value of the data, but this isn’t always easy to calculate. Value is typically assessed in terms of the data’s sensitivity and criticality. In other words, what would happen if it became public (sensitivity), or it was unavailable for any reason (criticality). In this case, value must include a consideration of an organisation’s contractual and legal obligations, its relationship with suppliers and customers, the potential for reputational damage, projected value of intellectual property, and many other considerations.

Configuration management databases (CMDBs)

A CMDB is an archive that acts as a data warehouse, storing information about your IT environment and the components that are used to deliver IT services. The data stored in a CMDB include lists of assets (known as configuration items) and the relationships among them.

The heart of modern IT operations

CMDBs and the configuration management processes that surround them are the heart of modern IT operations. They allow the company to manage data about a diverse set of IT components in a centralised location (even if the actual devices are widely distributed). The CMDB helps the organisation perform service management processes such as incident management, change management and problem management, and is also an essential resource for decision-makers who need information to improve the cost, quality and performance of the organisation's IT Services.

In addition to an organisation's own interests in keeping a well-ordered, up to date CMDB, GDPR has also increased fines for failures to protect personal data, so organisations are taking data asset control much more seriously than before. It's a cornerstone of information security and needs constant attention.

To wrap up

In the previous articles, you have seen that the risk management life cycle is an iterative process involving four phases: Identify, Analyse, Treat, and Monitor. Following these steps allows us to focus our cyber defences to the best effect within the constantly evolving threat environment

Key points

Let’s take a look at the key points from this lecture:

A data asset register should contain information about the location of the data, its owner and value to the organisation.
Value is typically assessed in terms of the data’s sensitivity and criticality.
CMDBs allow the company to manage data about a diverse set of IT components in a centralised location (even if the actual devices are widely distributed).

Risk identification