List and explain at least three questions to ask organizational personnel to determine risk sensitivity, exposure, and thresholds. Why are they good questions, and how will these answers help risk management?
While it is better to already have an organization’s risk sensitivity, exposure, and thresholds figured out before an incident occurs, in my experience, it takes encountering a real-world danger to get a firm grasp on an organization’s risk chance and the steps to reduce it. In my current position in IT, I generally ask/answer the same questions for every security incident, regardless of whether the event is on the digital or physical front. By compiling a set of standardized queries, one can form a general attack plan in the event of a breach or threat; this can help manage resources quickly, as every second counts immediately following an exposed or penetrated asset. Below are some of the questions I use in my ‘Incident Form.’ Interestingly enough, several of these questions can be reused in determining a company’s risk sensitivity, exposure, and thresholds.
- Date of Incident?
- Date of Initial Detection?
- Intruder’s Target?
- Intruder’s Origination?
- What Happened?
- How did it happen?
- Initial Discovery?
- Event Timeline?
- Threat Level?
- Suggested Steps?
- Completed Actions?
- Pending Actions?
By answering each of these questions, I can then create my ‘Full Incident Report Form,’ which is typically around 10-15 pages of detailed data regarding every possible source or contributing factor in the security breach. Included in my full report is the complete ticket timeline of the event, starting at the identification of the breach/vulnerability and ending at the full resolution of the problem. By adding each ticket with its author, the steps involved, the date and time, and the priority level, I can formulate a comprehensive and detailed incident report. Proper documentation leads to proper error resolution, now and into the future, because the same procedure used for past security events can be followed for future issues.
While each situation is different, the basic framework one should follow in a physical security incident compared to an initial security audit should be somewhat similar. One needs to find out what can happen, why it will happen, what the potential risks are, what the proposed solution is, and what everything is going to cost in terms of resources and personnel; by establishing these answers, one can efficiently update upper management on the status of the organization’s risk sensitivity, exposure, and thresholds.
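The following is an added example, not the poster's own form or code: it models the ‘Incident Form’ questions above as a structured record with a ticket timeline (author, steps, date and time, priority), so the report can derive the gap between the incident and its initial detection, order the timeline chronologically, and list pending actions by priority. The field names, the priority scale, and the sample incident are assumptions made for illustration.

```python
"""Added example (not from the original post): an incident record built from
the post's 'Incident Form' questions plus a ticket timeline for the full
report. Field names, priority scale and sample data are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime
from typing import List

# Assumed ticket priority scale; lower number sorts first.
PRIORITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass
class Ticket:
    """One entry in the incident ticket timeline."""
    author: str
    opened: datetime
    steps: str
    priority: str
    completed: bool = False

    def __post_init__(self) -> None:
        if self.priority not in PRIORITY_ORDER:
            raise ValueError(f"unknown priority: {self.priority}")


@dataclass
class Incident:
    """The incident-form questions as structured fields."""
    incident_date: datetime
    detection_date: datetime
    target: str
    origination: str
    what_happened: str
    how_it_happened: str
    initial_discovery: str
    threat_level: str
    tickets: List[Ticket] = field(default_factory=list)

    def __post_init__(self) -> None:
        # Detection cannot precede the incident; rejecting this early keeps
        # the dwell-time figure in the report from going negative.
        if self.detection_date < self.incident_date:
            raise ValueError("detection date precedes incident date")

    def dwell_time_hours(self) -> float:
        """Hours between the incident starting and its initial detection."""
        return (self.detection_date - self.incident_date).total_seconds() / 3600

    def timeline(self) -> List[Ticket]:
        """All tickets in chronological order, whatever order they were logged."""
        return sorted(self.tickets, key=lambda t: t.opened)

    def completed_actions(self) -> List[Ticket]:
        return [t for t in self.timeline() if t.completed]

    def pending_actions(self) -> List[Ticket]:
        """Open tickets, highest priority first, oldest first within a priority."""
        open_tickets = [t for t in self.tickets if not t.completed]
        return sorted(open_tickets, key=lambda t: (PRIORITY_ORDER[t.priority], t.opened))

    def report(self) -> str:
        """Plain-text summary in the order of the incident-form questions."""
        fmt = "%Y-%m-%d %H:%M"
        lines = [
            f"Date of Incident: {self.incident_date.strftime(fmt)}",
            f"Date of Initial Detection: {self.detection_date.strftime(fmt)}"
            f" (dwell time {self.dwell_time_hours():.2f} h)",
            f"Intruder's Target: {self.target}",
            f"Intruder's Origination: {self.origination}",
            f"What Happened: {self.what_happened}",
            f"How did it happen: {self.how_it_happened}",
            f"Initial Discovery: {self.initial_discovery}",
            f"Threat Level: {self.threat_level}",
            "Event Timeline:",
        ]
        for t in self.timeline():
            state = "done" if t.completed else "pending"
            lines.append(f"  {t.opened.strftime(fmt)} [{t.priority}/{state}] {t.author}: {t.steps}")
        lines.append("Pending Actions: " + "; ".join(t.steps for t in self.pending_actions()))
        return "\n".join(lines)


def sample_incident() -> Incident:
    """Constructed sample data for demonstration only; not a real event."""
    inc = Incident(
        incident_date=datetime(2020, 9, 10, 2, 15),
        detection_date=datetime(2020, 9, 12, 9, 0),
        target="file server FS01",
        origination="external VPN login",
        what_happened="Unauthorized access to shared drive",
        how_it_happened="Reused service-account password",
        initial_discovery="Helpdesk ticket about renamed files",
        threat_level="high",
    )
    # Logged out of order on purpose; timeline() sorts them.
    inc.tickets.append(Ticket("alice", datetime(2020, 9, 12, 9, 5), "Isolated host from network", "high", True))
    inc.tickets.append(Ticket("alice", datetime(2020, 9, 13, 11, 0), "Patch VPN appliance", "medium"))
    inc.tickets.append(Ticket("bob", datetime(2020, 9, 12, 10, 30), "Rotate service account credentials", "critical"))
    inc.tickets.append(Ticket("carol", datetime(2020, 9, 12, 9, 40), "Collect disk and memory image", "high", True))
    return inc


if __name__ == "__main__":
    print(sample_incident().report())
```

Running the block prints the form in question order; the dwell-time figure and the priority-sorted pending list are the two values that feed directly into the management status update the post describes.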