And now, on with the show. We have described the organization for which we are performing the assessment. We have also described, to a certain extent, the architecture of the system involved.
Again, we are going to take things in a little different order than presented in the Introduction to FAIR. The first thing we are going to look at is asset. From the introduction:
Any data, device, or other component of the environment that supports information-related activities, which can be illicitly accessed, used, disclosed, altered, destroyed, and/or stolen, resulting in loss.
With this definition in mind, why don't we make a list of the assets we might be concerned about.
- Hardware (Servers, routers, switches, firewalls, etc.)
- Services (Web services and database services)
- Information (Tax code and tax rates)
The bandwidth is an asset because evil doers on the internet need a way to spread their evil. They would much prefer to use our bandwidth than pay for their own.
The hardware is an asset because someone might want to steal it or run their own software on it.
The services provided are an asset for similar reasons. The evil doers need places to put the stuff they want to spread or a place to stash the stuff they have already taken elsewhere.
The information is an asset because...well...it's why the rest of the stuff is there in the first place Seriously, information is always an asset. As discussed in the first post on assets, it likely doesn't matter if the information is classified as public or not. The integrity and availability of that public information can be very important.
For instance, in our case, the information defines how much money a company will have to pay in taxes. If it is modified or deleted, it can have a serious effect on the revenue of the state.
Ideally, we would perform a risk analysis for each asset "class" above and incorporate all the results into our risk assessment. For our purposes though, we are going to concentrate on just one, the information.
In the next post in this series we will take a look at threats and threat agents.
As always, please let me know your thoughts in the comments.