Okay. So having just talked about some of the basics with risks and looked at their implications, the next section we're going to move into is a discussion of mitigating risk. And we've already talked about this a little bit as well.
So, uh, when we talk about mitigating risk, and when we talk about risk in general, as I mentioned before, the first step is going to be to understand the value of your assets:
figure out what your assets are and what they're worth. Well, one of the ways that we indicate the worth of assets is by classifying data,
and the classification of data should indicate the data's value. So there's certainly information that's public. There's information for internal use only, sensitive, or confidential. And these are classifications you might see in the commercial industry. A lot of times when people hear "classifications," they immediately think government or military.
But that's not the case. Certainly we classify information for use within the commercial industry
as well as in the government industry. Before I move on, I'll mention that sensitive is the highest level of classification, down to the lowest, public. So sensitive in the commercial industry would be sort of equivalent to top secret in the government and military.
So it does kind of map. This would be unclassified information.
It does kind of map loosely to government and military. But the whole purpose of classification really is to determine what type of control we should put in place. The higher the classification of the data, the more stringent the control.
Now, some other ways that we can address the value of data and its protection needs, especially in the realm of confidentiality, integrity and availability: we can use a threat matrix. Now, these are going to be unique from organization to organization in how they work.
Essentially, it's just a chart. If you've ever worked with a probability and impact matrix or
anything along those lines, the idea is we use a weighting system. And we might say that, um, for confidentiality, the attributes for the information itself are at this level; what sort of threats are there to the confidentiality?
Ah, and then the weighting of integrity, availability,
and all these elements. And basically there's nothing to memorize here. There's nothing testable other than the idea that the threat matrix is a good way to help visualize the value of data and how important its confidentiality, integrity and availability are. So nothing really testable there, but it's certainly a helpful tool.
Now, a Common Vulnerability Scoring System, and that's CVSS, Common Vulnerability Scoring System. And that's really essentially what we saw in the slide before, kind of giving a way just to score CIA-related threats. Same idea here,
ah, with the CVSS. So that's kind of a more standardized methodology
for assessing the threats associated with certain technologies. And it categorizes threats into three main categories: the base metric group, the temporal metric group and the environmental metric group.
For base threats, these are the types of threats that are inherent to the mechanism. No matter where you implement it, this vulnerability is going to exist. You know, I've got a database, and, um, the database relies on password protection to access the data.
That's certainly a vulnerability, and that's just inherent to the database. It's inherent in the fact that
that's the strongest protection it provides.
Now, there also might be temporal threats, finite in time. For instance, there might be a threat exposure for a limited time period while the system's connected to the Internet. And maybe it connects out to the Internet twice a day to upload information to a database server out on the Net.
That's a very temporary,
or very fixed, length of time that it has a threat.
And then also, some threats are about the environment to which they're deployed. You know, whereas I may have a system that works very fine, very well, in a secure environment, if I put it in a standard desktop environment of, ah, you know, of an ordinary organization,
based on the environment, or maybe based on other applications in the environment,
uh, the types of users that are in the environment, the type of access... So essentially what you've got is you've got inherent threats, you've got temporary threats, and then you've got threats driven by the environment. And whenever you're considering implementing some sort of element on your network, you have to think across those three categories of threats.
Again, we always go back to the CIA, and I know there's some redundancy in these slides with this. But just as an idea, any time you see the same concept again and again and again, that can really tell you, from a testable standpoint and then from a conceptual standpoint, we always go back to the C-I-A.
And for every element, we think about
the necessity for confidentiality. What are the things that will threaten the confidentiality, and what are some mitigating strategies? Um, integrity and availability, the same idea there.