Information Security Risk Associated With The SPCComputing Environment
This is an assessment of the information security risk associated with the SPCComputing environment. This assessment outlines identified risks, the severity of those risks on a qualitative scale, and recommended controls to reduce the risk.
In today’s threat landscape, companies are under increasingly sophisticated attacks by nation states and organized crime. The manufacturing, energy, retail, financial and communications sectors are at high risk from these sophisticated attacks. As a service provider to these industries, SPCComputing may be targeted as a potential vector into these high-value targets.
As a trusted service provider, SPCComputing strives to continually improve our information… In the end, this risk should be documented and accepted or reduced.
Information security risk can be defined as “The combination of the probability of an event and its consequence with regard to confidentiality, integrity, and availability of information”. This is commonly expressed as Risk = Likelihood × Impact.
The probability, or likelihood, of an information security event can be further defined as “The ability of a threat to exploit a vulnerability or weakness”. In a cybersecurity event we weigh the capabilities and motivation of an attacker against the level of effort needed to exploit the vulnerability or weakness. Expanding likelihood in this way gives Risk = Threat × Vulnerability × Impact.
Risk Assessment Method
This risk assessment is based on the NIST SP 800-30 methodology conducted from a threat perspective.
The risk assessment used several common cyber security events and the Cyber Kill Chain, developed by Lockheed Martin to thwart advanced persistent threats. The Cyber Kill Chain places all of the actions of an attack into one of seven phases. For each of these actions, counteractions can be defined that will either detect, deny, disrupt or degrade the attack.
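The phase-by-counteraction mapping described above can be checked mechanically for coverage gaps. The following is an added example, not part of the original assessment: the phase names are those of the Lockheed Martin model, and the control inventory and the function names `build_matrix` and `coverage_gaps` are constructed for illustration.

```python
from collections import defaultdict

# Seven phases of the Lockheed Martin Cyber Kill Chain, in order.
PHASES = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
          "Installation", "Command and Control", "Actions on Objectives"]
# The four counteraction types named in the text above.
ACTIONS = ["detect", "deny", "disrupt", "degrade"]

# Constructed sample control inventory (hypothetical, not SPCComputing's).
CONTROLS = [
    ("Web server log analytics", "Reconnaissance", "detect"),
    ("Email attachment sandbox", "Delivery", "detect"),
    ("Mail gateway file-type blocking", "Delivery", "deny"),
    ("Endpoint exploit mitigation", "Exploitation", "disrupt"),
    ("Patch management", "Exploitation", "deny"),
    ("Application allow-listing", "Installation", "deny"),
    ("DNS query monitoring", "Command and Control", "detect"),
    ("Egress rate limiting", "Command and Control", "degrade"),
]

def build_matrix(controls):
    """Return {phase: {action: [control names]}}, rejecting unknown labels."""
    matrix = {p: defaultdict(list) for p in PHASES}
    for name, phase, action in controls:
        if phase not in matrix or action not in ACTIONS:
            raise ValueError(f"unknown phase/action for control {name!r}")
        matrix[phase][action].append(name)
    return matrix

def coverage_gaps(controls):
    """Classify each phase with a gap: 'none' (no controls), 'detect-only'
    (visibility but nothing that impedes the attack), or 'no-detect'
    (impeding controls exist but the phase raises no alerts)."""
    gaps = {}
    for phase, by_action in build_matrix(controls).items():
        present = {a for a in ACTIONS if by_action.get(a)}
        if not present:
            gaps[phase] = "none"
        elif present == {"detect"}:
            gaps[phase] = "detect-only"
        elif "detect" not in present:
            gaps[phase] = "no-detect"
    return gaps

if __name__ == "__main__":
    found = coverage_gaps(CONTROLS)
    for phase in PHASES:
        print(f"{phase:24} {found.get(phase, 'covered')}")
```

Phases reported as `none` or `detect-only` are candidates for the recommended-controls section of an assessment; `no-detect` phases are blocked but produce no evidence for incident response.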
The SPC environment was broken down into three basic classes of