Help with a risk assessment
Posted on 2011-10-20
Can someone talk through a risk assessment with me so I can get the understanding? The tech “risk factors” we have identified are CIAA (confidentiality, integrity, availability, accountability).
The technologies we want to assess are use of encryption of portable USB devices and mobile devices such as blackberry, the use of 2-factor authentication for remote web services such as VPN or citrix, and using mobile devices as thin clients – i.e. can view exchange mail but can’t save any data locally onto the device.
Am I correct in thinking you essentially saying in a risk assessment, e.g.:
“without using 2-factor authentication – the confidentiality risks are xyz, the integrity risks are xyz, the availability risks are xyz, the accountability risks are xyz…”
Or does not every control have all these risk categories when not in operation?
For example lack of encryption I can see can lead to loss of confidentiality. But can you give some examples on accountability, integrity, accountability for this? Just so I can see some examples?
Perhaps same for 2-factor authentication and thin clients, if I could see some example risks for conf, integrity, availability, and accountability I can get my head around this much more.