Where to start? Know your assets!
To measure the impact of vulnerabilities on your assets, you have to understand what your assets are and where their criticalities lie. This is a manual step that will enable automation. I am working on a way to automate this step in my company. More to follow on that.
Security folks understand Confidentiality, Integrity, and Availability. This is the basis of the CVSS score as well. These terms might not be so clear to system administrators who aren’t bathed in security daily. In my company, our system administrators risk-rate their assets with three categories and three risk levels (High, Medium, Low):
- Data Risk (Highest classification stored on the system)
- Network Location Risk (Proximity to the internet perimeter)
- Business Risk (Criticality to the operation of the business)
Roughly translated, the Data Risk can be considered Confidentiality, the Network Location Risk can be considered Integrity, and the Business Risk can be considered Availability. This may seem like a stretch, but it works for us.
The sysadmins rate their assets this way because CIA isn’t easily understood by everyone.
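As an added illustration (not the author's tooling, and not the follow-up post mentioned below), here is the mapping above in Python: each sysadmin rating becomes a weight on the matching C/I/A impact metric of a CVSS v3.x vector string, so the same vulnerability scores differently per asset. The numeric weights, the scoring formula and the sample inventory are assumptions chosen for the example.

```python
"""Asset-aware vulnerability impact: map sysadmin risk ratings onto CVSS C/I/A."""
from dataclasses import dataclass

# Post's mapping: Data Risk -> Confidentiality, Network Location Risk -> Integrity,
# Business Risk -> Availability.
RATING_TO_CIA = {"data": "C", "network": "I", "business": "A"}

# Hypothetical weights (assumption, not from the post) for asset ratings and CVSS impacts.
ASSET_WEIGHT = {"High": 1.0, "Medium": 0.6, "Low": 0.3}
CVSS_IMPACT = {"H": 1.0, "L": 0.5, "N": 0.0}


@dataclass(frozen=True)
class Asset:
    name: str
    data: str      # Data Risk: highest classification stored on the system
    network: str   # Network Location Risk: proximity to the internet perimeter
    business: str  # Business Risk: criticality to the operation of the business


def parse_cvss_cia(vector: str) -> dict[str, str]:
    """Extract the C/I/A impact metrics from a CVSS v3.x vector string."""
    parts = vector.split("/")
    if not parts[0].startswith("CVSS:3."):
        raise ValueError(f"unsupported CVSS vector: {vector}")
    metrics = dict(p.split(":", 1) for p in parts[1:])
    missing = {"C", "I", "A"} - metrics.keys()
    if missing:
        raise ValueError(f"vector lacks impact metrics {sorted(missing)}")
    return {k: metrics[k] for k in ("C", "I", "A")}


def asset_impact(asset: Asset, vector: str) -> float:
    """Score in [0, 3]: sum over C/I/A of CVSS impact x asset rating for that dimension."""
    cia = parse_cvss_cia(vector)
    score = 0.0
    for rating_field, dim in RATING_TO_CIA.items():
        score += CVSS_IMPACT[cia[dim]] * ASSET_WEIGHT[getattr(asset, rating_field)]
    return round(score, 2)


def rank_assets(assets: list[Asset], vector: str) -> list[Asset]:
    """Order assets by how badly this vulnerability would hurt them (highest first)."""
    return sorted(assets, key=lambda a: asset_impact(a, vector), reverse=True)


if __name__ == "__main__":
    fleet = [Asset("hr-db", "High", "Low", "High"),      # constructed sample inventory
             Asset("www-edge", "Low", "High", "Medium"),
             Asset("dev-vm", "Low", "Low", "Low")]
    vec = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"  # confidentiality-only impact
    for a in rank_assets(fleet, vec):
        print(f"{a.name:10s} {asset_impact(a, vec)}")
```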
Next is to tie this in with the rest of your risk-rating puzzle pieces, but that’s another blog post.