assessing risk and vulnerabilities

qwertyiop

When assessing risk and vulnerabilities with any IT system, what are the 'critical' elements?

Turgon

qwertyiop wrote: »

When assessing risk and vulnerabilities with any IT system, what are the 'critical' elements?

That most likely depends on what you define as risk and vulnerability. A system may be potentially vulnerable to attack but if the risk is low and the risk of mitigating or eliminating that vulnerability is high in the sense of possibly screwing up the system then you have a critical element that goes beyond the device itself i.e the impact of system loss. You also have the cost of reducing risk. Its an interesting subject that goes around in circles unless you have some kind of template in mind to help with assessments. I imagine that is what you are looking for and it will vary from standard to standard. Financial risk, operational risk, business continuity risk, security risk.