Modelling risk in a business manner

Taking this model as correct, there are a number of risks that are relevant to each layer of the business model, as shown in the diagram below:

Figure 7 - Modelling business processes (2)

Any business process will have possible business impacts associated with it. These are either 'good' (opportunities) or 'bad' (security risks) for the business. They can only be determined by the business itself, so business input is critical. The business shall identify the high-level business processes and the risks associated with them.

Applications will hold data, some of which will be critical (i.e. more important or sensitive than the normal 'run of the mill' data). The level of security required above the baseline that applies to all 'normal' data will be determined by a detailed risk assessment process for the application and its data. The majority of applications in any organisation are rarely regarded as critical in risk terms; the critical ones are typically process control, funds transfer, web merchandising, etc. These applications will require a specific risk assessment of their own, as the controls to be implemented on them will exceed the 'run of the mill' controls applied to the remainder of the applications, which are covered under the 'infrastructure' risks.

To determine business impacts, a number of workshops with the business owners must be undertaken.
The Security Practitioner - An Introduction to Information Security