threat_modelling
Differences
This shows you the differences between two versions of the page.
Both sides previous revisionPrevious revision | Next revisionBoth sides next revision | ||
threat_modelling [2019/08/06 17:37] – neil | threat_modelling [2019/08/09 06:53] – neil | ||
---|---|---|---|
Line 10: | Line 10: | ||
You’ll sometimes see this described as “threat modelling” or understanding your "risk scenario" | You’ll sometimes see this described as “threat modelling” or understanding your "risk scenario" | ||
- | ====Why do you care?==== | + | ====Key points ====Â |
+ | * [[threat_modelling# | ||
+ | * [[threat_modelling# | ||
+ | * [[threat_modelling# | ||
+ | * [[threat_modelling# | ||
+ | * [[threat_modelling# | ||
+ | * [[threat_modelling# | ||
+ | Â | ||
+ | ====What are trying to protect?==== | ||
The reason you do this is that, without knowing the threats against which you’re trying to protect, you don’t know what mitigations you need to have in place. And, since you probably can’t do everything at once, you’ll need to understand what are the greatest threats you face, and so which are deserving of the greatest attention, and what measures are “nice to haves”, which could be done at some point in the future. | The reason you do this is that, without knowing the threats against which you’re trying to protect, you don’t know what mitigations you need to have in place. And, since you probably can’t do everything at once, you’ll need to understand what are the greatest threats you face, and so which are deserving of the greatest attention, and what measures are “nice to haves”, which could be done at some point in the future. | ||
Line 43: | Line 51: | ||
When you’ve got a list of risks and potential mitigations, | When you’ve got a list of risks and potential mitigations, | ||
- | ====Prioritising | + | ====Prioritise |
Chances are, you'll have quite a few risks on your list, so you'll want to prioritise your approach to tackling them. | Chances are, you'll have quite a few risks on your list, so you'll want to prioritise your approach to tackling them. | ||
Line 52: | Line 60: | ||
- | ====Writing | + | ====Write it down==== |
You might find it useful to [[documenting_policies_and_processes|write this down]], so that you have a register of threats and risks, with reasons why you have included, or excluded certain things. | You might find it useful to [[documenting_policies_and_processes|write this down]], so that you have a register of threats and risks, with reasons why you have included, or excluded certain things. | ||
- | ====Repeating | + | ====Make this a regular thing====Â |
- | You probably want to make this appraisal a regular exercise — perhaps yearly, or even more frequently. | + | You probably want to make this appraisal a regular exercise — perhaps yearly, or even more frequently, depending on the likelihood of a risk arising, and the severity of the impact if it did. |
If you think you fall into a higher risk category, it is probably something you’ll want to do even more often than that. | If you think you fall into a higher risk category, it is probably something you’ll want to do even more often than that. | ||
+ | |||
+ | If you have a compliance calendar, to help you meet your numerous regulatory obligations, |
threat_modelling.txt · Last modified: 2021/10/15 10:25 by neil