threat_modelling

Differences

This shows you the differences between two versions of the page.

Previous revision: threat_modelling [2019/08/06 17:37] – neil
This revision: threat_modelling [2019/08/09 06:53] – neil
Line 10:
You’ll sometimes see this described as “threat modelling” or understanding your “risk scenario”.
  
-====Why do you care?====
+====Key points====
+  * [[threat_modelling#What are you trying to protect?|What are you trying to protect?]]
+  * [[threat_modelling#Who is your threat?|Who is your threat?]]
+  * [[threat_modelling#How are you vulnerable?|How are you vulnerable?]]
+  * [[threat_modelling#Prioritise your response|Prioritise your response]]
+  * [[threat_modelling#Write it down|Write it down]]
+  * [[threat_modelling#Make this a regular thing|Make this a regular thing]]
+
+====What are you trying to protect?====
The reason you do this is that, without knowing which threats you are trying to protect against, you don’t know what mitigations you need to have in place. And, since you probably can’t do everything at once, you need to work out which threats are the greatest, and so deserve the most attention, and which measures are “nice to haves” that could be done at some point in the future.
  
Line 43 (previous) / Line 51 (this revision):
When you’ve got a list of risks and potential mitigations, you can then prioritise and start to implement.
  
-====Prioritising your response====
+====Prioritise your response====

Chances are, you’ll have quite a few risks on your list, so you’ll want to prioritise your approach to tackling them.
Line 52 (previous) / Line 60 (this revision):
  
  
-====Writing it down====
+====Write it down====
You might find it useful to [[documenting_policies_and_processes|write this down]], so that you have a register of threats and risks, with the reasons why you have included or excluded certain things.
  
-====Repeating this exercise====
+====Make this a regular thing====
-You probably want to make this appraisal a regular exercise — perhaps yearly, or even more frequently.
+You probably want to make this appraisal a regular exercise — perhaps yearly, or even more frequently, depending on the likelihood of a risk arising and the severity of the impact if it did.

If you think you fall into a higher risk category, it is probably something you’ll want to do even more often than that.

+If you have a compliance calendar to help you meet your various regulatory obligations, add a quarterly or half-yearly action to it to review your risk categorisation and your security measures.
threat_modelling.txt · Last modified: 2021/10/15 10:25 by neil