As part of my goal of posting some risk scenarios and accompanying assessments on the blog, I went ahead and posted a profile of a company (and one of its subsidiaries) over on the “Initech, Inc.” page. Writing the background and “given” information once, instead of for each and every risk scenario, will save a lot of time.
This approach is also important because it underscores the need to analyze risk elements within the context of the organization that faces the exposure. Company X may have a strong security posture, whereas Company Y may have a weak one. Thus, a threat agent may be able to come in contact with, take action against, and overcome Company Y’s security controls but not succeed against Company X. It would not be reasonable for Company X’s information security risk assessors to assume that, because Company Y was impacted by a risk scenario, Company X is equally vulnerable.
So, take a look at the “Initech, Inc.” page, have a good chuckle, and stay tuned for some upcoming risk scenarios, assessments, and interesting dialogue.