Identify your vulnerabilities and threats
You need to think about the vulnerabilities and threats you face and their impact on your organisation. Consider the following questions to help you assess your organisation’s risks:
Where is your organisation vulnerable?
Identify areas where your organisation might be vulnerable to security breaches (deliberate or accidental). Determine which vulnerabilities might be exploited and how this might be limited.
A vulnerability is a weakness in your information security defences. To assess your vulnerabilities, you need to understand where your defences are weak. An annual security self-assessment is a great starting point for identifying your security vulnerabilities.
The following resources have more information on essential information security practices that organisations should adopt.
- Cyber Security and Risk Management: An Executive level responsibility (PDF, 1,249KB) —National Cyber Security Centre
- Critical Controls — CERT NZ — check this page for frequent updates
- Strategies to Mitigate Cyber Security Incident (essential eight) — Australian Cyber Security Centre
- Self Assessment and Reporting on your security capability maturity
- New Zealand Information Security Manual (NZISM)
What threats do you face?
Identify and document the potential threats to your information security and ensure that this information is kept current. Ask yourself, ‘Who would benefit from having access to our organisation’s information and what information would they want?’
Threats to the security of your information can come from inside and outside your organisation. Your information in all forms — electronic, printed and spoken — needs appropriate protection. Information stored and processed on IT systems or mobile devices is vulnerable to cyber-specific threats.
Threats evolve continually. Your chief security officer (CSO) should refer to the following threat catalogues to stay ahead of the emerging threats:
Cyber threat reports — National Cyber Security Centre
Current Activity — US Computer Emergency Readiness Team
Software Engineering Institute — Carnegie Mellon University
What impact would a security breach have?
Assess how your organisation would be impacted if your information security is breached. Think about the confidentiality, integrity, and availability of your information. Think about how your people, clients, and partners would be impacted.
Consider the impact on your organisation if:
- a database with sensitive information was corrupted
- an unauthorised person deliberately accessed and shared sensitive information with the media
- information was accidentally released to third parties.
Page last modified: 4/05/2022