Posts

Showing posts with the label risk

Critical Data vs Sensitive Data

When classified data are disclosed or lost, an organization can suffer serious disruption to its business, such as reputational damage and loss of income. Classified data can be critical or sensitive to a business, but what is the difference between the two? Sensitive data are meant to be kept confidential. When sensitive data are disclosed, the competitive position of the business can be weakened or destroyed outright. An organization can also be held liable for a data breach if it has not shown due care and due diligence in managing its security. Critical data are meant to ensure availability: when such data are lost, the service that relies on them becomes unavailable, and in some cases the whole business is affected. Critical data can range from configuration files to an entire set of business data.

A quick reminder: Don't stress on both threat and vulnerability

Threat and vulnerability are two tightly coupled aspects. There is no point in focusing on a vulnerability if the threat does not exist; likewise, there is no point in stressing about a threat if your asset is not affected by the corresponding vulnerability (or weakness). The question one should ask is "What are the risks to my asset?", and to answer it we need to run a full Business Impact Analysis (BIA), which involves both qualitative and quantitative risk assessment. As a general equation:

Risk = Vulnerability x Threat

On the basis of this equation, we can conclude that if an asset has a vulnerability and that vulnerability is exposed to a known threat, then the asset is at risk. Since risk requires both elements to be present, you only need to eliminate one of the two, not both, to eliminate the risk.

originally posted here