Threat Models for Information Security
We will identify actual threats to information security
What is a threat model?
A threat model is a description of the properties or characteristics of threats to information security. The information in question can be personal data (152-FZ), commercial information, or other information whose disclosure can have negative consequences for the company or its employees. The threat model is developed to determine the relevant threats to the security of information processed in the personal account. The list of relevant threats is then used to form appropriate information security requirements and to define the composition and content of protection measures.
What do we offer?
- Development of threat model documents
- Description of information security threats
- Updating the threat model
- Description of possible violations (external and internal)
- Determining the level of protection of personal data and recommendations for their protection
Additional work
01. Search for evidence of illegal activities in the company's information space
02. Planning the life cycle of software development
03. Source code audit
Threat Model Development Process
01. Analysis of the information system and internal documentation
02. Analysis of the execution environment and infrastructure
03. Development of the threat model
04. Compilation of a list of recommendations to eliminate threats
What will you receive?
As a result of our work, you will receive documents — a Threat Model with a description of potential problems and solutions that can lead to negative consequences.
Our clients receive a detailed report on the current state of information protection, data security within the system, potential risks and threats to which data is exposed. As a result of the work, we issue instructions for improving the situation, depending on the scale and specifics of the project being studied.
Additional work may be carried out if necessary: source code audit, planning the life cycle of software development, searching for evidence of illegal activities in the company’s information space, etc. Our experts have extensive experience in this field and are ready to perform an audit of information security of automated systems, as well as an audit of the security of software products.
Example document structure
List of terms and abbreviations
We provide a list of terms and abbreviations used in this document.
Introduction
We indicate the goals of creating this document, its content and a description of the object of protection.
1. General provisions
1.1. Full name of the system and its abbreviated name
1.2. List of initial documents on the security of personal data (PDn)
1.3. List of initial documents on the security of other confidential data
2. Description of the personal account
2.1. Personal account landscape
2.1.1. Personal account development environment
2.1.2. Personal account testing environment
2.1.3. Personal account production environment
2.2. Functional components
2.3. Software and hardware
2.4. Protected resources
2.5. Personal account users
2.5.1. Internal users
2.5.2. External users
2.5.3. Supporting staff
2.6. Characteristics of the security of protected resources
3. Model of a violator of the security of information processed in the personal account
3.1. General description of the violator of information security
3.2. Model of a violator of the security of PDn processed in the personal account
3.2.1. External violator
3.2.2. Internal violator
3.2.3. Likely violators of security
3.2.4. Description of the capabilities of likely violators
3.3. Model of a violator of the security of other confidential information processed in the personal account
3.3.1. External violator
3.3.2. Internal violator
3.3.3. Likely violators of security
3.3.4. Description of the capabilities of likely violators
4. Model of threats to the security of information processed in the personal account
4.1. Model of threats to the security of PDn processed in the personal account
4.1.1. Threat sources
4.1.2. Initial security level of the ISPDn
4.1.3. Description of threats to security
4.1.4. Relevance of security threats
4.1.5. Conclusion
4.2. Model of threats to the security of other confidential information processed in the personal account
4.2.1. Threat sources
4.2.2. Description of threats to security
4.2.3. Relevance of security threats
4.2.4. Conclusion
Cost of work
Our specialists determine the scope of the project during the pre-project survey, describe the main tasks, and calculate the labor costs for their implementation. Based on this information, we prepare a personalized commercial offer that states what is planned to be done, in what time frame, and at what cost.
The basic cost of the project is from 500 000 rubles.
The cost of work depends on:
- The complexity of the task
- The size of the automated business process
- The expected number of business processes