
Vulnerabilities

Conducting a Business Continuity Risk Assessment requires identifying the individual vulnerabilities that might increase the organisation’s exposure to certain threats. A vulnerability is defined as:

“A weakness in a resource or group of resources that can be exploited by one or more threats.”

Vulnerabilities can also be included in the Information Security Assessment. The procedure for adding vulnerabilities to either assessment is as follows:

Adding vulnerabilities

Vulnerabilities are added at a BC Assessment or IS Assessment level. To manage vulnerabilities, select "Identify Vulnerabilities" from the assessment workflow.

Vulnerabilities can only be modified when the vulnerability assessment is unlocked. To do this, click “Modify the Vulnerability Assessment” in the sidebar. Additional vulnerabilities can now be added by clicking the “Add vulnerability” link. Vulnerabilities can also be added from the Abriska “Vulnerability Library”, which contains template examples of vulnerabilities. Once all of the vulnerabilities have been added, click “Complete Vulnerability Assessment” to progress to the next stage of the risk assessment.

Adding a vulnerability

When initially adding a vulnerability, only the name and description fields are required. The reference will be automatically generated by Abriska depending on the next available reference number. Once a vulnerability is added, it needs to be classified in terms of vulnerability type, which resources/assets it is linked to, and which threats it affects. Vulnerability types are explained below; see Conducting a Business Continuity Risk Assessment for an explanation of how to link vulnerabilities with resources and threats.

After a new vulnerability is added, each threat that is linked to it must be reviewed.

Vulnerability Types

Each vulnerability could affect an organisation’s resources in a different way. It could be a combination of the factors described below.
  • Increase likelihood - The resources that are affected by this vulnerability are more likely to be affected by the threats that this vulnerability is linked to. For example, if an organisation’s HQ is located on a flood plain then there is a higher chance of flooding.
  • Increase impact - Due to this vulnerability, the impact on the organisation would be greater. For example, if a single point of knowledge exists within one worker, the impact of the threat “loss of key staff” would be increased.
  • Increase duration - Due to this vulnerability, the time to recover the related resources after an incident is increased. For example, if specialised/unique equipment is used within a process and it fails, the time to recover will be increased.

Types are entered against each vulnerability under the “Types” tab.