How do we decide what level of security a particular product should have? How do we determine by what mechanisms, technologies or measures we achieve that level of security?
The answer lies partly in the above: in our security requirements, standards, procedures and guidelines, which are designed to ensure a certain security baseline and common practices. However, these cannot tell us what is appropriate for a particular product in a particular environment or context, whether that context is technical, geographical, determined by the threat environment, or determined by the type of data the product processes.
For example, what level of security should we have for an international cloud payroll system, for an on-premise ERP system, a mobile expense app, a system for handling boardroom activities or even a bank integration? What are the risks of unwanted or unauthorised destruction, misuse or disclosure of data for each product? What are the threats against each product?
The answers to these questions are determined through risk assessments. A risk assessment aims to determine which technical and organisational measures are required to ensure a level of security appropriate to the risk presented by the processing of data (customer data and personal data), having regard to the context of the product in question.
Specifically within VASP and VCDM, this is done in three ways (see sub-sections).