standards and practices enforcing the C2 environment are current and appropriate. System administrators must be trained and empowered to do their jobs. There must be periodic risk assessments and formal audits to ensure compliance with policy.

Modification

The primary impact of this class of threats is on the integrity requirement. Recall that integrity, as defined in the GSP, includes both accuracy and completeness of the information. A hacker attempt would fall into this class of threat if changes were made.

Destruction

A threat which destroys the asset falls into the destruction class. Assets that have a high availability requirement are particularly sensitive to destruction. Threats such as earthquake, flood, fire and vandalism are within the destruction class.

Removal or Loss

When an asset is subject to theft or has been misplaced or lost, the impact is primarily on the confidentiality and availability of the asset. Portable computers or laptops are particularly vulnerable to the threat of removal or loss.

Threat Likelihood

The practitioner must consider, on a per-asset basis, both the type of threat that the asset may be subjected to and the likelihood of the threat. The likelihood of threat can be estimated from past experience, from threat information provided by lead agencies, and from sources such as other organizations or services. Likelihood levels of low, medium and high are used according to the following definitions (Source: Government of Canada Security Policy):

Not Applicable may be used to indicate that a threat is considered not to be relevant to the situation under review.
Low means there is no history and the threat is considered unlikely to occur.
Medium means there is some history and an assessment that the threat may occur.
High means there is a significant history and an assessment that the threat is quite likely to occur.

Consequences, Impact and Exposure

Once the assets are listed and the threats are categorized according to the five major classes, the practitioner must assess the impact of a threat occurring in the absence of any safeguards. In order to assess the impact, the practitioner must be able to understand and describe the business of the organization. The practitioner must consider .