An ISP is a detailed plan in which the company measures its risk. Most ISP assessments looking at a company’s strategic, Tactical and Operational plan. The plan also rank and assess amount of risk the company is taking these documents normally take account for contain such as Privacy, Policy, audit, Compliance and technical security and Access control. This plan also details how to protect the company’s information. And also should have a roster of people in the organization.
Strategic has organization and Authority. Enterprise security framework and Security vision and strategy. (BCP, Back up servers)
Tactical has Policy, audit & compliance, risk management, privacy, awareness and education. (Training, user agreements and checks and balances.)
Operational access control, monitoring, assets and physical. (Gates, PTZ and turnstiles)
The stuxnet virus made an Iranian nuclear facility lose the availability of their nuclear reactors when the virus made raised the RPM of the rotors spin so fact that they physically broke. So at that point they had no way to use the reactor until it was fixed.
If some way was to comprise an email hash and was able to change around the message then that would damage the integrity of the message because we don’t know what the original message looked like.
By someone giving up secret information they could out us Assets and unveil spies confidently. Well the amount of data can be counted in risk assessment in a qualitative manor. There is no way to really but a number price on to lost data also when it comes to human loss of life. But when it comes to something like damaged computers you can assess that in a quantitative manor. You can place a number on that and say that it cost an dollar amount and if need be it can be replaced.