
QUEZON CITY UNIVERSITY

COLLEGE OF COMPUTER STUDIES

IAS101 – FUNDAMENTAL OF INFORMATION ASSURANCE AND SECURITY 1

NAME: Vida, John Paul S.


STUDENT NO: 20-2167
YEAR/SECTION: 3rd Year / SBIT - 3L
DATE: 3-7-23

Risk Management
● Risk management is the process of identifying risk, assessing risk, and taking steps to reduce risk to an acceptable level.
● The risk management approach determines the processes, techniques, tools and team roles and responsibilities for a specific project.
● The risk management plan describes how risk management will be structured and performed on the project.

Approaches to Risk Management


- The most common approach to risk management is to manage individual risks recorded and assessed in a project risk register (PRR).
- Although this approach is relatively simple and likely to add value if implemented competently, it should not be assumed to be best practice.
- There are alternative approaches that have the potential to add more value.
- A project with high risk management capability will recognize this and select tools and techniques appropriate to the circumstances and purposes of the project.

APPROACH NO. 1: TOP-DOWN MULTI-PASS PROCESS


This approach can be used from the outset of a project. It is based on the principles that:
● One needs to start with a high-level understanding of the project, ensuring that risk is understood, quantified and managed in an appropriate and rational manner.
● The risk management process should address the key questions that require risk-based decisions.
● Key risk questions may change from one pass of the risk management process to the next, depending upon insights gained from the previous pass and other events that have occurred in the meantime.
● Risk management techniques should be selected to address the key questions; different techniques may be required during successive passes of the process.
● These techniques can be used to optimize decisions that shape the project solution.

APPROACH NO. 2: QUANTITATIVE RISK-BASED FORECASTING


● This approach involves modeling the implications of a project plan to obtain a risk-based forecast for the project cost and/or the completion dates for key milestones.
● This may be particularly valuable information at key project authorization points when governance requirements include confidence forecasts. In some cases, it may also be possible to apply similar modeling techniques to the project's products.

APPROACH NO. 3: RISK REGISTER


● This is the common-practice approach of using a single pass to identify a list of risks and enter them into a risk register for assessment and risk response planning.
● Risks are then reviewed on a regular basis to update the risk information and verify that risk responses are implemented.

Business Impact Analysis (BIA)


Business Impact Analysis - is a systematic process to determine and evaluate the potential effects of
an interruption to critical business operations as a result of a disaster, accident or emergency.

How to conduct a BIA


- Gathering information
- Evaluating the collected information
- Preparing a report to document the findings
- Presenting the results

Business Continuity Plan (BCP)


● Business Continuity Planning - is the process involved in creating a system of prevention and recovery from potential threats to a company.
● The plan ensures that personnel and assets are protected and are able to function quickly in the event of a disaster.
● The BCP is generally conceived in advance and involves input from key stakeholders and personnel.
● BCP involves defining any and all risks that can affect the company's operations, making it an important part of the organization's risk management strategy.
● Risks may include natural disasters—fire, flood, or weather-related events—and cyber-attacks.
Once the risks are identified, the plan should also include:
- Determining how those risks will affect operations
- Implementing safeguards and procedures to mitigate the risks
- Testing procedures to ensure they work
- Reviewing the process to make sure that it is up to date

Disaster Recovery Plan (DRP)


Disaster Recovery Plan (DRP) - is a plan for business continuity in the event of a disaster that
destroys part or all of a business's resources, including IT equipment, data records and the physical
space of an organization.

Stages of a Disaster Recovery Plan


The goal of a DRP is to resume normal computing capabilities in as little time as possible. A typical DRP has several stages, including the following:
- Understanding an organization's activities and how all of its resources are interconnected.
- Assessing an organization's vulnerability in all areas, including operating procedures, physical space and equipment, data integrity and contingency planning.
- Understanding how all levels of the organization would be affected in the event of a disaster.
- Developing a short-term recovery plan.
- Developing a long-term recovery plan, including how to return to normal business operations and prioritizing the order of functions that are resumed.
- Testing and consistently maintaining and updating the plan as the business changes. A key to a successful DRP is taking steps to reduce the likelihood of disasters occurring, together with recovery provisions such as a hot site or cold site holding backed-up data archives (strictly, an alternate site is a recovery control rather than a preventive one: it shortens the outage instead of stopping the disaster).

Benefits accrue from an IT risk assessment


An IT risk assessment does more than just tell you about the state of security of your IT infrastructure;
it can facilitate decision-making on your organizational security strategy.

Some of the benefits of conducting an IT risk assessment are:


● Identify security threats and vulnerabilities. Conducting an IT risk assessment can help locate vulnerabilities in your existing IT infrastructure and enterprise applications before these are exploited by hackers. Appropriate action can then be taken to patch and fix these vulnerabilities, reducing IT risk and the potential impact of any breach.
● Identify the maturity level of existing security controls and tool usage. An IT risk assessment can help evaluate the existing defenses and preventive/corrective controls in place. The identified areas of improvement can then be mapped against the current technology landscape to ascertain if improvements are possible (additional security controls, or a possible correlation of data arising from these controls that can result in advanced threat intelligence, for instance). The IT assessment thus highlights remediation measures to maximize current investments.

● Enhance enterprise-wide security policies. Not only will the assessment help plug holes in your security, but, by tying IT risk to enterprise-wide risk management, it can help create more secure solutions, practices and policies within the organization. This will improve the overall security of information in the organization and help identify what security strategy best suits your organization.
● Gauge security awareness and readiness. An IT risk assessment needs the involvement of various IT security personnel, as well as other employees and managers, which will help you gauge how aware various individuals and departments are of security threats, vulnerabilities, practices and solutions.

Risk Mitigation
- Risk mitigation strategies are designed to eliminate, reduce or control the impact of known risks intrinsic to a specified undertaking, before any injury or fiasco occurs.
- With these strategies in place, risks can be foreseen and dealt with. Fortunately, today's technology allows businesses to formulate their risk mitigation strategies to the greatest capacity yet.
- While every organization needs to identify the strategies that are most appropriate for them, here are a few simple strategies to perfect the process.

Risk Evaluation
Appropriate risk reduction methods cannot be developed until the possible hazards, disadvantages or
losses are thoroughly evaluated.
The steps included in risk evaluation are as follows.
1. Identification - Risk identification must first and foremost establish whether the risk is preventable. Preventable risks come from within the organization; they can usually be managed on a rule-based level, such as by monitoring operational procedures and providing guidance and instruction to employees and managers.
2. Impact Assessment - Determine the probability and significance of certain "risky" events. Anticipated risks can (and should) be rated according to their degree of probability.
3. Develop Strategy - Risk mitigation planning strategies and implementations should be developed for risks categorized as high or medium probability. Low risks may be tracked or monitored for impact but are less important in this step.
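The three evaluation steps above, together with the risk register (Approach 3) and the quantitative risk-based forecast (Approach 2), can be tied together in a small worked example. The code below is an added illustration written for these notes, not part of the original handout or of any particular framework: it holds a constructed project risk register, rates each entry by probability, decides which entries need a mitigation plan, and then runs a Monte Carlo simulation over the register to produce P50/P80/P95 cost forecasts of the kind a governance board might ask for at an authorization point. The risk entries, the cost figures and the high/medium/low thresholds are all assumptions chosen for the example.

```python
import random
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Risk:
    """One entry of a project risk register (PRR). All values are constructed."""
    rid: str
    description: str
    probability: float   # likelihood the event occurs during the project, 0..1
    impact_cost: float   # cost added if it occurs, same units as the base estimate
    preventable: bool    # step 1: internal risk manageable by rule-based controls


# Constructed sample register; identifiers, wording and numbers are made up.
REGISTER: List[Risk] = [
    Risk("R1", "Key supplier misses delivery", 0.30, 40_000, False),
    Risk("R2", "Unpatched server is compromised", 0.10, 120_000, True),
    Risk("R3", "Scope change requested late", 0.50, 25_000, False),
    Risk("R4", "Staff turnover on core team", 0.20, 15_000, True),
]


def rate_probability(p: float) -> str:
    """Step 2: bucket a probability into high/medium/low bands.

    The thresholds (>= 0.4 high, >= 0.2 medium, else low) are an assumption
    of this example, not a figure from the notes.
    """
    if p >= 0.4:
        return "high"
    if p >= 0.2:
        return "medium"
    return "low"


def plan_required(risk: Risk) -> bool:
    """Step 3: high and medium probability risks get a mitigation plan;
    low-probability risks are only tracked or monitored."""
    return rate_probability(risk.probability) in ("high", "medium")


def risk_exposure(risk: Risk) -> float:
    """Expected cost contribution of one register entry: probability x impact."""
    return risk.probability * risk.impact_cost


def forecast_cost(register: List[Risk], base_cost: float,
                  trials: int = 20_000, seed: int = 1) -> Dict[str, float]:
    """Approach 2: Monte Carlo risk-based cost forecast.

    Each trial independently decides, for every risk, whether it fires
    (uniform draw < probability) and adds its impact to the base estimate.
    The sorted totals give confidence levels: P80 is the cost that 80% of
    simulated outcomes do not exceed.
    """
    rng = random.Random(seed)          # fixed seed keeps the forecast reproducible
    totals = []
    for _ in range(trials):
        total = base_cost
        for r in register:
            if rng.random() < r.probability:
                total += r.impact_cost
        totals.append(total)
    totals.sort()

    def pct(q: float) -> float:
        idx = min(len(totals) - 1, int(q * len(totals)))
        return totals[idx]

    return {"P50": pct(0.50), "P80": pct(0.80), "P95": pct(0.95)}


if __name__ == "__main__":
    for r in REGISTER:
        band = rate_probability(r.probability)
        action = "mitigation plan" if plan_required(r) else "monitor only"
        print(f"{r.rid} {band:6s} exposure={risk_exposure(r):>9,.0f}  {action}")
    print(forecast_cost(REGISTER, base_cost=500_000))
```

Reading the output, the expected-value column is what a single-pass register review usually stops at, while the percentile forecast shows how far the tail sits above the base estimate; the gap between P50 and P95 is driven almost entirely by the low-probability, high-impact entry, which is exactly the kind of risk a probability-only rating would park in the "monitor only" band.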
