Scribd Logo
Upload

Welcome to Scribd!

  • 9) HND - SEC - W9 - Risk Assessment and Integrated Enterprise Risk Management.-2

    Uploaded by

    Dulanja Omesh
    7 views17 pages
    The document discusses security risks related to hardware, software, and organizational risk management. It summarizes key points about hardware and software risk assessment, the Data Protection Act of 1998, the Computer Misuse Act of 1990, and ISO 31000 Risk Management. The Data Protection Act established rules for handling personal data. The Computer Misuse Act made hacking and unauthorized computer access illegal. ISO 31000 provides principles for integrating risk management into governance and decision-making.

    Original Description:

    Original Title

    9) HND_SEC_W9_Risk Assessment and Integrated Enterprise Risk Management.-2

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    The document discusses security risks related to hardware, software, and organizational risk management. It summarizes key points about hardware and software risk assessment, the Data Protection Act of 1998, the Computer Misuse Act of 1990, and ISO 31000 Risk Management. The Data Protection Act established rules for handling personal data. The Computer Misuse Act made hacking and unauthorized computer access illegal. ISO 31000 provides principles for integrating risk management into governance and decision-making.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    7 views17 pages

    9) HND - SEC - W9 - Risk Assessment and Integrated Enterprise Risk Management.-2

    Uploaded by

    Dulanja Omesh
    The document discusses security risks related to hardware, software, and organizational risk management. It summarizes key points about hardware and software risk assessment, the Data Protection Act of 1998, the Computer Misuse Act of 1990, and ISO 31000 Risk Management. The Data Protection Act established rules for handling personal data. The Computer Misuse Act made hacking and unauthorized computer access illegal. ISO 31000 provides principles for integrating risk management into governance and decision-making.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 17

    Unit 5 –Security

    LO3. Review mechanisms to control organisational IT


    security.
    9. Risk Assessment and Integrated Enterprise Risk
    Management.-2

    1
    Hardware and Software Risk
    Assessment
    ▪A security risk assessment identifies, assesses, and
    implements key security controls in applications. It also
    focuses on preventing application security defects and
    vulnerabilities.

    2
    Hardware Risks and Software Risks

    Hardware Risks Software Risks


    Computers with conventional Unpatched or out-of-date
    BIOS. operating systems
    Computers without pre-boot Unpatched web browsers
    authentication (PBA) or a
    Trusted Platform Module (TPM)

    3
    Hardware Risk

    ▪Computers with conventional BIOS.


    Older PCs, as well as laptops and notebooks, with
    conventional BIOS cannot run Secure Boot. Secure Boot
    helps to prevent malware from loading onto a computer
    during the boot process.

    4
    Software Risks

    ▪Unpatched or out-of-date productivity software


    Running unpatched versions of Microsoft Office,
    especially older versions like Office 2002, Office 2003
    and Office 2007, is risky.
    A common vulnerability is the potential for remote code
    execution when a user opens or previews a maliciously
    prepared file or visits a website containing content that
    exploits the vulnerability.

    5
    Data Protection Act of 1998

    ▪The Data Protection Act 1998 (DPA 1998) is an act of


    the United Kingdom (UK) Parliament defining the
    ways in which information about living people may be
    legally used and handled.
    ▪The main intent is to protect individuals against
    misuse or abuse of information about them.
    ▪The DPA was first composed in 1984 and was
    updated in 1998.

    6
    Why the Data Protection Act was
    developed?
    ▪Give protection
    ▪Lay down rules about “how data about people can be
    used?”
    ▪The Data Protection Act (1998) states that organizations
    which store personal information must register and state
    the purpose for which they need the information.

    7
    Data Protection Act of 1998

    Information or data stored on a computer or an organized


    paper filing system about living people in different
    departments such as:
    ▪Tax Office
    ▪National Insurance
    ▪Driver and Vehicle Licensing Centre
    ▪Police etc.

    8
    How the Act works?

    ▪By setting up rules that people have to follow.


    ▪Having an Information Commissioner to enforce the
    rules

    9
    Who’s involved?

    ▪The Information Commissioner


    The person (and her office) who has powers
    to enforce the Act.
    ▪A data controller
    A person or company that collects and keeps data about
    people.
    ▪A data subject is someone who has data about them
    stored somewhere, outside their direct control.

    10
    Computer Misuse Act of 1990

    ▪This is an Act to make provision for securing computer


    material against unauthorised access or modification;
    and for connected purposes.

    11
    It is designed to stop the 3 main
    offences under the act:

    ▪Unauthorised access to computer material (hacking).


    ▪Unauthorised access with intent to commit or facilitate
    commission of further offences.
    ▪Unauthorised modification of computer material.

    12
    ISO 31000 Risk Management

    ▪Risk is: The effect of uncertainty on the ability of an


    organization to meet its objectives.
    ▪Risk management is: The range of activities that an
    organization intentionally undertakes to understand and
    reduce these effects.

    13
    ISO 31000 Risk Management

    ▪Effective risk management is: Executing these


    activities efficiently and in a way that actually and
    demonstrably improves the ability of the organization to
    meet its objectives in a repeatable fashion.

    14
    ISO 31000 Risk Management

    ▪ISO 31000 provides direction on how companies can


    integrate risk-based decision making into an
    organisation’s governance, planning, management,
    reporting, policies, values and culture.
    ▪It is an open, principles-based system, meaning it
    enables organisations to apply the principles in the
    standard to the organisational context.

    15
    ISO 31000 contains:

    ▪A set of risk management terms and their definitions.


    ▪Set of principles for guiding and informing effective risk
    management for an enterprise.
    ▪An outline and process for creating a risk management
    framework.
    ▪An outline and process for creating a risk management
    process.

    16
    Lesson Summary

    ▪Hardware and Software Risk Assessment


    ▪Data Protection Act of 1998
    ▪Computer Misuse Act of 1990
    ▪ISO 31000 Risk Management

    17

    You might also like