
Unit VIII

Information Security & Control

Information security controls are measures taken to reduce information security
risks such as information systems breaches, data theft, and unauthorized changes to
digital information or systems. These security controls are intended to help protect
the availability, confidentiality, and integrity of data and networks, and are
typically implemented after an information security risk assessment.

Types of information security controls include security policies, procedures, plans,
devices and software intended to strengthen cybersecurity.

There are three categories of information security controls:

• Preventive security controls, designed to prevent cyber security incidents.
• Detective security controls, aimed at detecting a cyber security breach attempt
  (“event”) or successful breach (“incident”) while it is in progress, and
  alerting cyber security personnel.
• Corrective security controls, used after a cyber security incident to help
  minimize data loss and damage to the system or network, and restore critical
  business systems and processes as quickly as possible (“resilience”).

Security controls come in the form of:

• Access controls, including restrictions on physical access such as security
  guards at building entrances, locks, and perimeter fences.
• Procedural controls such as security awareness education, security framework
  compliance training, and incident response plans and procedures.
• Technical controls such as multi-factor user authentication at login, logical
  access controls, antivirus software, and firewalls.
• Compliance controls such as privacy laws and cyber security frameworks and
  standards.

The most widely used information security frameworks and standards include:

• The National Institute of Standards and Technology (NIST) Special Publication
  800-53, Security and Privacy Controls for Federal Information Systems and
  Organizations. This document lists security requirements useful not only for
  federal agencies but for all organizations’ information security risk
  management programs.
• The International Organization for Standardization (ISO) standard ISO 27001,
  Information Security Management, which provides guidance on information
  technology security and computer security.
• The Payment Card Industry Data Security Standard (PCI DSS), which establishes
  security requirements and security controls for the protection of sensitive
  data associated with personal credit card and payment card information.
• The Health Insurance Portability and Accountability Act (HIPAA), a federal law
  regulating information security and privacy protections for personal health
  information.

Frameworks and standards are systems that, when followed, help an entity to
consistently manage information security controls for all their systems, networks,
and devices, including configuration management, physical security, personnel
security, network security, and information security systems. They define what
constitutes good cybersecurity practices and provide a structure that entities can
use for managing their information security controls.

• Information – Resource/Asset
• Threats –
  • Internal – Employee, Physical, Virus, System/Network failure
  • External – Competitors, Hackers, Virus, Natural calamities

Internal Control
• Training
• Passwords
• User Termination
• Access review
• Authorization levels
• Routine audit & maintenance
• Software & antivirus updates
• Physical access control
• Audit Trails

External Control
• Firewall Protection
• Remote Dial-in control

QUALITY ASSURANCE & QUALITY CONTROL

Quality assurance (QA) and quality control (QC) are two terms that are often
used interchangeably. Although similar, there are distinct differences
between the two concepts.

Quality assurance and quality control are two aspects of quality management.
While some quality assurance and quality control activities are interrelated,
the two are defined differently. Typically, QA activities and responsibilities
cover virtually all of the quality system in one fashion or another, while QC is
a subset of the QA activities. Also, elements in the quality system might not
be specifically covered by QA/QC activities and responsibilities but may
involve QA and QC. Figure 1 shows ISO 9000 definitions from ISO 9000:2015:
Quality management systems - Fundamentals and Vocabulary.
Quality Assurance
Quality assurance can be defined as "part of quality management focused on
providing confidence that quality requirements will be fulfilled." The
confidence provided by quality assurance is twofold—internally to
management and externally to customers, government agencies, regulators,
certifiers, and third parties. An alternate definition is "all the planned and
systematic activities implemented within the quality system that can be
demonstrated to provide confidence that a product or service will fulfill
requirements for quality."

• QA: Maintenance of a desired level of quality in a service or product,
  especially by means of attention to every stage of the process of delivery or
  production.
• Software quality assurance (SQA) is a process which ensures that developed
  software meets and complies with defined or standardized quality
  specifications.

Quality Control
Quality control can be defined as "part of quality management focused on
fulfilling quality requirements." While quality assurance relates to how a
process is performed or how a product is made, quality control is more the
inspection aspect of quality management. An alternate definition is "the
operational techniques and activities used to fulfill requirements for quality."

Need for SQA:
• Customers don’t expect failure
• Failures will have massive effects
• Delivering good quality

Difference between Quality Assurance (QA) and Quality Control (QC)

1. QA: It is a procedure that focuses on providing assurance that the quality
   requested will be achieved.
   QC: It is a procedure that focuses on fulfilling the quality requested.
2. QA aims to prevent defects.
   QC aims to identify and fix defects.
3. QA: It is a method to manage the quality (Verification).
   QC: It is a method to verify the quality (Validation).
4. QA does not involve executing the program.
   QC always involves executing a program.
5. QA is a preventive technique.
   QC is a corrective technique.
6. QA is a proactive measure.
   QC is a reactive measure.
7. QA is the procedure to create the deliverables.
   QC is the procedure to verify the deliverables.
8. QA is involved in the full software development life cycle.
   QC is involved in the full software testing life cycle.
9. In order to meet the customer requirements, QA defines standards and
   methodologies.
   QC confirms that the standards are followed while working on the product.
10. QA is performed before Quality Control.
    QC is performed only after the QA activity is done.
11. QA is a low-level activity; it can identify errors and mistakes which QC
    cannot.
    QC is a high-level activity; it can identify errors that QA cannot.
12. QA’s main motive is to prevent defects in the system. It is a less
    time-consuming activity.
    QC’s main motive is to identify defects or bugs in the system. It is a more
    time-consuming activity.
13. QA ensures that everything is executed in the right way, and that is why it
    falls under verification activity.
    QC ensures that whatever we have done is as per the requirement, and that is
    why it falls under validation activity.
14. QA requires the involvement of the whole team.
    QC requires the involvement of the testing team.
15. The statistical technique applied to QA is known as SPC or Statistical
    Process Control.
    The statistical technique applied to QC is known as SQC or Statistical
    Quality Control.

Ethical & Social Dimensions

Ethical Dimensions:
• Inappropriate use of technology & resources
• Inefficiency
• Record manipulations
• Deletion/distortion of information
• Unauthorized access to databases
• Fraudulent fund transfers
• Unauthorized use of passwords, cards, PINs, etc.
• Criminal hacking
• Developing & transferring viruses
• Unauthorized e-mail monitoring
• Unauthorized surveillance
• Privacy issues

Social Dimensions:
• Automation leading to unemployment
• New employment in the IT area
• Creating a knowledge-based society
• New ways of wealth creation
• Globalization
• Removed social barriers
• Self-centered society

Intellectual Property Rights (IPRs)

Intellectual property rights are legal rights that provide creators protection for
original works, inventions, or the appearance of products, artistic works,
scientific developments, and so on.

Although intellectual property rights protection may seem to provide a
minimum amount of protection, when they are utilized wisely, they can
maximize the benefit and value of a creation and enable world-changing
technology to be developed, protected, and monetized.

IPR as related to IT Services / Products

Intellectual Property Rights:
• Creations of the mind for which exclusive rights are recognized
• Exclusive rights to a variety of intangible assets
• Musical, literary, and artistic works; discoveries and inventions; and words,
  phrases, symbols, and designs
• Common types of intellectual property rights include copyright, trademarks,
  patents, and industrial design rights
• In the IT era, protecting IP is difficult
• Information can easily be copied and distributed

IP related to IT Products/Services
• Invention of new technologies in computers
• Inventions in networking – GPS
• Inventions in OS and software
• Inventions in enterprise systems – SAP, ERP
• Inventions in mobile computing

There are four types of intellectual property rights (IP): patents,
trademarks, copyrights, and trade secrets.

Types of IPR
• Patent: Exclusive right granted for an invention, which is a product or a process
  that provides a new way of doing something, or offers a new technical solution
  to a problem.
• Trademarks:
  • A trademark is a distinctive sign that identifies certain goods or services
    as those produced or provided by a specific person or enterprise.
  • It may be one or a combination of words, letters, and numerals.
• Copyrights:
  • Legal term describing the rights given to creators for their literary and
    artistic works, such as novels, poems, etc.
• Trade Secret:
  • Trade secrets are the secrets of a business. They are proprietary systems,
    formulas, strategies, or other information that is confidential and is not
    meant for unauthorized commercial use by others. This is a critical form of
    protection that can help businesses to gain a competitive advantage.

IPR related to IT Products/Services

IPR          IT Service/Product
Copyrights   New IT theories, methodologies
Trademarks   New designs in OS, software
Patents      New hardware devices, networking technologies


Computer crime

Computer crime is an act performed by a knowledgeable computer user, sometimes
referred to as a hacker, who illegally browses or steals a company's or
individual's private information. In some cases, this person or group of
individuals may be malicious and destroy or otherwise corrupt the computer or
data files.

Examples of computer crimes
Below is a listing of the different types of computer crimes today.

• Child pornography - Making or distributing child pornography.
• Copyright violation - Stealing or using another person's copyrighted material
  without permission.
• Cracking - Breaking or deciphering codes designed to protect data.
• Cyber terrorism - Hacking, threats, and blackmail directed at a business or
  person.
• Cyberbullying or cyberstalking - Harassing or stalking others online.
• Cybersquatting - Setting up a domain in the name of another person or company
  with the sole intention of selling it to them later at a premium price.
• Creating malware - Writing, creating, or distributing malware (e.g., viruses
  and spyware).
• Denial of Service attack - Overloading a system with so many requests that it
  cannot serve normal requests.
• Doxing - Releasing another person's personal information without their
  permission.
• Espionage - Spying on a person or business.
• Fraud - Manipulating data, e.g., changing banking records to transfer money to
  an account, or participating in credit card fraud.
• Harvesting - Collecting account or account-related information on other people.
• Human trafficking - Participating in the illegal act of buying or selling other
  humans.
• Identity theft - Pretending to be someone you are not.
• Illegal sales - Buying or selling illicit goods online, including drugs, guns,
  and psychotropic substances.
• Intellectual property theft - Stealing practical or conceptual information
  developed by another person or company.
• IPR violation - An intellectual property rights violation is any infringement
  of another's copyright, patent, or trademark.
• Phishing or vishing - Deceiving individuals to gain private or personal
  information about that person.
• Salami slicing - Stealing tiny amounts of money from each transaction.
• Scam - Tricking people into believing something that is not true.
• Slander - Posting libel or slander against another person or company.
• Software piracy - Copying, distributing, or using software that was not
  purchased by the user of the software.
• Spamming - Distributing unsolicited e-mail to dozens or hundreds of different
  addresses.
• Spoofing - Deceiving a system into thinking you are someone you're not.
• Swatting - Calling in a false police report to someone else's home.
• Typosquatting - Setting up a domain that is a misspelling of another domain.
• Unauthorized access - Gaining access to systems you have no permission to
  access.
• Wiretapping - Connecting a device to a phone line to listen to conversations.

What is cybercrime?
Cybercrime is criminal activity that either targets or uses a computer, a
computer network or a networked device.

Most, but not all, cybercrime is committed by cybercriminals or hackers who
want to make money. Cybercrime is carried out by individuals or organizations.

Some cybercriminals are organized, use advanced techniques and are highly
technically skilled. Others are novice hackers.

Cybercrime that targets computers often involves viruses and other types of
malware.

Cybercriminals may infect computers with viruses and malware to damage devices
or stop them working. They may also use malware to delete or steal data.

Cybercrime that stops users using a machine or network, or prevents a business
providing a software service to its customers, is called a Denial-of-Service
(DoS) attack.

Cybercrime that uses computers to commit other crimes may involve using
computers or networks to spread malware, illegal information or illegal images.

Sometimes cybercriminals conduct both categories of cybercrime at once. They
may target computers with viruses first, then use them to spread malware to
other machines or throughout a network.

Cybercriminals may also carry out what is known as a Distributed Denial-of-Service
(DDoS) attack. This is similar to a DoS attack, but cybercriminals use numerous
compromised computers to carry it out.

The US Department of Justice recognizes a third category of cybercrime, which
is where a computer is used as an accessory to crime. An example of this is
using a computer to store stolen data.

The US has signed the European Convention of Cybercrime. The convention casts a
wide net and there are numerous malicious computer-related crimes which it
considers cybercrime. For example:
• Illegally intercepting or stealing data.
• Interfering with systems in a way that compromises a network.
• Infringing copyright.
• Illegal gambling.
• Selling illegal items online.
• Soliciting, producing or possessing child pornography.
Examples of cybercrime

So, what exactly counts as cybercrime? And are there any well-known
examples?

In this section, we look at famous examples of different types of cybercrime
attack used by cybercriminals. Read on to understand what counts as
cybercrime.

Malware attacks

A malware attack is where a computer system or network is infected with a
computer virus or other type of malware.

A computer compromised by malware could be used by cybercriminals for several
purposes. These include stealing confidential data, using the computer to carry
out other criminal acts, or causing damage to data.

A famous example of a malware attack is the WannaCry ransomware attack, a
global cybercrime committed in May 2017.

Ransomware is a type of malware used to extort money by holding the victim’s
data or device to ransom. WannaCry is a type of ransomware which targeted a
vulnerability in computers running Microsoft Windows.

When the WannaCry ransomware attack hit, 230,000 computers were affected
across 150 countries. Users were locked out of their files and sent a message
demanding that they pay a Bitcoin ransom to regain access.

Worldwide, the WannaCry cybercrime is estimated to have caused $4 billion in
financial losses.

Phishing

A phishing campaign is when spam emails, or other forms of communication, are
sent en masse, with the intention of tricking recipients into doing something
that undermines their security or the security of the organization they work for.

Phishing campaign messages may contain infected attachments or links to
malicious sites. Or they may ask the receiver to respond with confidential
information.

A famous example of a phishing scam from 2018 was one which took place over the
World Cup. According to reports by Inc, the World Cup phishing scam involved
emails that were sent to football fans.

These spam emails tried to entice fans with fake free trips to Moscow, where
the World Cup was being hosted. People who opened and clicked on the links
contained in these emails had their personal data stolen.

Another type of phishing campaign is known as spear-phishing. These are
targeted phishing campaigns which try to trick specific individuals into
jeopardizing the security of the organization they work for.

Unlike mass phishing campaigns, which are very general in style, spear-phishing
messages are typically crafted to look like messages from a trusted source. For
example, they are made to look like they have come from the CEO or the IT
manager. They may not contain any visual clues that they are fake.

Distributed DoS attacks

Distributed DoS attacks (DDoS) are a type of cybercrime attack that
cybercriminals use to bring down a system or network. Sometimes connected IoT
(internet of things) devices are used to launch DDoS attacks.

A DDoS attack overwhelms a system by using one of the standard communication
protocols it uses to spam the system with connection requests.

Cybercriminals who are carrying out cyberextortion may use the threat of a DDoS
attack to demand money. Alternatively, a DDoS may be used as a distraction
tactic while another type of cybercrime takes place.

How to protect yourself against cybercrime

So, now you understand the threat cybercrime represents, what are the best ways
to protect your computer and your personal data?

Keep software and operating system updated

Keeping your software and operating system up to date ensures that you benefit
from the latest security patches to protect your computer.

Use anti-virus software and keep it updated

Using anti-virus or a comprehensive internet security solution like Kaspersky
Total Security is a smart way to protect your system from attacks.

Anti-virus software allows you to scan, detect and remove threats before they
become a problem. Having this protection in place helps to protect your
computer and your data from cybercrime, giving you peace of mind.

If you use anti-virus software, make sure you keep it updated to get the best
level of protection.

Use strong passwords

Be sure to use strong passwords that people will not guess, and do not record
them anywhere. Or use a reputable password manager to generate strong passwords
randomly to make this easier.

Never open attachments in spam emails

A classic way that computers get infected by malware attacks and other forms
of cybercrime is via email attachments in spam emails. Never open an
attachment from a sender you do not know.

Do not click on links in spam emails or untrusted websites

Another way people become victims of cybercrime is by clicking on links in spam
emails or other messages, or on unfamiliar websites. Avoid doing this to stay
safe online.

Do not give out personal information unless secure

Never give out personal data over the phone or via email unless you are
completely sure the line or email is secure. Make certain that you are speaking
to the person you think you are.

Contact companies directly about suspicious requests

If you get asked for data from a company who has called you, hang up. Call
them back using the number on their official website to ensure you are speaking
to them and not a cybercriminal.

Ideally, use a different phone because cybercriminals can hold the line open.
When you think you’ve re-dialed, they can pretend to be from the bank or other
organization that you think you’re speaking to.

Be mindful of which website URLs you visit

Keep an eye on the URLs you are clicking on. Do they look legitimate? Avoid
clicking on links with unfamiliar or spammy looking URLs.

If your internet security product includes functionality to secure online
transactions, ensure it is enabled before carrying out financial transactions
online.

Keep an eye on your bank statements

Our tips should help you avoid falling foul of cybercrime. However, if all else
fails, spotting quickly that you have become a victim of cybercrime is
important.

Keep an eye on your bank statements and query any unfamiliar transactions
with the bank. The bank can investigate whether they are fraudulent.

Cyber Law
Information Technology is changing rapidly and gaining popularity in most
aspects of our lives. Computers play an important role in today’s era, but that
also includes people involved in the commission of crimes using computers. Our
law enforcement must become more educated in the cyber sector just to be able to
keep up with all these types of criminal elements. One of the major difficulties
is educating people on cyber laws and security practices, such as handling
sensitive data, records, and transactions, and implementing robust security
technology, such as firewalls, anti-virus software, intrusion detection tools,
and authentication services on computer systems. Therefore, this section
explains a significant part of cyber security, which is Cyber Law.

Cyber law, also known as cyber crime law, is legislation focused on the
acceptable behavioral use of technology including computer hardware and
software, the internet, and networks. Cyber law helps protect users from
harm by enabling the investigation and prosecution of online criminal
activity. It applies to the actions of individuals, groups, the public,
government, and private organizations.
Cyber law is like any other legal rule or policy that should be followed in our
day to day life to stay out of any kind of trouble. These laws are formed by
keeping several issues into consideration such as our society, morals, computer
ethics, etc. The only difference is that cyber law is applied to the internet and
internet-related technologies only. Cyber law is formed to maintain discipline
and justice in the cyber world. This area in the legal system is introduced
because the crime related to computers and other technology was increasing
rapidly. These types of crimes were not falling under the category of any
existing legal category therefore a separate section was formed named Cyber
Law.

Cyber law provides legal protections to people using the internet, including both
businesses and regular citizens. It is important for anyone using the internet to
be aware of the cyber laws of their country and local area so that they know what
activity is legal online and what is not. Also, if anything happens to them
online, they know how they can act on that matter accordingly.

Areas Encompassed by Cyber Laws

These laws cover many areas and activities occurring online and serve a variety
of purposes. Some laws are formed to defend people online from malicious
activities; some laws explain the policies for using computers and the internet
in a company. All these wide categories fall under the cyber laws. Some of the
wide-ranging areas encompassed by cyber laws are:

Scam/Treachery

Cyber laws exist to protect people from online frauds and scams; these laws
prevent financial crimes and identity theft that happen online.

Copyright Issues

The Internet is the source of multiple types of content, but it is not right to
copy the hard work of any other person. There are strict policies in cyber laws
on copyright that protect the creative work of companies and individuals.

Online Insults and Character Degradation

Online platforms like social media are the best platforms to speak your mind
freely, but there is a thin line between exercising the right to speak and
defaming someone online. Cyber laws address issues like online insults, racism,
and gender-based targeting to protect a person’s reputation.

Online Harassment and Stalking

Harassment is a violation of both civil and criminal laws. This crime is a major
issue in cyberspace. The legal system has some strict laws to prohibit these
despicable crimes.

Data Protection

People using the internet risk their privacy while being online and often rely on
cyber laws and policies to protect their secrets. Also, companies should maintain
the confidentiality of data of their users.

Importance of Cyber Laws

Cyber laws are important to punish criminals who commit serious crimes related
to computers such as hacking, online harassment, data theft, disrupting the
online workflow of any enterprise, or attacking another individual or website.

Cyber laws decide different forms of punishment depending on the type of law
you broke, who you offended, where you violated the law, and where you live.

It is important to put criminals behind bars, as most cybercrimes do not fall
into the category of common crime, and this may lead to a denial of justice.

These crimes may endanger the confidentiality and financial security of a nation;
therefore these problems should be addressed lawfully.

Implementing laws in cyberspace is an important step to create a safe and secure
environment for people on cyber platforms. To protect from cybercrimes, computer
forensic science should focus on ethical hacking training and implementing cyber
security plans addressing the people, process, and technology issues that arise
nowadays. Strict cyber laws are the need of this era, where technology is
growing at rapid speed, because budgets have not been increased to keep up with
this rate of change in technology.

Essential Skills in Cybersecurity

Strong analytical skills, combined with soft skills such as communication and critical
thinking competencies, are necessary for professional roles in cybersecurity and cyber
law.

Other essential skills for those seeking careers related to cybersecurity and cyber law
include competency with security tools and knowledge of security analysis, project
management, and data analytics.

• Security Tools: Security tools help organizations prevent and defend against
  cyber crime, enabling a quick recovery from damages related to a cyber attack.
  For example, a security information management tool can enhance visibility
  across a network’s infrastructure, while providing details of specific cyber
  incidents.

• Security Analysis: Understanding how security tools fit into the cyber risk
  management strategy of an organization is essential. In addition to addressing
  known threats, identifying and analyzing risks is important to minimize
  successful cyber attacks.

• Project Management: Adding new tools and software to the IT infrastructure
  creates more management complexity. While security experts determine the best
  antivirus, spam filtering, and other security tools, project management directs
  their successful integration and acceptance throughout the organization.

• Data Analytics: While security tools provide vital data to identify and mitigate
  cyber threats, data without insight delivers little benefit. Data analytics help
  security professionals to decipher collected data to identify new and emerging
  threats and determine effective countermeasures.

System Security Control and Audit

System Security
System security refers to protecting the system from theft, unauthorized access and
modifications, and accidental or unintentional damage. In computerized systems,
security involves protecting all the parts of the computer system, which includes
data, software, and hardware. Systems security includes system privacy and system
integrity.
• System privacy deals with protecting individuals’ systems from being accessed
  and used without the permission/knowledge of the concerned individuals.
• System integrity is concerned with the quality and reliability of raw as well
  as processed data in the system.

System Audit
It is an investigation to review the performance of an operational system. The
objectives of conducting a system audit are as follows −
• To compare actual and planned performance.
• To verify that the stated objectives of the system are still valid in the
  current environment.
• To evaluate the achievement of stated objectives.
• To ensure the reliability of computer-based financial and other information.
• To ensure all records are included while processing.
• To ensure protection from frauds.
Audit of Computer System Usage
Data processing auditors audit the usage of the computer system in order to
control it. The auditor needs control data, which is obtained by the computer
system itself.

The System Auditor

The role of the auditor begins at the initial stage of system development so
that the resulting system is secure. It describes an idea of the utilization of
the system that can be recorded, which helps in load planning and deciding on
hardware and software specifications. It gives an indication of wise use of the
computer system and possible misuse of the system.

Audit Trail
An audit trail or audit log is a security record which consists of who has
accessed a computer system and what operations were performed during a given
period of time. Audit trails are used to do detailed tracing of how data on the
system has changed.
It provides documentary evidence of the various control techniques that a
transaction is subject to during its processing. Audit trails do not exist
independently. They are carried out as a part of accounting for recovering lost
transactions.

Audit Methods
Auditing can be done in two different ways −

Auditing around the Computer

• Take sample inputs and manually apply processing rules.
• Compare outputs with computer outputs.

Auditing through the Computer

• Establish an audit trail which allows examining selected intermediate results.
• Control totals provide intermediate checks.
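The audit trail described above and the "auditing through the computer" method, shown together in one added example that is not part of the original notes: a constructed in-memory ledger whose every change is appended to an audit trail (who, what, which record, when), with a control total checked around each batch and a replay of the trail used to detect balances that were changed behind the trail's back.

```python
"""Audit trail with control totals (added illustration, not code from the notes).
Assumes a constructed in-memory ledger of account balances; all accounts,
users and amounts below are sample values."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class AuditEntry:
    """One immutable audit-trail record."""
    seq: int          # position in the trail; a gap would indicate a deleted entry
    timestamp: str    # ISO 8601 UTC time of the operation
    user: str         # who performed the operation
    operation: str    # "credit" or "debit"
    record: str       # which account was touched
    old_value: int
    new_value: int


class Ledger:
    """Account balances plus an append-only audit trail of every change."""

    def __init__(self) -> None:
        self.balances: Dict[str, int] = {}
        self.trail: List[AuditEntry] = []

    def apply(self, user: str, operation: str, record: str, amount: int,
              when: Optional[datetime] = None) -> AuditEntry:
        """Change one balance, writing the trail entry before the state changes."""
        old = self.balances.get(record, 0)
        if operation == "credit":
            new = old + amount
        elif operation == "debit":
            new = old - amount
        else:
            raise ValueError(f"unknown operation {operation!r}")
        stamp = (when or datetime.now(timezone.utc)).isoformat()
        entry = AuditEntry(len(self.trail) + 1, stamp, user, operation,
                           record, old, new)
        self.trail.append(entry)
        self.balances[record] = new
        return entry

    def history(self, record: str, start: datetime,
                end: datetime) -> List[AuditEntry]:
        """Trace how one record changed during a given period."""
        lo, hi = start.isoformat(), end.isoformat()
        return [e for e in self.trail
                if e.record == record and lo <= e.timestamp <= hi]

    def control_total(self) -> int:
        """Control total: the sum of all balances, compared at checkpoints."""
        return sum(self.balances.values())

    def replay(self) -> Dict[str, int]:
        """Rebuild the balances from the trail alone, checking each step chains."""
        rebuilt: Dict[str, int] = {}
        for e in self.trail:
            if rebuilt.get(e.record, 0) != e.old_value:
                raise ValueError(f"trail inconsistent at seq {e.seq}")
            rebuilt[e.record] = e.new_value
        return rebuilt

    def verify(self) -> bool:
        """Detective check: live balances must match what the trail accounts for."""
        return self.replay() == self.balances


def transfer_batch(ledger: Ledger, user: str,
                   transfers: List[Tuple[str, str, int]],
                   when: datetime) -> bool:
    """Apply a batch of transfers with a control-total check around it: a transfer
    only moves value between accounts, so the total must not change."""
    before = ledger.control_total()
    for src, dst, amount in transfers:
        ledger.apply(user, "debit", src, amount, when)
        ledger.apply(user, "credit", dst, amount, when)
    return ledger.control_total() == before


def demo() -> Tuple[bool, int, bool]:
    """Constructed sample activity; returns (batch balanced, number of changes to
    acct-B on day one, whether the ledger still verifies after a direct edit)."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    t1 = datetime(2024, 1, 1, 10, 0, tzinfo=timezone.utc)
    t2 = datetime(2024, 1, 2, 9, 0, tzinfo=timezone.utc)
    ledger = Ledger()
    ledger.apply("alice", "credit", "acct-A", 1000, t0)   # opening deposits
    ledger.apply("alice", "credit", "acct-B", 500, t0)
    balanced = transfer_batch(ledger, "bob", [("acct-A", "acct-B", 200)], t1)
    ledger.apply("carol", "debit", "acct-B", 50, t2)
    day_one = len(ledger.history("acct-B", t0, t1))
    ledger.balances["acct-B"] += 999   # a direct edit that bypassed the trail
    return balanced, day_one, ledger.verify()
```

`demo()` returns `(True, 2, False)`: the transfer batch balances, acct-B shows two changes on day one, and the edit made without a trail entry is caught by replaying the trail.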

Audit Considerations
Audit considerations examine the results of the analysis by using both the narratives
and models to identify the problems caused due to misplaced functions, split
processes or functions, broken data flows, missing data, redundant or incomplete
processing, and unaddressed automation opportunities.
The activities under this phase are as follows −

• Identification of the current environment problems
• Identification of problem causes
• Identification of alternative solutions
• Evaluation and feasibility analysis of each solution
• Selection and recommendation of the most practical and appropriate solution
• Project cost estimation and cost-benefit analysis

Control Measures
There are a variety of control measures which can be broadly classified as follows −

Backup

• Regular backup of databases daily/weekly depending on the time criticality
  and size.
• Incremental backup at shorter intervals.
• Backup copies kept in a safe remote location, particularly necessary for
  disaster recovery.
• Duplicate systems run and all transactions mirrored if it is a very critical
  system and cannot tolerate any disruption before storing to disk.

Physical Access Control to Facilities

• Physical locks and biometric authentication, for example fingerprint.
• ID cards or entry passes being checked by security staff.
• Identification of all persons who read or modify data, and logging it in a file.

Using Logical or Software Control

• Password system.
• Encrypting sensitive data/programs.
• Training employees on data care/handling and security.
• Antivirus software and firewall protection while connected to the internet.

Risk Analysis
A risk is the possibility of losing something of value. Risk analysis starts with
planning for a secure system by identifying the vulnerability of the system and the
impact of this. A plan is then made to manage the risk and cope with disaster. It is
done to assess the probability of possible disasters and their cost.
Risk analysis is teamwork among experts with different backgrounds such as
chemicals, human error, and process equipment.
The following steps are to be followed while conducting risk analysis −
• Identification of all the components of the computer system.
• Identification of all the threats and hazards that each of the components
  faces.
• Quantify risks, i.e. assessment of loss in the case threats become reality.

Risk Analysis – Main Steps

As the risks or threats are changing and the potential losses are also changing,
management of risk should be performed on a periodic basis by senior managers.

Risk management is a continuous process and it involves the following steps −

• Identification of security measures.
• Calculation of the cost of implementation of security measures.
• Comparison of the cost of security measures with the loss and probability of
  threats.
• Selection and implementation of security measures.
• Review of the implementation of security measures.
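The risk analysis steps and the risk management steps above, carried through in one added example that is not from the original notes: risks are quantified as probability times loss, each candidate security measure is costed, its cost is compared with the loss it averts, and measures are selected against the residual exposure so that two measures covering the same threat are not both credited with the full loss. The components, threats, probabilities, losses and measures are constructed sample values.

```python
"""Risk analysis and risk management steps (added illustration, not from the
notes). All figures below are constructed sample values, not real data."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

RiskKey = Tuple[str, str]   # (component, threat name)


@dataclass(frozen=True)
class Threat:
    component: str
    name: str
    probability: float   # annual probability that the threat becomes reality
    loss: float          # loss if it does, in currency units


@dataclass(frozen=True)
class Measure:
    name: str
    cost: float                     # annual cost of implementation
    reduces: Dict[RiskKey, float]   # risk -> fraction of exposure that remains


def expected_loss(threats: List[Threat]) -> Dict[RiskKey, float]:
    """Quantify each risk: the loss expected if the threat becomes reality."""
    return {(t.component, t.name): t.probability * t.loss for t in threats}


def averted_loss(measure: Measure, exposure: Dict[RiskKey, float]) -> float:
    """Loss a measure averts against the given (still unmitigated) exposure."""
    return sum(exposure[key] * (1.0 - remaining)
               for key, remaining in measure.reduces.items() if key in exposure)


def select_measures(threats: List[Threat], measures: List[Measure]
                    ) -> Tuple[List[Tuple[str, float, float]], float]:
    """Compare each measure's cost with the loss it averts and pick the winners.

    Measures are chosen one at a time against the residual exposure, so two
    measures that address the same risk are not both credited with the full loss.
    Returns the chosen (name, cost, averted) triples and the remaining exposure.
    """
    residual = expected_loss(threats)
    remaining = list(measures)
    chosen: List[Tuple[str, float, float]] = []
    while remaining:
        best = max(remaining, key=lambda m: averted_loss(m, residual) - m.cost)
        averted = averted_loss(best, residual)
        if averted <= best.cost:        # nothing left that pays for itself
            break
        chosen.append((best.name, best.cost, round(averted, 2)))
        for key, factor in best.reduces.items():
            if key in residual:
                residual[key] *= factor
        remaining.remove(best)
    return chosen, round(sum(residual.values()), 2)


# Constructed sample register: components, the threats each faces, and the
# candidate security measures with their implementation cost.
SAMPLE_THREATS = [
    Threat("web server", "DoS attack", 0.30, 20_000),
    Threat("web server", "malware infection", 0.20, 15_000),
    Threat("database", "data theft", 0.05, 200_000),
    Threat("database", "disk failure", 0.10, 50_000),
    Threat("office network", "phishing", 0.40, 10_000),
]

SAMPLE_MEASURES = [
    Measure("offsite backups", 3_000, {("database", "disk failure"): 0.1}),
    Measure("database encryption", 4_000, {("database", "data theft"): 0.2}),
    Measure("security awareness training", 1_500,
            {("office network", "phishing"): 0.5,
             ("web server", "malware infection"): 0.7}),
    Measure("antivirus upgrade", 1_000,
            {("web server", "malware infection"): 0.4}),
    Measure("DDoS mitigation service", 8_000, {("web server", "DoS attack"): 0.1}),
]


def run_sample() -> Tuple[List[Tuple[str, float, float]], float]:
    """Run the analysis and selection steps over the sample register."""
    return select_measures(SAMPLE_THREATS, SAMPLE_MEASURES)


if __name__ == "__main__":
    chosen, left = run_sample()
    for name, cost, averted in chosen:
        print(f"{name:30s} cost {cost:8.0f}  averts {averted:8.0f}")
    print("residual expected loss:", left)
```

On the sample register the total expected loss is 28,000; four measures pay for themselves (the DDoS service costs more than the 5,400 it would avert) and the residual expected loss after them is 11,340, which is the figure the periodic review step would re-examine as probabilities change.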
