Unit 5- Security

Pearson Higher National Diploma in Computing

By the end of this unit students will be able to:
1. LO1. Assess risks to IT security

2. LO2. Describe IT security solutions

3. LO3. Review mechanisms to control organisational IT security

4. LO4. Manage organisational security.

LO1 : ASSESS RISKS TO IT SECURITY 2

Lecture 2:
LO1. Assess risks to IT security

LO1 : ASSESS RISKS TO IT SECURITY 3

LO1. Assess risks to IT security

Lec 2 – risk management

LO1 : ASSESS RISKS TO IT SECURITY 4

Risk Management
Risk Management
“Process of identifying and assessing risk, reducing it to an acceptable level,
and implementing the right mechanisms to maintain that level”.

“Process of identifying, controlling and minimizing or eliminating security

risks that may affect information systems, for an acceptable cost.” ---
assessment of risk and the implementation of procedures and practices
designed to control the level of risk

LO1 : ASSESS RISKS TO IT SECURITY 5

Risk Management Contd.
Risk assessment
“ Assessment of threats to, impact on and vulnerabilities of information and information
processing facilities and the likelihood of their occurrence.”---identification of the risk, analysis of
the risk in terms of performance, cost, and other quality factors; risk prioritization in terms of
exposure and leverage
Includes;
◦Risk identification---decision driver analysis, assumption analysis, decomposition
◦Risk analysis---cost models, network analysis, decision analysis, quality factor analysis
◦Risk prioritization---risk leverage, component risk reduction

Risk control
◦Risk management planning---risk avoidance, transfer, reduction, element planning, plan
integration
◦Risk resolution---Simulations, benchmarks, analysis, staffing
◦Risk monitoring---Top 10 tracking, risk assessment, corrective action

LO1 : ASSESS RISKS TO IT SECURITY 6

Risk Management Contd.
Risk analysis
A tool for risk management
It is a method of identifying vulnerabilities and threats and assessing the possible
damage to determine where to implement security safeguards.
Security can be quite complex and it is easy to apply too much security, not
enough security, or the wrong security components, and spend too much money in
the process without attaining the necessary objectives.
Risk analysis helps companies prioritise their risks and shows management the
amount of money that should be applied to protecting against those risks in a
sensible manner.

LO1 : ASSESS RISKS TO IT SECURITY 7

Risk Management Contd.
Steps of a Risk Analysis
Many methods and equations can be used when performing a quantitative risk analysis, and many different variables can be
inserted into the process. This section covers some of the main steps that should take place in every risk analysis.

Step 1: Assign Value to Assets: For each asset, answer the following questions to determine its value:
What is the value of this asset to the company?
How much does it cost to maintain?
How much does it make in profits for the company?
How much would it be worth to the competition?
How much would it cost to re-create or recover?
How much did it cost to acquire or develop?
How much liability do you face if the asset is compromised?

LO1 : ASSESS RISKS TO IT SECURITY 8

Risk Management Contd.
Steps of a Risk Analysis

Step 2: Estimate Potential Loss per Threat: To estimate potential losses posed by threats, answer the
following questions:
What physical damage could the threat cause and at what cost?
How much loss of productivity could the threat cause and how much would that cost?
What is the value lost if confidential information is disclosed?
What is the cost of recovering from this threat?
What is the value lost if critical devices were to fail?
What is the single loss expectancy (SLE) for each asset, and each threat?

This is just a small sample of questions that should be answered. The specific questions will depend upon
the types of threats uncovered.

LO1 : ASSESS RISKS TO IT SECURITY 9

Example - severity of current threats versus the
probability of them occurring

LO1 : ASSESS RISKS TO IT SECURITY 10

Risk Management Contd.
Steps of a Risk Analysis
Step 3: Perform a Threat Analysis: Take the following steps to perform a threat analysis:
Gather information about the likelihood of each threat taking place from people in each department. Examine past
records and official security resources that provide this type of data.
Calculate the annualized rate of occurrence (ARO), which is how many times the threat can take place in a 12-month
period.

Step 4: Derive the Overall Annual Loss Potential per Threat: To derive the overall loss potential per threat, do the
following:
•Combine potential loss and probability.
•Calculate the annualised loss expectancy (ALE) per threat by using the information calculated in the first three
steps.
•Choose remedial measures to counteract each threat.
•Carry out cost/benefit analysis on the identified countermeasures.

LO1 : ASSESS RISKS TO IT SECURITY 11

Risk Management Contd.
Step 5: Reduce, Transfer, Avoid, or Accept the Risk
For each risk, you can choose whether to reduce, transfer, or accept the risk:

Risk transfer Buy insurance to transfer some of the risk, for example.
Risk acceptance Live with the risks and spend no more money toward protection.
Risk avoidance Discontinue the activity that is causing the risk.

LO1 : ASSESS RISKS TO IT SECURITY 12

 Risk Management Contd.
Steps of a Risk Analysis
Step 5 Contd. : Reduce, Transfer, Avoid, or Accept the Risk

Risk reduction methods

Install security controls and components.
Improve procedures.
Alter the environment.
Provide early detection methods to catch the threat as it’s happening and reduce the possible damage it can
cause.
Produce a contingency plan of how business can continue if a specific threat takes place, reducing further damages
of the threat.
Erect barriers to the threat.
Carry out security-awareness training.
LO1 : ASSESS RISKS TO IT SECURITY 13
Risk Management Components
A Risk Management Policy aligned to the organisation’s General Risk Management policy
An established risk acceptance level provided by senior management
Documented risk assessment processes and procedures
Procedures for identifying and mitigating risks with the introduction of suitable controls
Appropriate resource and fund allocation from senior management
Contingency plans where assessments indicate they are necessary

LO1 : ASSESS RISKS TO IT SECURITY 14

Risk Management - Five Principles
◦ I. Assess risk and determine needs

◦ II. Establish a central management focus

◦ III. Implement appropriate policies and related controls

◦ IV Promote awareness

◦ V Monitor and evaluate policy and control effectiveness

LO1 : ASSESS RISKS TO IT SECURITY 15

Upcoming
Lecture 3: Organizational Security

LO1 : ASSESS RISKS TO IT SECURITY 16