P5 - Discuss risk assessment procedures
Added on 2021-09-08
46 Pages15259 Words371 Views
Contents
I. Risk Assessment Procedures (P5): ............................................................................................................................ 5
1. Definition of risk and risk assessment: ................................................................................................................ 5
2. Asset and threat identification procedures: ........................................................................................................ 7
2.1. Asset and threat: ........................................................................................................................................... 7
2.2. Threat identification procedures: ................................................................................................................. 8
3. Risk assessment procedure: ................................................................................................................................ 8
4. Risk identification steps: .................................................................................................................................... 10
II. Data protection processes and regulations as applicable to an organization (P6): ............................................... 11
1. Definition of data protection: ............................................................................................................................ 11
2. Data protection processes with relations to organization: ............................................................................... 12
3. The importance of data protection regulation: ................................................................................................. 13
III. Design and implement a security policy for an organization (P7): ....................................................................... 16
1. Definition and discussion of security policy: ..................................................................................................... 16
2. Examples of security policies: ............................................................................................................................ 18
3. The elements of creating security policy: .......................................................................................................... 32
4. Steps to design a policy: .................................................................................................................................... 34
IV. Main components of an organizational disaster recovery plan, justifying the reasons for inclusion (P8): .......... 37
1. Business continuity: ........................................................................................................................................... 37
2. Components of recovery plan: .......................................................................................................................... 38
3. Disaster recovery process steps: ....................................................................................................................... 41
4. Some of the policies and procedures required for business continuity: ........................................................... 44
Figure 1: What is risk? ............................................................................................................................................. 4
Figure 2: IT risk assessment ..................................................................................................................................... 5
Figure 3: Asset and threat identification .................................................................................................................. 6
Figure 4: Data protection ...................................................................................................................................... 10
Figure 5: Data protection process .......................................................................................................................... 11
Figure 6: IT security policy ..................................................................................................................................... 14
Figure 7: Business Continuity Plan ......................................................................................................................... 30
Figure 8: Components of disaster recovery plan .................................................................................................... 33
Figure 9: BCP Lifecycle ........................................................................................................................................... 37
I. Risk AssessmentProcedures (P5):
1. Definition of risk and risk assessment:
a) Security risk
Security risk encompasses the consequences that could arise due to the risks and weaknesses associated with the
operation and use of information systems and the environments under which such systems function for an entity
and its stakeholders. In terms of the types of effect that may arise from the occurrence of a security-related
event, security risk overlaps with many other types of risk. Factors attributed to other risk categories, including
strategic, budgetary, program management, investment, political, legal, supply chain, and enforcement risk, also
affect it. Financial losses, loss of privacy, reputational damage, legal consequences, and even loss of life are
examples of risk.
b) Risk assessment
A Security Risk Assessment (or SRA) is an assessment that includes defining the risks in your company, your
technology, and your processes to verify that security threats are covered by controls in place. Compliance norms,
such as PCI-DSS requirements for payment card authentication, usually include security risk assessments. As part
of a SOC II audit for service organizations, they are mandated by the AICPA and are also, just to name a few,
criteria for ISO 27001, HITRUST CSF and HIPAA compliance. Because of this, security risk assessments can go by
several names, often referred to as a risk assessment, a risk assessment of IT infrastructure, a safety risk audit, or
a safety audit.
Security Risk Assessments are carried out in order to locate risk areas by a security assessor who can analyze all
aspects of the business processes. These may be as basic as a poor password-enabled device, or may be more
complicated problems, such as insecure business processes. The appraiser is going to typically review everything
from HR policies to firewall configurations while working to identify potential risks.
Figure 1: What is risk?
c) How does risk assessment work?
The depth of the risk assessment models is influenced by factors such as scale, growth rate, capital, and asset
portfolio. When facing budget or time constraints, organizations may carry out generalized evaluations.
Generalized evaluation; however, do not generally include comprehensive mapping of properties, related hazards,
defined risks, effects, and control mitigation.
A more in-depth evaluation is required if generalized evaluation results do not provide adequate correlation
between these areas.
Figure 2: IT risk assessment
d) Steps to risk assessment:
There are 5 steps to risk assessment that you have to know:
Just find the details of steps in this RISK ASSESSMENT PROCEDURE (P5) in the third title before the RISK
IDENTIFICATION STEPS
1st step: Identify hazards (Anything that may cause harm)
2nd step: Decide who might be harm and tell how
3rd step: Assess the risks and take actions
4th step: Make a record of the findings
5th step: Review risk assessment
2. Asset and threatidentification procedures:
Figure 3: Asset and threat identification
2.1. Asset and threat:
a) Definition of asset:
An asset is any data, system, or other component of the environment that supports information-related activities
in information protection, computer security, and network security. Hardware (e.g. servers and switches),
software (e.g. mission critical applications and support systems) and sensitive information are usually included in
the properties. Assets should be protected against unauthorized entry, use, disclosure, modification, damage
and/or theft, resulting in the organization's loss.
b) Definition of threat:
A security threat is a possible negative behavior or event facilitated by a weakness in computer security that
resulting in an unintended effect on a computer system or application.
A danger can be either a negative "intentional" event (i.e. hacking: a person cracker or a criminal organization) or
an "accidental" negative event (e.g. the possibility of a computer failure or the possibility of an event of a natural
disaster such as an earthquake, a fire, or a tornado) or a condition, ability, behavior, or event otherwise.
This is distinct from a threat actor who is a person or group that can perform the action of the threat, such as
leveraging a vulnerability to have a negative effect.
2.2. Threat identification procedures:
The method of identifying threats is a way of collecting data on possible threats that can assist management in
identifying information security risks. A systematic methodology that helps an organization to aggregate and
measure possible threats is threat modeling. Institutions should consider using threat modeling to better
understand the existence, frequency, and complexity of threats; determine the institution's vulnerability to
information security; and apply this awareness to the information security program of the institution.
The identification of threats involves the sources of threats, their capabilities, and their objectives. By giving
actions:
Identify and assess threats.
Use threat knowledge to drive risk assessment and response.
Design policies to allow immediate and consequential threats to be dealt with expeditiously.
3. Risk assessment procedure:
Risk assessment procedures are audit procedures carried out in order to gain an understanding of the
organization and its environment, including internal monitoring of the entity, to recognize and determine the risks
of material misrepresentation, whether due to fraud or mistake, at the level of the financial statements and at the
level of the related claim.
The Risk Assessment divides 5 steps:
1st step: Identify the hazards
End of preview
Want to access all the pages? Upload your documents or become a member.
Related Documents
IT Security Risk Assessmentlg...
|13
|2259
|16
Contingency Planning for Information Security and Policy Documents at Denisovan Medical Supplieslg...
|15
|4012
|245
Assessing Security Risks to Organisationlg...
|21
|5004
|59
IT Security in an Organization - Risk Assessment and Disaster Managementlg...
|14
|3006
|309
Disaster Recovery Poster Assignment 2022lg...
|1
|978
|43
Network Security Plan Template- cyber securitylg...
|3
|451
|2880