An in-depth understanding of data protection processes and regulations, focusing on risk assessments. It covers the definition of data protection, the importance of data protection regulations, and the steps involved in risk assessment. The document also discusses the concept of data protection in relation to an organization's availability and management of data.
Typology: Study notes
a) Security risk

Security risk encompasses the consequences that could arise from the risks and weaknesses associated with the operation and use of information systems, and from the environments in which such systems function, for an entity and its stakeholders. In terms of the types of effect that may follow from a security-related event, security risk overlaps with many other types of risk. Factors attributed to other risk categories, including strategic, budgetary, program management, investment, political, legal, supply chain, and enforcement risk, also affect it. Financial losses, loss of privacy, reputational damage, legal consequences, and even loss of life are examples of the consequences of security risk.

b) Risk assessment

A Security Risk Assessment (SRA) is an assessment that identifies the risks in your company, your technology, and your processes in order to verify that security threats are covered by the controls in place. Compliance standards, such as the PCI-DSS requirements for payment card authentication, usually include security risk assessments. They are mandated by the AICPA as part of a SOC 2 audit for service organizations, and they are also criteria for ISO 27001, HITRUST CSF and HIPAA compliance, to name a few. Because of this, security risk assessments go by several names: a risk assessment, an IT infrastructure risk assessment, a security risk audit, or a security audit.

Security risk assessments are carried out to locate risk areas, and are performed by a security assessor who can analyze all aspects of the business processes. The risks found may be as basic as a device protected by a weak password, or more complicated problems such as insecure business processes. The assessor will typically review everything from HR policies to firewall configurations while working to identify potential risks.

Figure 1: What is risk?

Risk assessment procedures are audit procedures carried out in order to gain an understanding of the organization and its environment, including the entity's internal control, so as to recognize and determine the risks of material misstatement, whether due to fraud or error, at the level of the financial statements and at the level of the related assertions. The risk assessment is divided into 5 steps:

1st step: Identify the hazards
2nd step: Decide who might be harmed and how
3rd step: Assess the risks and take action
4th step: Make a record of the findings
5th step: Review the risk assessment

Figure 3: Asset and threat identification

2.1. Asset and threat:

a) Definition of asset: An asset is any data, system, or other component of the environment that supports information-related activities in information protection, computer security, and network security. Hardware (e.g. servers and switches), software (e.g. mission-critical applications and support systems) and sensitive information are usually counted among an organization's assets. Assets should be protected against unauthorized entry, use, disclosure, modification, damage and/or theft, any of which results in a loss to the organization.

b) Definition of threat: A security threat is a possible negative action or event, facilitated by a weakness in computer security, that results in an unintended effect on a computer system or application. A threat can be either an "intentional" negative event (e.g. hacking by an individual cracker or a criminal organization), an "accidental" negative event (e.g. the possibility of a computer failure, or of a natural disaster such as an earthquake, a fire, or a tornado), or otherwise a condition, capability, action, or event. This is distinct from a threat actor, who is a person or group able to perform the action of the threat, such as leveraging a vulnerability to cause a negative effect.

2.2. Threat identification procedures:

Threat identification is a method of collecting data on possible threats that can assist management in identifying information security risks. Threat modeling is a systematic methodology that helps an organization to aggregate and measure possible threats. Institutions should consider using threat modeling to better understand the existence, frequency, and complexity of threats; to determine the institution's vulnerability to information security risks; and to apply this awareness to the institution's information security program. The identification of threats covers the sources of threats, their capabilities, and their objectives. It consists of the following actions:

Identify and assess threats.
Use threat knowledge to drive risk assessment and response.
Design policies that allow immediate and consequential threats to be dealt with expeditiously.