Risk Management Guide for Information Technology Systems (NIST Guide), Study Guides, Projects, Research of Computer Security

Security assignment, BTEC and others

Typology: Study Guides, Projects, Research

2021/2022

Uploaded on 05/17/2022

rahimjonov-muhammadamin
3 Task
3.1 Risk management procedure for EMC Cyber solutions to safeguard itself and its clients
3.1.1 Risk Assessment
Risk assessment is the process of identifying potential hazards and analyzing what might happen if a hazard occurs. Business Impact Analysis (BIA) is the process of identifying potential impacts resulting from the disruption of time-sensitive or critical business processes. (ready.gov, 2021)
3.1.2 Risk Assessment Framework (RAF)
A risk assessment framework (RAF) is an approach to prioritize and communicate the security risks posed by an information technology organization. The information should be presented in a way that can be understood by both technical and non-technical personnel. The RAF helps organizations identify and detect low- and high-risk areas in the system that may be vulnerable to abuse or attack. (techopedia, 2017)
Types of Risk Assessment Framework
1. Risk management guide for information technology systems (NIST guide) from the National Standards Institute.
2. Operationally Critical Threats, Assets, and Vulnerabilities Assessment (OCTAVE) of the IT Emergency Preparedness Team.
3. Control Objectives for Information Technology and Related Information Technology (COBIT) of the Information Systems Audit and Control Association.
3.1.3 Five components of RMF
There are at least five key components to consider when creating a risk management framework. These include risk identification; measuring and assessing risks; risk reduction; reporting and monitoring of risks; and risk management.
1. Risk identification
The first step in identifying the risks a company faces is to determine the full range of risks it could encounter. This range is simply a list of all possible risks. Examples include IT risk, operational risk, regulatory risk, legal risk, political risk, strategic risk, and credit risk. After listing all possible risks, the company can select the risks it actually faces and divide them into main risks and non-essential risks. The main risks are those the company must take to achieve results and ensure long-term growth. Non-essential risks are often unnecessary and can be minimized or completely eliminated.
2. Measuring risk
Risk measurement provides information on the size of a specific exposure, or of exposure in general, and on the probability of losses resulting from those exposures. When measuring exposure to a particular risk, it is important to consider the effect that risk has on the organization's overall risk profile.
Some risks provide multiple benefits, while others do not. Another important consideration is the ability to measure exposure. Some risks are easier to measure than others. For example, you can use observable market prices to measure market risk, but measuring operational risk is considered both an art and a science.

A specific risk measure usually describes the effect on profit and loss (P/L) that can be expected from a small change in that risk. Such measures can also provide information about the degree of volatility in the P/L. For example, the risk of investing in stocks can be measured as the effect on gains and losses of a 1-unit change in the S&P 500 Index, or as the standard deviation of a particular stock. Common comprehensive risk measures include value at risk (VaR), earnings at risk (EaR) and economic capital. In addition to these measures, techniques such as scenario analysis and stress testing can also be used.

  3. Risk reduction
Once risks are classified and measured, the company can decide which risks should be eliminated or minimized and how many major risks should be retained. Risks can be mitigated by directly selling assets or liabilities, purchasing insurance, and using derivatives for hedging or diversification purposes.
  4. Risk reporting and monitoring
It is important to regularly report on specific and comprehensive risk measures to keep the level of risk at an optimal level. Financial institutions that trade daily will generate daily risk reports. Other organizations may require less frequent reporting. A risk report should be sent to risk personnel who have the authority to adjust (or instruct others to adjust) risk exposure.
  5. Management of risks
Risk management is the process of ensuring that all employees of the company perform their duties in accordance with the risk management system. Risk management includes defining the roles of all employees, segregating duties, and delegating authority to individuals, committees and boards of directors to approve key risks, risk limits, exceptions and risk reports, and overall oversight.

3.1.4 Importance of Risk Assessment Framework
  - To conduct a risk assessment, participants (stakeholders, business owners, etc.) must specifically identify information assets and their value to the organization, such as their marketing value or, where personal information is protected, their integrity value.
  - Stakeholders will be informed about the risks their organizations are exposed to and whether the current measures are sufficient.
  - Participants within the organization become more aware of risks and learn to defend themselves and avoid actions that could put the organization at greater risk.
  - Conducting an assessment ensures that an effective and meaningful risk awareness training program is developed for employees, including managers.
  - An organization can establish risk tolerance standards based on a better knowledge of its assets, security best practices, and the legal and regulatory requirements for its industry. (theruntime, 2019)

3.1.5 Procedures of Risk Assessment
Responsibilities of Core Team Members
Project Manager
The responsibilities of the project manager vary from organization to organization. Sometimes, they may even change according to the needs of the project. But across the company, most project managers handle some core responsibilities.
Risk Officer

3.1.6 Comment on IT Security & Organizational Policy
3.1.6.1 IT Security Audit
An IT security audit is a comprehensive study and assessment of your company's information security system. Regular audits can help you identify weaknesses and vulnerabilities in your IT infrastructure, validate security controls, ensure regulatory compliance, and more. (Tierney, 2020)
Process of IT Security Audit

  1. Define goals. Before conducting an IT security audit, determine the goals the audit team intends to achieve. Be sure to articulate the business value of each goal so that specific audit goals align with your company's broader goals. Use this list of questions as a starting point to brainstorm and refine your own list of audit objectives.
     - Which systems and services do you want to test and evaluate?
     - Do you want to audit your digital IT infrastructure, physical equipment and facilities, or both?
     - Is disaster recovery on your watch list? What are the specific risks?
     - Is an audit necessary to prove compliance with specific regulations?
  2. Plan the audit. Thoughtful and well-organized planning is critical to the success of IT security audits. You need to define the roles and responsibilities of the management team and the IT system administrators assigned to perform audit tasks, as well as the process schedule and methods. Identify the data classification, reporting, and tracking tools that the team will use, and any logistical challenges you may encounter, such as taking systems offline for evaluation. Once you have decided on all the details, record and distribute the plan to ensure that everyone has a common understanding of the process before starting the review.
  3. Perform audit work. The project team should conduct the audit in accordance with the plans and methods agreed during the planning stage. This usually involves scanning IT resources (such as file sharing services, database servers, and SaaS applications such as Office 365) to assess network security, data access levels, user access permissions, and other system settings. As part of the disaster recovery assessment, it is also recommended to conduct a physical inspection of the data center to check its protection against fire, flood, and power surges. In the process, interview employees outside the IT department to assess their knowledge of security issues and their compliance with company security policies, so that any gaps in your company's security procedures can be resolved in the future. Be sure to record any findings during the audit.
  4. Report the results. Compile all audit-related documents into a formal report, which can be shared with management stakeholders or regulatory agencies. The report should include a list of security threats and vulnerabilities found on your systems, as well as the mitigation measures recommended by IT personnel.
  5. Take the necessary actions. Finally, follow the guidelines listed in the audit report. Examples of actions to improve security may include:
     - Correct specific security vulnerabilities or weaknesses in accordance with remedial procedures.

     - Train employees on security requirements and security awareness.
     - Implement additional advanced methods to handle sensitive data and to identify signs of malware and phishing attacks.
     - Acquire new technologies to strengthen existing systems and regularly monitor your infrastructure for security threats. (Tierney, 2020)

Types of IT Security
  - Network security: Network security is used to prevent unauthorized or malicious users from entering your network. This ensures that usability, reliability, and integrity are not compromised. This type of security is required to prevent an attacker from accessing data on the network. It also prevents them from negatively impacting your users' ability to access or use the network. Network security is becoming an increasingly complex challenge as companies expand the number of endpoints and migrate services to the public cloud.
  - Internet security: Internet security includes the protection of information sent and received in browsers, as well as network security involving web applications. These protections are designed to monitor incoming Internet traffic for malware and unwanted traffic. This protection can take the form of firewalls, malware and spyware protection.
  - Endpoint security: Endpoint security provides protection at the device level. Devices that can be protected with endpoint security include cell phones, tablets, laptops, and desktop computers. Endpoint security will prevent your devices from accessing malicious networks that could pose a threat to your organization. Advanced malware protection and device management software are examples of endpoint security.
  - Cloud security: Apps, data, and identities are moving to the cloud, which means users connect directly to the Internet and are not protected by a traditional security stack. Cloud security can help protect the use of software as a service (SaaS) and public cloud applications. Cloud Access Security Broker (CASB), Secure Internet Gateway (SIG) and Cloud Unified Threat Management (UTM) can be used for cloud security.
  - Application security: With application security, applications are specifically coded at creation time to be as secure as possible, to ensure that they are not vulnerable to attacks. This additional layer of security includes assessing the application code and identifying vulnerabilities that may exist in the software. (cisco, 2021)

3.1.7 Organizational Policy
A policy is a set of general guidelines that describe an organization's plan to address a problem. Policies communicate the relationship between the vision and values of an organization and its day-to-day operations. (i-sight, 2021)

3.1.8 Advantages of IT Security Audit

  1. Measure the flow of data in your business. Data is one of the core assets of any organization and needs the highest security controls. IT security auditors review the types of information an organization holds, how data flows within the organization, and who has the right to access that information. All technologies and methods associated with its data protection standards are scrutinized to ensure that data is not lost, stolen, misused or corrupted. Otherwise, the organization may risk litigation with clients or other affected parties. The audit team can also lay the foundation for any necessary changes or compliance work in this area.

them question the misuse of the data and seek remedies. The Act is enforced by the Information Commissioner (the "Commissioner"). The Act stipulates that any individual or organization holding personal data on a computer or in certain manual filing systems (or processing such information on a computer) is obliged to comply with the eight data protection principles and to notify the Commissioner of the processing that will take place. Failure to notify is a criminal offence. However, there are many exemptions from the notification requirements of the Act for individuals and organizations that only use personal data on a limited basis. The Commissioner has developed a self-assessment guide to determine whether notification is required. Remedies for misuse of personal data include compensation where individuals suffer damage, the correction or destruction of inaccurate data, and the right to ask the Commissioner to assess whether the Act has been breached.

Principles of Data Protection Act (DPA) 1998
Having seen the changes from the DPA 1998 to the legislation of 2018, it is worth noting that the following seven principles are intended to form the basis on which organizations establish all their data protection practices. As of 2020, all organizations that process personal data must understand and comply with these increasingly common data protection principles.

  1. Lawful, fair and transparent
In addition to continuing the data protection standards/principles of lawfulness and fairness, this new standard also aims to allow users to understand the contents of the record when personal data is transferred. This principle requires organizations to use "clear and precise" language for content agreed with stakeholders, helping to ensure data rights and legal protection.
  2. Purpose limitation
This principle states that personal data collected for specific, previously established and understandable purposes should not be used for other applications. While the GDPR states that this purpose limitation principle does not conflict with processing based on public interest, scientific or statistical purposes or historical research, it limits the scope of an organization's "multipurpose" use of personal data.
  3. Data minimization
To ensure that the amount of data collected and/or processed is adequate, relevant and limited to its intended purpose, the principle of data minimization restricts any organization from accumulating data without clear reasons.
  4. Accuracy
This is not a major step forward in data protection, as it already appeared in DPA 1998. This principle makes organizations responsible for updating or removing inaccurate information.
  5. Storage limitation
As with the 'retention' principle above, storage limitation prevents organizations from storing data indefinitely or beyond its intended purpose. Likewise, organizations may retain personal data for the public interest, archival, scientific or historical research or for statistical purposes, but these reasons must be reasonable and documented.
  6. Integrity and confidentiality
Formerly known as the "security" principle, the integrity and confidentiality of personal data must be maintained with appropriate security measures. As with many other principles, implementing physical and technical controls to ensure compliance is an inherent responsibility.
  7. Accountability

Since there was no equivalent principle in DPA 1998, the accountability principle is new: it requires organizations to be accountable for the personal data they process and for their compliance with the other six principles. Appropriate records must be kept and actions taken to demonstrate compliance. (hutsix, 2021)

3.2.1.2 Data Protection Act 2018
The current version of the Data Protection Act was introduced in May

  1. One of the main features of DPA 2018 was the incorporation of the standards set out in the GDPR into UK law. However, DPA 2018 also introduced some additional changes that were not covered by the GDPR, mainly in areas over which the EU has no authority (such as immigration and security). (sumup,

Principles of Data Protection Act 2018

  1. Lawful, fair and transparent processing
This principle emphasizes transparency about how and why data is collected. You must identify a legal basis in accordance with the GDPR (there are six of them) for the collection and use of personal data. You must ensure that you do not violate other laws during processing. Personal data must be used fairly, and you must be honest and open with people about the use of their data.
  2. Purpose limitation
This principle emphasizes the need for organizations to have a clear understanding of their processing purposes from the outset. You need to clearly understand what your processing purposes are, and they should be recorded as part of your documentation obligations (accountability principle). You can no longer collect unnecessary information; you must have a purpose. If a new processing purpose arises, the data can only be used for it if it is compatible with the original purpose, if you have obtained consent, or if it has a clear basis in law.
  3. Data minimization
This principle emphasizes the need for organizations to minimize the data they collect. All data collected must have a specific purpose. This principle is designed with today's digital landscape in mind, in which almost all imaginable data can be collected in one way or another. To be GDPR compliant, organizations should store only the minimum amount of data they need. You must ensure that the personal data you process is:
     - Adequate: sufficient to properly achieve the stated purpose.
     - Relevant: has a rational link to that purpose.
     - Limited to what is necessary: you hold no more than is needed for that purpose.
  4. Accurate and up-to-date processing
This principle requires organizations to ensure that the information they hold is accurate and up to date. Its use is only permitted while it remains accurate and up to date. You must take all reasonable steps to ensure that the personal information you hold is in no way incorrect or misleading. If you find that personal information is incorrect or misleading, you should take all reasonable steps to correct or delete it as soon as possible.
  5. Storage limitation
This principle emphasizes the need for organizations not to store data for longer than is necessary. Personal data is kept in a form that allows the identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed. Even if you collect and use it lawfully, you cannot keep it longer than you really need to. The GDPR does not set specific time limits for

Principles of Personal Data Protection Act 2012
The PDPA imposes the following data protection obligations on organizations in relation to their data operations:

  1. Consent Obligation: An organization must obtain an individual's consent before collecting, using, or disclosing their personal data for specific purposes (Sections 13-17 of the PDPA).
  2. Purpose Limitation Obligation: An organization may collect, use, or disclose personal data only for purposes that a reasonable person would consider appropriate in the circumstances (Section 18 of the PDPA).
  3. Notification Obligation: An organization must notify an individual of the purposes for which it intends to collect, use or disclose their personal data on or before such collection, use or disclosure, and may collect, use and disclose personal data only for such purposes (Sections 18 and 20 of the PDPA).
  4. Access and Correction Obligation: An organization must, upon request, allow an individual to access and/or correct their personal data in its possession or control. In addition, the organization is required to provide the individual with information on how the personal data may have been used or disclosed during the past year (Sections 21 and 22 of the PDPA).
  5. Accuracy Obligation: An organization must make reasonable efforts to ensure the accuracy and completeness of the personal data it collects if it may use such personal data to make decisions that affect the individual concerned, or disclose such personal data to another organization (Section 23 of the PDPA).
  6. Protection Obligation: An organization must protect personal data in its possession or control by adopting reasonable security measures to prevent (a) unauthorized access, collection, use, disclosure, copying, modification, deletion or similar risks and (b) loss of any storage medium or device on which personal data is stored (Section 24 of the PDPA).
  7. Retention Limitation Obligation: An organization should cease retaining documents containing personal data, or remove the means by which personal data can be associated with specific individuals, as soon as it is reasonable to assume that retention no longer serves the purpose for which the personal data was collected and is no longer required for legal or business purposes (Section 25 of the PDPA).
  8. Transfer Limitation Obligation: An organization must not transfer personal data to a country or territory outside Singapore except in accordance with the requirements prescribed under the PDPA, so as to ensure that the transferred personal data is given a standard of protection comparable to the PDPA standard (Section 26 of the PDPA).
  9. Accountability Obligation: An organization must appoint a PDPA compliance officer, commonly referred to as a Data Protection Officer (DPO), and develop and implement the policies and practices necessary to fulfil its obligations under the PDPA, including a complaint-handling process. In addition, the organization is required to communicate these policies and practices to its staff and to provide information about them to those who request it (Sections 11 and 12 of the PDPA).
  10. Data Breach Notification Obligation: An organization must assess data breaches that have occurred in respect of personal data in its possession or control, and must notify the PDPC as well as the affected individuals when certain data breaches (notifiable data breaches) occur (Sections 26A-26E of the PDPA). (dataguidance,

3.2.4 ISO 31000 Risk Management Methodology
The long-term success of an organization depends on many factors, from continually evaluating and updating its offering to optimizing processes. As if that were not enough, organizations must also take contingencies into account when managing risk. That is why ISO developed ISO 31000 for risk management. In addition to ensuring business continuity, ISO 31000 provides a level of confidence in terms of economic sustainability, professional reputation, and environmental and safety performance. In a world of uncertainty, ISO 31000 is designed for any organization that wants clear guidance on risk management. (iso, 2021)

How can organizations become ISO 31000 certified?
ISO 31000 "Risk management - Guiding principles" contains the principles, framework and process of risk management. Any organization can use it, regardless of its size, activity or sector. Using ISO 31000 can help organizations increase the likelihood of achieving objectives, improve the identification of opportunities and threats, and effectively allocate and use resources to address risks. However, ISO 31000 cannot be used for certification purposes; rather, it provides guidance for internal or external audit programs. Organizations that use it can benchmark their risk management practices against an internationally recognized standard, ensuring that sound principles of risk management and corporate governance are applied. (iso, 2021)

ISO 31000 Risk Management Process

  1. Identifying risks: identifying what might prevent us from achieving our goals.
  2. Risk analysis: understanding the sources and causes of the identified risks; examining the likelihood and consequences, taking into account existing controls, to determine the level of remaining (residual) risk.
  3. Risk evaluation: comparing the results of the risk analysis with the risk criteria to determine whether the residual risk is acceptable.
  4. Risk treatment: changing the magnitude and probability of both positive and negative outcomes to achieve a net increase in benefit.
  5. Establishing the context: not included in previous definitions of the risk management process, this activity consists of defining the scope of the risk management process, defining the organization's objectives, and establishing the risk assessment criteria. Context includes both external elements (regulatory environment, market conditions, and stakeholder expectations) and internal elements (management, culture, organizational norms and rules, opportunities, existing contracts, employee expectations, information systems, etc.).
  6. Monitoring and review: this task measures the effectiveness of risk management against indicators, which are reviewed periodically to verify their suitability. It includes checking for deviations from the risk management plan; checking that the structure, policy and plan for risk management remain appropriate given the internal and external context of the organization; reporting on risks, on progress against the risk management plan and on how well the risk management policy is being followed; and monitoring and reviewing the effectiveness of the risk management framework.