Cosf 322 - 1


COURSE TITLE: COSF 322 Computer Security, Risk Management and Control
C.F: 3.0

Pre-requisites: COSF 313: Protocols and Systems for Internet and Web Security

Purpose of the course:


The aim of this course is to help the learner understand the fundamentals of IT security risk
management and control. It explores the threats and risks present in organizations due to the
pervasive use of technology, introduces the concepts of risk evaluation techniques, and identifies
security and control techniques. The course aims to give an overview of computer security and how
it impacts today's business. The key areas impacted will be identified along with the key threats.
The areas of computer security to be covered include: Information Security and Risk management,
Access Control, Physical Security, Security Architecture and Design, Application Security,
Operations Security, Legal, Regulations, Compliance and Investigations.

Expected Learning outcomes:


After successfully completing this course, students should be able to:
1. Understand various foundational concepts in computer security, risk management and
control.
2. Demonstrate practical skills in undertaking a security audit for computer installations.
3. Identify various types of attacks on information systems.
4. Design workable information security solutions to minimize risks within computer
installations.
5. Undertake a risk management exercise for computer installations.
6. Discuss the meaning of risk management and its importance to information system
security.

Week  Topic/s to be covered
1     Fundamentals of IT security risk management and control
2     Explore the threats and risks present in organizations due to the pervasive use of
      technology
3     Concepts of risk evaluation techniques: identify security and control techniques used
      to minimize threats and risk to the organization's network infrastructure
4     Selected topics: computer and information security, threat techniques, protective
      techniques
5     CAT 1
6     Contingency planning and incident response plan, password techniques
7     Risk analysis and security audit
8     Case studies: latest risks associated with cyber-attacks and cyber-crime activities
9     Botnet activities and threats
10    CAT 2
11    Presentation: research on network cyber-activities
12
13

Teaching and learning Strategy:

Lectures, Presentations by members of the class, Case discussions, Tutorials, Assignments,
Continuous assessment tests, Lab Practical, Library, appropriate software, manual/notes

Contact time: 45 hours based on: 3 hours a week during the course of a semester
Weekly Organization:
Lectures: 2 hours
Practical: 3 hours

Instructional Materials/Equipment:
Computer laboratory practical, Course text, Handouts, White board, Presentation slides, Journals
Arrangements for revision and private study:
All sessions will be supported electronically. Lab technicians/Lecturers will operate an
appointment system for student consultations.

Assessment Strategy:
Continuous Assessment Tests: 20%
Assignments 10%
Total Course work 30%
End-of-semester examination 70%
Total 100%

Texts Books and References:


1. Risk Management Framework: A Lab-Based Approach to Securing Information Systems
by James Broad (Aug 5, 2013) ISBN-10: 1597499951 | ISBN-13: 978-1597499958 |
Edition: 1
2. Risks, Controls, and Security: Concepts and Applications by Vasant Raval and Ashok
Fichadia (Jan 9, 2007) ISBN-10: 0471485799 | ISBN-13: 978-0471485797
3. Conflict Management for Security Professionals by Andrew A. Tufano (Nov 6, 2013)
ISBN-10: 0124171966 | ISBN-13: 978-0124171961 | Edition: 1
4. The Basics of Information Security: Understanding the Fundamentals of InfoSec in
Theory and Practice by Jason Andress (Jun 24, 2011) ISBN-10: 1597496537 | ISBN-13:
978-1597496537 | Edition: 1
5. Management of Information Security by Michael E. Whitman and Herbert J. Mattord
(Jan 19, 2010) ISBN-10: 1435488849 | ISBN-13: 978-1435488847 | Edition: 3

Journals

1. Lee, W., & Fan, W. (2001). Mining system audit data: opportunities and
challenges. ACM SIGMOD Record, 30(4), 35-44.
2. Smaha, S. E. (1988, December). Haystack: An intrusion detection system. In Aerospace
Computer Security Applications Conference, 1988., Fourth (pp. 37-44). IEEE.

Information Security Risk Management

Information security risk management, or ISRM, is the process of managing risks associated
with the use of information technology. It involves identifying, assessing, and treating risks
to the confidentiality, integrity, and availability of an organization’s assets.

The end goal of this process is to treat risks in accordance with an organization’s overall
risk tolerance. Businesses shouldn’t expect to eliminate all risks; rather, they should seek to
identify and achieve an acceptable risk level for their organization.

Stages of Information security risk management

1) Identification

Identify assets: Which data, systems, or other assets are the most critical to your
organization? For example, which assets would have the most significant impact on your
organization if their confidentiality, integrity or availability were compromised? It's not
hard to see why the confidentiality of data like social security numbers and intellectual
property is important. But what about integrity?

Identify vulnerabilities: What system-level or software vulnerabilities are putting the
confidentiality, integrity, and availability of the assets at risk? What weaknesses or
deficiencies in organizational processes could result in information being compromised?

Identify threats: What are some of the potential causes of assets or information becoming
compromised? For example, is your organization's data center located in a region where
environmental threats, like floods, are likely? Are industry peers being actively targeted and
hacked by a known crime syndicate group or government-sponsored entity? Threat modeling is an
important activity that helps add context by tying risks to known threats and the different
ways those threats can cause risks to become realized via exploiting vulnerabilities.

Identify controls: What do you already have in place to protect identified assets? A control
directly addresses an identified vulnerability or threat by either completely fixing it
(remediation) or lessening the likelihood and/or impact of a risk being realized (mitigation).
For example, if you’ve identified a risk of terminated users continuing to have access to a
specific application, then a control could be a process that automatically removes users from
that application upon their termination.

2) Protection – Asset Management

Once you have an awareness of your security risks, you can take steps to safeguard those assets.
This includes a variety of processes, from implementing security policies to installing
sophisticated software that provides advanced data risk management capabilities.

• Security awareness training of employees in the proper handling of confidential
information.
• Implement access controls so that only those who genuinely need information have
access.
• Define security controls required to minimize exposure from security incidents.
• For each identified risk, establish the corresponding business "owner" to obtain buy-in
for proposed controls and risk tolerance.
• Create an information security officer position with a centralized focus on data security
risk assessment and risk mitigation.

3) Implementation

Your implementation stage includes the adoption of formal policies and data security controls.
These controls will encompass a variety of approaches to data management risks:

• Review of identified security threats and existing controls
• Creation of new controls for threat detection and containment
• Select network security tools for analysis of actual and attempted threats
• Install and implement technology for alerts and capturing unauthorized access

4) Security Control Assessment

Both existing and new security controls adopted by your business should undergo regular
scrutiny.

• Validate that alerts are routed to the right resources for immediate action.
• Ensure that as applications are added or updated, there is a continuous data risk analysis.
• Network security measures should be tested regularly for effectiveness. If your
organization includes audit functions, have controls been reviewed and approved?
• Have data business owners (stakeholders) been interviewed to ensure risk management
solutions are acceptable? Are they appropriate for the associated vulnerability?

Risk = (threat x vulnerability (exploit likelihood x exploit impact) x asset value) - security controls

5) Information Security System Authorizations

Now that you have a comprehensive view of your critical data, defined the threats, and
established controls for your security management process, how do you ensure its effectiveness?

The authorization stage will help you make this determination:

• Are the right individuals notified of on-going threats? Is this done promptly?
• Review the alerts generated by your controls – emails, documents, graphs, etc. Who is
tracking response to warnings?

This authorization stage must examine not only who is informed, but what actions are taken, and
how quickly. When your data is at risk, the reaction time is essential to minimize data theft or
loss.

6) Treatment

Once a risk has been assessed and analyzed, an organization will need to select treatment
options:
Remediation: Implementing a control that fully or nearly fully fixes the underlying risk.

Example: You have identified a vulnerability on a server where critical assets are stored,
and you apply a patch for that vulnerability.

Mitigation: Lessening the likelihood and/or impact of the risk, but not fixing it entirely.

Example: You have identified a vulnerability on a server where critical assets are stored, but
instead of patching the vulnerability, you implement a firewall rule that only allows specific
systems to communicate with the vulnerable service on the server.

Transference: Transferring the risk to another entity so your organization can recover from
incurred costs of the risk being realized.

Example: You purchase insurance that will cover any losses that would be incurred if
vulnerable systems are exploited. (Note: this should be used to supplement risk remediation
and mitigation but not replace them altogether.)

Risk acceptance: Not fixing the risk. This is appropriate in cases where the risk is clearly
low and the time and effort it takes to fix the risk costs more than the costs that would be
incurred if the risk were to be realized.

Example: You have identified a vulnerability on a server but concluded that there is nothing
sensitive on that server; it cannot be used as an entry point to access other critical assets,
and a successful exploit of the vulnerability is very complex. As a result, you decide you do
not need to spend time and resources to fix the vulnerability.

Risk avoidance: Removing all exposure to an identified risk

Example: You have identified servers with operating systems (OS) that are about to reach
end-of-life and will no longer receive security patches from the OS creator. These servers
process and store both sensitive and non-sensitive data. To avoid the risk of sensitive data
being compromised, you quickly migrate that sensitive data to newer, patchable servers. The
servers continue to run and process non-sensitive data while a plan is developed to
decommission them and migrate non-sensitive data to other servers.

7) Risk Monitoring

Adopting an information risk management framework is critical to providing a secure
environment for your technical assets.

Implementing a sophisticated software-driven system of controls and alert management is an
effective part of a risk treatment plan.

Continuous monitoring and analysis are critical. Cyber thieves develop new methods of attacking
your network and data warehouses daily. To keep pace with this onslaught of activity, you must
revisit your reporting, alerts, and metrics regularly.

Communication

Regardless of how a risk is treated, the decision needs to be communicated within the
organization. Stakeholders need to understand the costs of treating or not treating a risk and
the rationale behind that decision. Responsibility and accountability needs to be clearly
defined and associated with individuals and teams in the organization to ensure the right
people are engaged at the right times in the process.

Create an Effective Security Risk Management Program

Defeating cybercriminals and halting internal threats is a challenging process. Bringing data
integrity and availability to your enterprise risk management is essential to your employees,
customers, and shareholders.

Create your risk management process and take strategic steps to make data security a
fundamental part of conducting business.

Best practices include:


1) Implement technology solutions to detect and eradicate threats before data is
compromised.
2) Establish a security office with accountability.
3) Ensure compliance with security policies.
4) Make data analysis a collaborative effort between IT and business stakeholders.
5) Ensure alerts and reporting are meaningful and effectively routed.
6) Conduct a complete IT security assessment and manage enterprise risk; this is essential
to identify vulnerability issues.
7) Develop a comprehensive approach to information security.

THREATS AND RISKS

A security threat is a malicious act that aims to corrupt or steal data or disrupt an organization's
systems or the entire organization. A security event refers to an occurrence during which
company data or its network may have been exposed. And an event that results in a data or
network breach is called a security incident.

As cyber security threats continue to evolve and become more sophisticated, enterprise IT must
remain vigilant when it comes to protecting their data and networks. To do that, they first have to
understand the types of security threats they're up against.
Below are the top 10 types of information security threats that IT teams need to know about.

1. Insider threats

An insider threat occurs when individuals close to an organization who have authorized access to
its network intentionally or unintentionally misuse that access to negatively affect the
organization's critical data or systems.

Careless employees who don't comply with their organizations' business rules and policies cause
insider threats. For example, they may inadvertently email customer data to external parties,
click on phishing links in emails or share their login information with others. Contractors,
business partners and third-party vendors are the source of other insider threats.

Preventing insider threats

The list of things organizations can do to minimize the risks associated with insider
threats includes the following:

• limit employees' access to only the specific resources they need to do their jobs;

• train new employees and contractors on security awareness before allowing them to access
the network. Incorporate information about unintentional and malicious insider threat
awareness into regular security training;

• set up contractors and other freelancers with temporary accounts that expire on specific
dates, such as the dates their contracts end;

• implement two-factor authentication, which requires each user to provide a second piece of
identifying information in addition to a password; and

• install employee monitoring software to help reduce the risk of data breaches and the theft of
intellectual property by identifying careless, disgruntled or malicious insiders.

2. Viruses and worms

Viruses and worms are malicious software programs (malware) aimed at destroying an
organization's systems, data and network. A computer virus is malicious code that replicates by
copying itself to another program, system or host file. It remains dormant until someone
knowingly or inadvertently activates it, spreading the infection without the knowledge or
permission of the user or system administrator.

A computer worm is a self-replicating program that doesn't have to copy itself to a host program
or require human interaction to spread. Its main function is to infect other computers while
remaining active on the infected system. Worms often spread using parts of an operating system
that are automatic and invisible to the user. Once a worm enters a system, it immediately starts
replicating itself, infecting computers and networks that aren't adequately protected.

Preventing viruses and worms

To reduce the risk of these types of information security threats caused by viruses or worms,
companies should install antivirus and antimalware software on all their systems and networked
devices and keep that software up to date. In addition, organizations must train users not to
download attachments or click on links in emails from unknown senders and to avoid
downloading free software from untrusted websites. Users should also be very cautious when
they use P2P file sharing services and they shouldn't click on ads, particularly ads from
unfamiliar brands and websites.

3. Botnets

A botnet is a collection of Internet-connected devices, including PCs, mobile devices, servers
and IoT devices that are infected and remotely controlled by a common type of malware.
Typically, the botnet malware searches for vulnerable devices across the internet. The goal of the
threat actor creating a botnet is to infect as many connected devices as possible, using the
computing power and resources of those devices for automated tasks that generally remain
hidden to the users of the devices. The threat actors -- often cybercriminals -- that control these
botnets use them to send email spam, engage in click fraud campaigns and generate malicious
traffic for distributed denial-of-service attacks.

Preventing botnets

Organizations have several ways to prevent botnet infections:

• monitor network performance and activity to detect any irregular network behavior;

• keep the operating system up to date;

• keep all software up-to-date and install any necessary security patches;

• educate users not to engage in any activity that puts them at risk of bot infections or other
malware, including opening emails or messages, downloading attachments or clicking links
from unfamiliar sources; and

• implement antibotnet tools that find and block bot viruses. In addition, most firewalls and
antivirus software include basic tools to detect, prevent and remove botnets.

4. Drive-by download attacks

In a drive-by download attack, malicious code is downloaded from a website via a browser,
application or integrated operating system without a user's permission or knowledge. A user
doesn't have to click on anything to activate the download. Just accessing or browsing a website
can start a download. Cybercriminals can use drive-by downloads to inject banking Trojans, steal
and collect personal information as well as introduce exploit kits or other malware to endpoints.

Preventing drive-by download attacks

One of the best ways a company can prevent drive-by download attacks is to regularly update
and patch systems with the latest versions of software, applications, browsers, and operating
systems. Users should also be warned to stay away from insecure websites. Installing security
software that actively scans websites can help protect endpoints from drive-by downloads.

5. Phishing attacks

Phishing attacks are a type of information security threat that employs social engineering to trick
users into breaking normal security practices and giving up confidential information, including
names, addresses, login credentials, Social Security numbers, credit card information and other
financial information. In most cases, hackers send out fake emails that look as if they're coming
from legitimate sources, such as financial institutions, eBay, PayPal -- and even friends and
colleagues.

In phishing attacks, hackers attempt to get users to take some recommended action, such as
clicking on links in emails that take them to fraudulent websites that ask for personal information
or install malware on their devices. Opening attachments in emails can also install malware on
users' devices that are designed to harvest sensitive information, send out emails to their contacts
or provide remote access to their devices.

Preventing phishing attacks

Enterprises should train users not to download attachments or click on links in emails from
unknown senders and avoid downloading free software from untrusted websites.

6. Distributed denial-of-service (DDoS) attacks

In a distributed denial-of-service (DDoS) attack, multiple compromised machines attack a target,
such as a server, website or other network resource, making the target totally inoperable. The
flood of connection requests, incoming messages or malformed packets forces the target system
to slow down or to crash and shut down, denying service to legitimate users or systems.

Preventing DDoS attacks

To help prevent DDoS attacks, companies should take these steps:

• Implement technology to monitor networks visually and know how much bandwidth a site
uses on average. DDoS attacks offer visual clues so administrators who understand the
normal behaviors of their networks will be better able to catch these attacks.

• Ensure servers have the capacity to handle heavy traffic spikes and the mitigation tools
necessary to address security problems.
• Update and patch firewalls and network security programs.

• Set up protocols outlining the steps to take in the event of a DDoS attack occurring.

7. Ransomware

In a ransomware attack, the victim's computer is locked, typically by encryption, which keeps the
victim from using the device or data that's stored on it. To regain access to the device or data, the
victim has to pay the hacker a ransom, typically in a virtual currency such as Bitcoin.
Ransomware can be spread via malicious email attachments, infected software apps, infected
external storage devices and compromised websites.

Preventing ransomware

To protect against ransomware attacks, users should regularly back up their computing devices
and update all software, including antivirus software. Users should avoid clicking on links in
emails or opening email attachments from unknown sources. Victims should do everything
possible to avoid paying ransom. Organizations should also couple a traditional firewall that
blocks unauthorized access to computers or networks with a program that filters web content and
focuses on sites that may introduce malware. In addition, limit the data a cybercriminal can
access by segregating the network into distinct zones, each of which requires different
credentials.

8. Exploit kits

An exploit kit is a programming tool that enables a person without any experience writing
software code to create, customize and distribute malware. Exploit kits are known by a variety of
names, including infection kit, crimeware kit, DIY attack kit and malware toolkit. Cybercriminals
use these toolkits to attack system vulnerabilities to distribute malware or engage in other
malicious activities, such as stealing corporate data, launching denial of service attacks or
building botnets.

Preventing exploit kits

To guard against exploit kits, an organization should deploy antimalware software as well as a
security program that continually evaluates whether its security controls are effective and provide
protection against attacks. Enterprises should also install antiphishing tools because many exploit
kits use phishing or compromised websites to penetrate the network.

9. Advanced persistent threat attacks

An advanced persistent threat (APT) is a targeted cyberattack in which an unauthorized intruder
penetrates a network and remains undetected for an extended period of time. Rather than causing
damage to a system or network, the goal of an APT attack is to monitor network activity and
steal information, using tools such as exploit kits and malware to gain access. Cybercriminals
typically use APT attacks against high-value targets, such as large enterprises and nation-states,
stealing data over a long period.

Preventing APT attacks

Detecting anomalies in outbound data may be the best way for system administrators to
determine if their networks have been targeted.

Indicators of APTs include the following:

• unusual activity on user accounts;

• extensive use of backdoor Trojan horse malware, a method that enables APTs to maintain
access;

• odd database activity, such as a sudden increase in database operations involving massive
amounts of data; and

• the presence of unusual data files, possibly indicating that data has been bundled into
files to assist in the exfiltration process.

To combat this type of information security threat, an organization should also deploy a
software, hardware or cloud firewall to guard against APT attacks. Organizations can also use
a web application firewall to detect and prevent attacks coming from web applications by
inspecting HTTP traffic.
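One way to operationalise the outbound-data anomaly check described above, as an added example that is not part of the course notes: each host's daily outbound volume is baselined and the host is flagged when its review-day total sits far above that baseline or goes to a destination never seen before. The flow records, host names, destinations and thresholds are constructed assumptions.

```python
"""Flag hosts whose outbound data volume looks anomalous against their own baseline.

Added example, not from the course notes. All flow records, host names,
destinations and thresholds below are constructed for illustration.
"""
from collections import defaultdict
from statistics import mean, pstdev

MB = 1024 * 1024

# Constructed flow records: (day, host, destination, outbound_bytes).
# Days 1-7 form the baseline; day 8 is the day under review.
FLOWS = []
for _day in range(1, 8):
    FLOWS.append((_day, "ws-01", "cdn.example.net", (50 + _day % 3) * MB))
    FLOWS.append((_day, "ws-02", "mail.example.net", (40 + _day % 2) * MB))
    FLOWS.append((_day, "db-01", "backup.example.net", 5 * MB))
FLOWS += [
    (8, "ws-01", "cdn.example.net", 52 * MB),
    (8, "ws-02", "mail.example.net", 41 * MB),
    (8, "ws-02", "203.0.113.77", 900 * MB),   # large push to a never-seen destination
    (8, "db-01", "backup.example.net", 6 * MB),
    (8, "ws-03", "cdn.example.net", 3 * MB),  # host with no baseline history at all
]


def daily_totals(flows, day_from, day_to):
    """Return ({host: {day: bytes}}, {host: set(destinations)}) for the day range."""
    totals = defaultdict(lambda: defaultdict(int))
    dests = defaultdict(set)
    for day, host, dest, nbytes in flows:
        if day_from <= day <= day_to:
            totals[host][day] += nbytes
            dests[host].add(dest)
    return totals, dests


def find_exfil_candidates(flows, baseline_days=(1, 7), review_day=8,
                          z_threshold=3.0, min_bytes=100 * MB):
    """Compare each host's review-day outbound total with its baseline mean/std dev.

    A host is reported when its total is at least min_bytes (ignores noise on
    tiny baselines) and either sits z_threshold standard deviations above its
    own mean or goes to a destination absent from the baseline. Hosts with
    fewer than three baseline days are reported for manual review instead.
    """
    baseline, known_dests = daily_totals(flows, *baseline_days)
    review, review_dests = daily_totals(flows, review_day, review_day)
    alerts = []
    for host, per_day in review.items():
        observed = per_day[review_day]
        history = list(baseline[host].values())
        if len(history) < 3:
            alerts.append({"host": host, "bytes": observed, "new_destinations": [],
                           "reasons": [f"insufficient baseline ({len(history)} days)"]})
            continue
        mu, sigma = mean(history), pstdev(history)
        if sigma > 0:
            z = (observed - mu) / sigma
        else:  # flat baseline: any increase is treated as maximally unusual
            z = float("inf") if observed > mu else 0.0
        new_dests = sorted(review_dests[host] - known_dests[host])
        reasons = []
        if observed >= min_bytes and z >= z_threshold:
            reasons.append(f"outbound {observed / MB:.0f} MB is {z:.1f} std devs "
                           f"above the {mu / MB:.1f} MB baseline")
        if observed >= min_bytes and new_dests:
            reasons.append("new destination(s): " + ", ".join(new_dests))
        if reasons:
            alerts.append({"host": host, "bytes": observed,
                           "new_destinations": new_dests, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in find_exfil_candidates(FLOWS):
        print(alert["host"], "->", "; ".join(alert["reasons"]))
```

In production the baseline window, z-score threshold and byte floor would be tuned per host role, since a backup server and a workstation have very different normal outbound profiles.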

10. Malvertising

Malvertising is a technique cybercriminals use to inject malicious code into legitimate online
advertising networks and web pages. This code typically redirects users to malicious websites or
installs malware on their computers or mobile devices. Users' machines may get infected even if
they don't click on anything to start the download. Cybercriminals may use malvertising to
deploy a variety of moneymaking malware, including cryptomining scripts, ransomware and
banking Trojans.

Some of the websites of well-known companies, including Spotify, The New York Times and
the London Stock Exchange, have inadvertently displayed malicious ads, putting users at risk.

Preventing malvertising

To prevent malvertising, ad networks should add validation; this reduces the chances a user
could be compromised. Validation could include: Vetting prospective customers by requiring
legal business paperwork; two-factor authentication; scanning potential ads for malicious content
before publishing an ad; or possibly converting Flash ads to animated gifs or other types of
content.

To mitigate malvertising attacks, web hosts should periodically check their websites from an
unpatched system and monitor that system to detect any malicious activity. The web hosts should
disable any malicious ads.

To reduce the risk of malvertising attacks, enterprise security teams should be sure to keep
software and patches up to date as well as install network antimalware tools.

Information Technology risk

Information technology or IT risk is basically any threat to your business data, critical systems
and business processes. It is the risk associated with the use, ownership, operation, involvement,
influence and adoption of IT within an organisation. IT risks have the potential to damage
business value and often come from poor management of processes and events.

Categories of IT risks

IT risk spans a range of business-critical areas, such as:

• security - compromised business data due to unauthorised access or use
• availability - inability to access your IT systems needed for business operations
• performance - reduced productivity due to slow or delayed access to IT systems
• compliance - failure to follow laws and regulations (eg data protection)

IT risks vary in range and nature. It's important to be aware of all the different types of IT
risk potentially affecting your business.

Potential impact of IT failure on business

For businesses that rely on technology, events or incidents that compromise IT can cause many
problems. For example, a security breach can lead to:

• identity fraud and theft
• financial fraud or theft
• damage to reputation
• damage to brand
• damage to your business' physical assets

Failure of IT systems due to downtime or outages can result in other damaging and diverse
consequences, such as:

• lost sales and customers
• reduced staff or business productivity
• reduced customer loyalty and satisfaction
• a damaged relationship with partners and suppliers

If IT failure affects your ability to comply with laws and regulations, then it could also lead to:

• breach of legal duties
• breach of client confidentiality
• penalties, fines and litigation
• reputational damage

If technology is enabling your connection to customers, suppliers, partners and business
information, managing IT risks in your business should always be a core concern.

In its guidance, the National Cyber Security Centre (NCSC) provides a clear explanation of why
IT risk management matters.

IT risks should be carefully assessed and measured. This is where an IT risk assessment comes
in - a process of identifying security risks and evaluating the threat they pose. Once risks are
identified and assessed, you will manage them through a comprehensive IT risk management
process.

Types of risks in IT systems

Threats to your IT systems can be external, internal, deliberate and unintentional. Most IT risks
affect one or more of the following:

• business or project goals
• service continuity
• bottom-line results
• business reputation
• security
• infrastructure

Examples of IT risks

Looking at the nature of risks, it is possible to differentiate between:

• Physical threats - resulting from physical access or damage to IT resources such as the
servers. These could include theft, damage from fire or flood, or unauthorised access to
confidential data by an employee or outsider.
• Electronic threats - aiming to compromise your business information - eg a hacker
could get access to your website, your IT system could become infected by a computer
virus, or you could fall victim to a fraudulent email or website. These are often of a
criminal nature.
• Technical failures - such as software bugs, a computer crash or the complete failure of a
computer component. A technical failure can be catastrophic if, for example, you cannot
retrieve data on a failed hard drive and no backup copy is available.
• Infrastructure failures - such as the loss of your internet connection can interrupt your
business - eg you could miss an important purchase order.
• Human error - is a major threat - eg someone might accidentally delete important data, or
fail to follow security procedures properly.
How to manage IT risks

Managing various types of IT risks begins with identifying exactly:

• the type of threats affecting your business
• the assets that may be at risk
• the ways of securing your IT systems

Find out how to carry out an IT risk assessment and learn more about the IT risk management
process.

IT risk assessment methodology

IT risk assessment is a process of analysing potential threats and vulnerabilities to your IT
systems to establish what loss you might expect to incur if certain events happen. Its objective is
to help you achieve optimal security at a reasonable cost.

There are two prevailing methodologies for assessing the different types of IT risk: quantitative
and qualitative risk analysis.

Quantitative IT risk assessment

Quantitative assessment measures risk using monetary amounts. It uses mathematical formulas to
give you the value of expected losses associated with a particular risk, based on:

• the asset value
• the frequency of risk occurrence
• the probability of associated loss
In an example of server failure, a quantitative assessment would involve looking at:

• the cost of the server or the revenue it generates
• how often the server crashes
• the estimated loss incurred each time it crashes
From these values, you can work out several key calculations:

• single loss expectancy - costs you would incur if the incident occurs once
• annual rate of occurrence - how many times a year you can expect this risk to occur
• annual loss expectancy - the total risk value over the course of a year
Find a formula to calculate annualised loss expectancy.

These monetary results could help you avoid spending too much time and money on reducing
negligible risks. For example, if a threat is unlikely to happen or costs little or nothing to remedy,
it probably presents a low risk to your business.
However, if a threat to your key IT systems is likely to happen, and could be expensive to fix or
likely to affect your business adversely, you should consider it high risk.

You may want to use this risk information to carry out a cost/benefit analysis to determine what
level of investment would make risk treatment worthwhile.
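A worked example of the three calculations above (single loss expectancy, annual rate of occurrence, annual loss expectancy) together with the cost/benefit check for a control, added here as an illustration and not taken from these notes; the server figures, the exposure factor and the standby-server control are constructed assumptions.

```python
"""Quantitative IT risk assessment: SLE, ARO, ALE and a cost/benefit check for a control.

Added example for these notes. The monetary figures below are constructed to
illustrate the server-failure scenario described in the text.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float      # cost of the server or the revenue it generates (currency units)
    exposure_factor: float  # fraction of the asset value lost each time the incident occurs
    aro: float              # annual rate of occurrence: expected incidents per year


def single_loss_expectancy(r: Risk) -> float:
    """SLE = asset value x exposure factor: the cost incurred if the incident occurs once."""
    if not 0.0 <= r.exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return r.asset_value * r.exposure_factor


def annual_loss_expectancy(r: Risk) -> float:
    """ALE = SLE x ARO: the total expected loss over the course of a year."""
    return single_loss_expectancy(r) * r.aro


def control_value(risk_before: Risk, risk_after: Risk, annual_control_cost: float) -> float:
    """Cost/benefit of a control: the ALE it removes minus what it costs per year.

    Positive means the control saves more than it costs; negative means the risk is
    cheaper to accept (or transfer) than to treat with this control.
    """
    return (annual_loss_expectancy(risk_before)
            - annual_loss_expectancy(risk_after)
            - annual_control_cost)


# Constructed scenario: a server generating 200,000 per year in revenue; each crash
# costs an estimated 2% of that value (lost sales plus restore effort), six crashes a year.
SERVER_CRASH = Risk("server crash", asset_value=200_000, exposure_factor=0.02, aro=6)

# Hypothetical control: a warm standby server costing 3,000 per year cuts the loss
# per crash to 0.5% of the asset value but does not change how often crashes happen.
SERVER_CRASH_WITH_STANDBY = Risk("server crash (with standby)", 200_000, 0.005, 6)

if __name__ == "__main__":
    print(f"SLE: {single_loss_expectancy(SERVER_CRASH):,.0f}")          # 4,000
    print(f"ALE: {annual_loss_expectancy(SERVER_CRASH):,.0f}")          # 24,000
    net = control_value(SERVER_CRASH, SERVER_CRASH_WITH_STANDBY, 3_000)
    print(f"Net annual value of the standby control: {net:,.0f}")       # 15,000
```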

Qualitative IT risk assessment

Qualitative risk assessment is opinion-based. It relies on judgment to categorise risks based on
probability and impact and uses a rating scale to describe the risks as:

• low - unlikely to occur or impact your business
• medium - possible to occur and impact
• high - likely to occur and impact your business significantly
For example, you might classify as 'high probability' something that you expect to happen
several times a year. You do the same for cost/impact in whatever terms seem useful, for
example:

• low - would lose up to half an hour of production
• medium - would cause complete shutdown for at least three days
• high - would cause irrevocable loss to the business
With your ratings determined, you can then create a risk assessment matrix and risk register to
help you categorise the risk level for each risk event. This can, ultimately, help you decide which
risks to mitigate using controls, and which to accept or transfer.
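The probability and impact scales above turned into a small risk matrix and risk register, added here as an illustration and not part of the original notes; the frequency thresholds, the sample risk events and the mitigate / reduce-or-transfer / accept rule are assumptions.

```python
"""Qualitative IT risk assessment: rate probability and impact, place each risk on a
low/medium/high matrix, and build a risk register that suggests a treatment.

Added example for these notes. The low/medium/high scales follow the text; the
numeric thresholds, the sample events and the treatment rule are assumptions.
"""
from dataclasses import dataclass

RATING = {"low": 1, "medium": 2, "high": 3}   # ordinal scale from the text


def rate_probability(expected_per_year: float) -> str:
    """Frequency -> probability rating. Thresholds are assumptions: the text only
    says that something expected several times a year is 'high probability'."""
    if expected_per_year >= 1:
        return "high"
    if expected_per_year >= 0.1:    # roughly once a decade or more often
        return "medium"
    return "low"


def rate_impact(downtime_hours: float, irrevocable: bool = False) -> str:
    """Impact rating following the text's examples: irrevocable loss -> high,
    up to half an hour of lost production -> low, anything in between -> medium."""
    if irrevocable:
        return "high"
    if downtime_hours <= 0.5:
        return "low"
    return "medium"


def risk_level(probability: str, impact: str) -> str:
    """Risk matrix cell: multiply the two ordinal ratings (1..9) and bucket the
    score back into low (1-2), medium (3-4) or high (6-9)."""
    score = RATING[probability] * RATING[impact]
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


TREATMENT = {   # assumed rule matching the text's mitigate / accept / transfer options
    "high": "mitigate with controls",
    "medium": "reduce if cost-effective, otherwise transfer (e.g. insurance)",
    "low": "accept",
}


@dataclass(frozen=True)
class RiskEvent:
    name: str
    expected_per_year: float
    downtime_hours: float
    irrevocable: bool = False


def build_register(events):
    """Rate every event and return the register with the highest risks first."""
    register = []
    for e in events:
        p = rate_probability(e.expected_per_year)
        i = rate_impact(e.downtime_hours, e.irrevocable)
        level = risk_level(p, i)
        register.append({"risk": e.name, "probability": p, "impact": i,
                         "level": level, "treatment": TREATMENT[level]})
    register.sort(key=lambda row: RATING[row["level"]], reverse=True)  # stable sort
    return register


# Constructed events mirroring the threat categories in these notes.
EVENTS = [
    RiskEvent("phishing email infects a workstation with malware", 4, 8),
    RiskEvent("fire in the server room destroys data with no backup", 0.02, 0, irrevocable=True),
    RiskEvent("brief loss of internet connection", 12, 0.25),
    RiskEvent("employee deletes a shared folder (restored from backup)", 0.5, 2),
]

if __name__ == "__main__":
    for row in build_register(EVENTS):
        print(f"{row['level']:6} p={row['probability']:6} i={row['impact']:6} "
              f"{row['risk']}: {row['treatment']}")
```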

TASK

WHAT IS A SECURITY AUDIT? EXPLAIN THE TECHNIQUES USED IN A SECURITY AUDIT.

IT risk management process

In business, IT risk management entails a process of identifying, monitoring and managing
potential information security or technology risks with the goal of mitigating or minimising their
negative impact.

Examples of potential IT risks include security breaches, data loss or theft, cyber attacks, system
failures and natural disasters. Anything that could affect the confidentiality, integrity and
availability of your systems and assets could be considered an IT risk.

Steps in the IT risk management process

To manage IT risks effectively, follow these six steps in your risk management process:

1. Identify risks
Determine the nature of risks and how they relate to your business. Take a look at the different
types of IT risk.

2. Assess risks
Determine how serious each risk is to your business and prioritise them. Carry out an IT risk
assessment.

3. Mitigate risks
Put in place preventive measures to reduce the likelihood of the risk occurring and limit its
impact. Find solutions in our IT risk management checklist.

4. Develop an incident response
Set out plans for managing a problem and recovering your operations. Devise and test your IT
incident response and recovery strategy.

5. Develop contingency plans
Ensure that your business can continue to run after an incident or a crisis. Read about IT risk
and business continuity.

6. Review processes and procedures
Continue to assess threats and manage new risks. Read more about the strategies to manage
business risk.

IT risk controls
As part of your risk management, try to reduce the likelihood of risks affecting your business in
the first place. Put in place measures to protect your systems and data from all known threats.

For example, you should:

• Review the information you hold and share. Make sure that you comply with data
protection legislation, and think about what needs to be on public or shared systems.
Where possible, remove sensitive information.
• Install and maintain security controls, such as firewalls, anti-virus software and processes
that help prevent intrusion and protect your business online.
• Implement security policies and procedures such as internet and email usage policies, and
train staff.
• Use a third-party IT provider if you lack in-house skills. Often, they can provide their
own security expertise. See how to choose an IT supplier for your business.
If you can't remove or reduce risks to an acceptable level, you may be able to take action to
lessen the impact of potential incidents.
Mitigate IT risks
To mitigate IT risks, you should consider:

• setting procedures for detecting problems (eg a virus infecting your system), possibly
with the help of cyber security breach detection tools
• getting cyber insurance against the costs of security breaches

Also refer to https://www.businesstechweekly.com/cybersecurity/risk-management/it-risk/

RISK MANAGEMENT FRAMEWORK

The Risk Management Framework is a template and guideline used by companies to identify,
eliminate and minimize risks.

Risk management principles

1. Ensure risks are identified early

This is probably the most important principle of risk management – make sure you’re ahead of
the game by completing your risk assessment before the project commences.

Identify the cause of a potential risk and design preventative measures and a response if it was to
occur. After risks have been identified and sourced, risk needs to be measured.

2. Factor in organizational goals and objectives

Ensure your risk management plan ties in with your organization’s overall goals and objectives.
If a risk that you have flagged does end up occurring, how will it impact the organization,
financially and in terms of reputation?

3. Manage risk within context

Context is extremely important when considering project risk, as each organisation will have
different tolerance levels to risks. Various factors (political, technological, legal, societal, etc.)
will impact organisations and industries differently. For example, one organisation might be
particularly vulnerable to its legal environment, while another may need to consider their societal
impacts more closely.

4. Involve stakeholders

When you’re planning for risk, it’s important to call on the expertise of those who will be
involved in the project (e.g. team members, contractors), as well as experts within your
organisation who can provide you with advice for planning for risk (e.g. senior managers).

5. Ensure responsibilities and roles are clear

While the risk management plan may be owned by one individual such as the project manager or
change manager, it should be operated with transparency and visibility. Everyone should know
the role they play in mitigating risk and responsibilities should be clear and inclusive throughout
the risk management process.

6. Create a cycle of risk review

Once you have identified the risks and made a risk management plan or strategy, it’s important
not to have a set and forget mentality. During each step in the process, all risks should be
evaluated and any interventions or preventative measures should be implemented if needed.

7. Strive for continuous improvement

Once a project has been completed, review how your risk management plan went and whether
there was any room for improvement. Always strive to adapt to how you manage risk and take
these learnings with you to your next project.

Risk Management Framework Components

A risk management framework consists of several core components, which will help
organizations manage their risks and monitor the effectiveness of their
privacy/security program. These components include:

• Risk identification: Organizations must create an extensive list of all possible
threats to their systems and data, regardless of where those threats originate.
This includes any areas where the organization may find itself falling out of
alignment with the relevant data privacy laws.
• Risk assessment: For each risk identified by the process mentioned above,
organizations will need to create a detailed risk profile, and assign a score to each
risk based on their potential impact. Risk assessments should be carried out at
regular intervals.
• Risk mitigation: Once a thorough risk assessment has been carried out,
organizations will need to establish a plan for mitigating these risks, which will be
prioritized based on their risk score.
• Reporting and monitoring: Organizations must periodically review their risk
identification, assessment, and mitigation strategies to ensure that they are
effective, and produce reports that highlight any areas that need improvement.
• Risk governance: Implement all of the risk management steps defined above.

Risk Management Framework Steps

The NIST Risk Management Framework (RMF) provides a comprehensive, flexible, repeatable,
and measurable 7-step process that any organization can use to manage information security and
privacy risk for organizations and systems, and links to a suite of NIST standards and guidelines
to support implementation of risk management programs.
The NIST Framework helps businesses of all sizes better understand, manage, and reduce their
risk and protect their networks and data. The Framework is voluntary. It gives your business an
outline of best practices to help you decide where to focus your time and money for protection.

The National Institute of Standards and Technology (NIST) RMF is broken into 7 steps, which
include:

1. Prepare: Organizations should take the necessary measures to effectively
prepare for any threats to the security of their systems and data.
2. Categorize information systems: Organizations must ensure that they know
exactly what systems and data they need to safeguard and carry out a detailed
analysis of the impact associated with a breach affecting those systems and data.
3. Select security controls: Organizations will need to identify which security controls
are necessary to protect their systems and data.
4. Implement security controls: Implement the security controls identified in the
previous step, and ensure that all controls are clearly documented.
5. Assess security controls: Determine whether the security controls have been
properly implemented, and achieve their goal of mitigating risks.
6. Authorize information systems: Any systems that are functioning properly and
effectively minimizing risk should be officially authorized.
7. Monitor security controls: Continuously monitor the effectiveness of the security
controls in place, and make changes where necessary. Ensure that all changes are
well documented, and all important changes should trigger an alert that can be
scrutinized to ensure they are carried out by an authorized member of staff.
COBIT

COBIT (Control Objectives for Information and Related Technology) helps organizations meet
business challenges in regulatory compliance, risk management and aligning IT strategy with
organizational goals. COBIT 5, the latest iteration of the framework, was released in 2012.

COBIT 5 principles
COBIT 5 is based on five principles that are essential for the effective management and
governance of enterprise IT:

• Principle 1: Meeting stakeholder needs
• Principle 2: Covering the enterprise end to end
• Principle 3: Applying a single integrated framework
• Principle 4: Enabling a holistic approach
• Principle 5: Separating governance from management

These five principles enable an organisation to build a holistic framework for the governance and
management of IT that is built on seven ‘enablers’. Enablers are factors that, individually and
collectively, influence whether something will work; in this case, governance and management
over enterprise IT. Enablers are driven by the goals cascade, whereby higher-level IT-related
goals define what the different enablers should achieve. The seven enablers are:

1. People, policies and frameworks
2. Processes
3. Organisational structures
4. Culture, ethics and behaviour
5. Information
6. Services, infrastructure and applications
7. People, skills and competencies

Together, the principles and enablers allow an organisation to align its IT investments with its
objectives to realise the value of those investments.

Benefits of COBIT

The COBIT 5 framework can help organizations of all sizes:

• Improve and maintain high-quality information to support business decisions.
• Use IT effectively to achieve business goals.
• Use technology to promote operational excellence.
• Ensure IT risk is managed effectively.
• Ensure organizations realize the value of their investments in IT.
• Achieve compliance with laws, regulations and contractual agreements.
Risk IT Framework

Risk IT is a set of proven, real-world practices that helps enterprises achieve their goals, seize
opportunities and seek greater returns with less risk. It works at the intersection of business and
IT and allows enterprises to manage and even capitalize on risk in the pursuit of their objectives.

The Risk IT Framework provides a set of guiding principles and supporting practices for
enterprise management, combined to deliver a comprehensive process model for governing and
managing IT risk.

The framework is divided into the following three domains, each of which contains three
processes:

• Risk Governance:
o Establish and maintain a common risk view
o Integrate with enterprise risk management and
o Make risk-aware business decisions
• Risk Evaluation:
o Collect data
o Analyze risk
o Maintain risk profile
• Risk Response:
o Articulate risk
o Manage risk
o React to events
The Risk IT Framework fills the gap between generic risk management frameworks and detailed
(primarily security-related) IT risk management frameworks.

It provides an end-to-end comprehensive view of all risks related to the use of IT and a similarly
thorough treatment of risk management, from the tone and culture at the top to operational
issues.
CONTINGENCY PLAN

A contingency plan is a course of action designed to help an organization respond effectively to a
significant future incident, event or situation that may or may not happen.

A contingency plan is sometimes referred to as "Plan B" or a backup plan because it can also be
used as an alternative action if expected results fail to materialize. Contingency planning is a
component of business continuity (BC), disaster recovery (DR) and risk management.

Steps of a contingency plan

Contingency planning standards include a framework and structure for plan design and
development. The plan structure is a repeatable format that simplifies the development of
contingency and other plans. The steps include:
1. Contingency planning policy statement. This policy provides the outline and authorization
to develop a contingency plan.

2. Business impact analysis. BIA identifies and prioritizes the systems that are important to an
organization's business functions.

3. Preventive controls. Proactive measures that prevent system outages and disruptions can
ensure system availability and reduce costs related to contingency measures and lifecycle.

4. Contingency strategies. Thorough recovery strategies ensure that a system may be
recovered fast and completely after a disruption.

5. Contingency plan. This is the action plan. It contains the guidance and procedures for
dealing with a damaged or unavailable system. These detailed plans are tailored to the
system's security impact level and recovery requirements.

6. Testing, training and exercises. Plan testing validates recovery capabilities, training
prepares recovery personnel for plan activation and exercising the plan identifies planning
gaps. Combined, these activities improve plan effectiveness and overall organization
preparedness.

7. Plan maintenance. The plan should be updated regularly to remain current with system
enhancements and organizational changes.

Other elements of a contingency plan

In accordance with current domestic and international standards, the following activities are also
recommended for contingency plan development:

• Risk assessment. This step examines internal and external risks, threats and vulnerabilities
to the organization and its technology infrastructure. It also looks at the likelihood of
reoccurrence, the severity and potential impact to the organization, as well as the financial
and operational effects. Best practice contingency planning includes performing a BIA
and risk assessment to identify key risks and preventive measures and strategies to deal with
them.
• Awareness training. Information about contingency plans and the other plan types is
disseminated to employees, company leaders, customers and external stakeholders.

• Review and auditing. This ensures that the plan is examined periodically to check its
consistency with current business and technology practices, as well as the accuracy of
contact data. Periodic audits ensure alignment with relevant controls, standards and
applicable regulations.

• Continuous improvement. Regularly revisiting the plan can help ensure that it meets the
operational needs of the organization.

Business continuity vs. business contingency plans

The terms business continuity and business contingency are often used interchangeably.
However, they differ in the following ways.

Business contingency. A business contingency plan is activated soon after the initial event
occurs and the IR team has made its initial assessments and determinations. The contingency
plan is used to get specific team members involved in mitigation efforts. These people make
short-term decisions regarding how the incident can be managed and resolved.

Business continuity. If contingency planning activities are insufficient to restore business
operations, it may be necessary to declare a disaster and launch a longer-term business continuity
plan as well as a technology disaster recovery plan. BC plans are designed to facilitate the
recovery and resumption of business activities to as close to normal operations as possible.
Benefits of contingency plans

When a disruptive or negative event occurs, contingency plans provide a structure for
assessment and actions to recover from such unexpected events.

The faster the recovery, the less potential there is for damage to occur to the
organization and its employees. Speed in recovery also helps maintain a company's
financial status, competitive position and reputation.

Disaster Recovery

Disaster recovery is an organization’s method of regaining access and functionality to its IT
infrastructure after events like a natural disaster, cyber attack, or even business disruptions
related to the COVID-19 pandemic. A variety of disaster recovery (DR) methods can be part of a
disaster recovery plan. DR is one aspect of business continuity.

How does disaster recovery work?

Disaster recovery relies upon the replication of data and computer processing in an off-premises
location not affected by the disaster. When servers go down because of a natural disaster,
equipment failure or cyber attack, a business needs to recover lost data from a second location
where the data is backed up. Ideally, an organization can transfer its computer processing to that
remote location as well in order to continue operations.
5 top elements of an effective disaster recovery plan
1. Disaster recovery team: This assigned group of specialists will be responsible for
creating, implementing and managing the disaster recovery plan. This plan should define
each team member’s role and responsibilities. In the event of a disaster, the recovery
team should know how to communicate with each other, employees, vendors, and
customers.

2. Risk evaluation: Assess potential hazards that put your organization at risk. Depending
on the type of event, strategize what measures and resources will be needed to resume
business. For example, in the event of a cyber attack, what data protection measures will
the recovery team have in place to respond?
3. Business-critical asset identification: A good disaster recovery plan includes
documentation of which systems, applications, data, and other resources are most critical
for business continuity, as well as the necessary steps to recover data.

4. Backups: Determine what needs backup (or to be relocated), who should perform
backups, and how backups will be implemented. Include a recovery point objective
(RPO) that states the frequency of backups and a recovery time objective (RTO) that
defines the maximum amount of downtime allowable after a disaster.

5. Testing and optimization: The recovery team should continually test and update its
strategy to address ever-evolving threats and business needs. By continually ensuring that
a company is ready to face the worst-case scenarios in disaster situations, it can
successfully navigate such challenges. In planning how to respond to a cyber-attack

How to build a disaster recovery team

Whether creating a disaster recovery strategy from scratch or improving an existing plan,
assembling the right collaborative team of experts is a critical first step.

It starts with tapping IT specialists and other key individuals to provide leadership over the
following key areas in the event of a disaster:

• Crisis management: This leadership role commences recovery plans, coordinates efforts
throughout the recovery process, and resolves problems or delays that emerge.
• Business continuity: The expert overseeing this ensures that the recovery plan aligns
with the company’s business needs, based on the business impact analysis.
• Impact assessment and recovery: The team responsible for this area of recovery has
technical expertise in IT infrastructure including servers, storage, databases and
networks.
• IT applications: This role monitors which application activities should be implemented
based on a restorative plan. Tasks include application integrations, application settings
and configuration, and data consistency.

While not necessarily part of the IT department, the following roles should also be assigned to
any disaster recovery plan:

• Executive management: The executive team will need to approve the strategy, policies
and budget related to the disaster recovery plan, plus provide input if obstacles arise.
• Critical business units: A representative from each business unit will ideally provide
feedback on disaster recovery planning so that their specific concerns are addressed.

Types of disasters can include:

1) Natural disasters (for example, earthquakes, floods, tornados, hurricanes, or wildfires)
2) Pandemics and epidemics
3) Cyber attacks (for example, malware, DDoS, and ransomware attacks)
4) Other intentional, human-caused threats such as terrorist or biochemical attacks
5) Technological hazards (for example, power outages, pipeline explosions, and
transportation accidents)
6) Machine and hardware failure

How disaster recovery works

Disaster recovery relies on having a solid plan to get critical applications and infrastructure up
and running after an outage—ideally within minutes.

An effective DR plan addresses three different elements for recovery:

• Preventive: Ensuring your systems are as secure and reliable as possible, using tools and
techniques to prevent a disaster from occurring in the first place. This may include backing up
critical data or continuously monitoring environments for configuration errors and compliance
violations.

• Detective: For rapid recovery, you’ll need to know when a response is necessary. These
measures focus on detecting or discovering unwanted events as they happen in real time.

• Corrective: These measures are aimed at planning for potential DR scenarios, ensuring backup
operations to reduce impact, and putting recovery procedures into action to restore data and
systems quickly when the time comes.

Benefits of disaster recovery

Stronger business continuity
Every second counts when your business goes offline, impacting productivity, customer
experience, and your company’s reputation. Disaster recovery helps safeguard critical business
operations by ensuring they can recover with minimal or no interruption.
Enhanced security
DR plans use data backup and other procedures that strengthen your security posture and limit
the impact of attacks and other security risks. For example, cloud-based disaster recovery
solutions offer built-in security capabilities, such as advanced encryption, identity and access
management, and organizational policy.
Faster recovery
Disaster recovery solutions make restoring your data and workloads easier so you can get
business operations back online quickly after a catastrophic event. DR plans leverage data
replication and often rely on automated recovery to minimize downtime and data loss.
Reduced recovery costs
The monetary impacts of a disaster event can be significant, ranging from loss of business and
productivity to data privacy penalties to ransoms. With disaster recovery, you can avoid, or at
least minimize, some of these costs. Cloud DR processes can also reduce the operating costs of
running and maintaining a secondary location.
High availability
Many cloud-based services come with high availability (HA) features that can support your
DR strategy. HA capabilities help ensure an agreed level of performance and offer built-in
redundancy and automatic failover, protecting data against equipment failure and other
smaller-scale events that may impact data availability.
Better compliance
DR planning supports compliance requirements by considering potential risks and defining a
set of specific procedures and protections for your data and workloads in the event of a
disaster. This usually includes strong data backup practices, DR sites, and regularly testing
your DR plan to ensure that your organization is prepared.

Benefits of disaster recovery software

No organization can afford to ignore disaster recovery. The two most important benefits of
having a disaster plan in place, including effective DR software, are:
• Cost savings: Planning for potential disruptive events can save businesses hundreds of
thousands of dollars and even mean the difference between a company surviving a
natural disaster or folding.
• Faster recovery: Depending on the disaster recovery strategy and the types of disaster
recovery tools used, businesses can get up and running much faster after a disaster, or
even continue operations as if nothing had happened.
