IT Security Management Procedures

Introduction

IT security is the implementation of security measures, chosen according to an organization's security needs, in order to protect the organization's different types of assets.

IT security management is the set of procedures put in place to prevent, detect and recover from threats that attempt to obtain information from a system.

The security mechanisms of ITSM are:

  • Prevent
  • Detect
  • Recover

The 3 main cores of ITSM are:

  • Confidentiality
  • Integrity
  • Availability

There are 2 other cores that are not discussed as much; these are:

  • Accountability
  • Authentication

Task 1 a – Types of security risks

Identify types of security risks to organizations; you should include examples from a range of different categories of threats.

Evaluate the types of security risk to organizations, detailing which are more likely to occur and what the potential consequences to an organization are.

You should support your description with accurate, up-to-date information from reputable sources.

Introduction

A risk is a situation that involves exposure to danger, and a threat is a person who is likely to cause that danger. In other words, the person carrying out the malicious acts is the threat.

There are 4 types of threats, which are:

Internal Threats

Research conducted by the US Computer Emergency Response Team (CERT) estimated that up to 40% of IT security threats are perpetrated from within the company.

  • Downloading and executing malicious content: this is the most common threat to security and happens when employees visit malicious websites or download malicious content, either knowingly or unknowingly.
  • Network attacks: research concluded that these attacks are often carried out by system administrators with privileged access to the network. Who better to attack the system than the very people who manage it?
  • Information theft: employees can steal information directly from machines using USB drives and/or digital cameras and walk right out of the front door. This is a serious threat because it is often difficult to notice that any data has been leaked.

Edward Snowden

Edward Snowden, also known as the NSA whistleblower, was a former CIA employee who worked for the government of the United States. In 2013 he stole sensitive information about global surveillance programs and leaked it online, which caused mass panic around the world.

Figure 1 – Edward Snowden

Source: https://en.wikipedia.org/wiki/Edward_Snowden

External threats

As the name suggests, these are threats originating from outside the organization. These threats are difficult to foresee, which makes them difficult to counter.

  • Espionage: during the Cold War, Russia had the upper hand on everything the United States was doing because it had a spy infiltrate the country. Today, espionage is uncommon between countries but common among corporations. Once infiltrated, the attacker has access to sensitive data.
  • Terrorist threats: these are rare incidents but cause unforeseeable damage to organizations. The actual damage done is only known after the incident has been resolved.
  • Destruction: in 2003, a teenager wrote a computer worm without any specific target and released it onto the internet. The worm spread like wildfire and caused nationwide panic. It destroyed power lines and delayed air traffic.

Stuxnet

Stuxnet is a malicious computer worm, detected in 2010, that targeted Iran's nuclear program. It was the first cyber-attack in history aimed directly at the underlying infrastructure of a country. Speculation arose that the worm could have been a collaborative effort between America and Israel, but neither country took responsibility. The worm infected Programmable Logic Controllers (PLCs), either increasing the speed of the centrifuges so that they overheated or decreasing it so that they collapsed completely.

Figure 2 – Siemens PLC CPU

Source: https://en.wikipedia.org/wiki/Stuxnet

Physical threats

Physical threats are another form of unpredictable threat, such as fires, theft or natural disasters. Nonetheless, they are capable of doing serious damage to information systems.

  • Theft or burglary: these are common when the physical security of the organization is weak. Attackers can break in, physically steal sensitive information and also damage the infrastructure, rendering the data irrecoverable.
  • Fires: the risk depends on the location of the organization and the infrastructure it contains. If the organization deals in flammable material such as diesel or petrol, it may be prone to fires.

Japan earthquake

In 2011, the north-east coast of Japan was hit by an earthquake of magnitude 9.0. It left only destruction along its path. The aftermath of the incident left companies such as Toshiba and Sony damaged by the loss of sensitive data. This affected not only Japan but all countries that have corporate relations with it. Despite this, it was difficult to estimate the exact loss of data incurred during the incident.

Figure 3 – Burning oil refinery in Japan after the quake

Source: http://www.nytimes.com/2011/03/12/business/global/12yen.html?mcubz=3

Social Engineering

Social engineering is the art of deceiving and manipulating people in order to have them disclose confidential information. The information sought includes, but is not limited to, banking data, passwords and full control of root systems.

Why use social engineering?

When it comes to security, it is all about who and what to trust. It is much easier to coerce someone into giving up their password than to try to crack it. People are more comfortable visiting malicious websites when asked to by a friend or coworker.

Commonly used social engineering attacks

Emails from acquaintances

When a person with malicious intent successfully compromises any one person's email account in a company or institution, they can use the contact list to send malicious emails to the contacts. The recipients are deceived into thinking that the email is from an acquaintance when in reality it is controlled by the hacker.

Emails with attachments

These emails contain some form of link or file that the user is coerced into visiting or downloading. They prey on the curiosity of the human mind and are the method most commonly used by hackers.

Phishing

This is one of the easiest ways to gain access to sensitive data, although not the best if the targets are well trained. The idea is to create a look-alike website and send a link to the victim, either through email or by other means. The victim is deceived into believing that the website is legitimate and, once sensitive data is entered, the attacker gains access to it.

Figure 4 – Phishing

Source: https://ucldigifest.org/course/phishing-and-social-engineering/

Worms

A worm is a type of self-replicating malware. Worms do not alter anything in your computer system; they are named worms because of their peculiar ability to creep from one computer to another within the network of the infected system.

Unlike viruses, worms do not attach themselves to an existing program; instead they have the ability to spread themselves through the network or through any external drives connected to the infected computer. They can also move automatically between machines connected to the same network as the infected machine. There are three types of worms: email worms, instant messaging worms and file-sharing network worms.

What makes them dangerous is that they do not require human interaction to spread and execute themselves on victim machines. They rely on vulnerabilities in either the operating system or unpatched software on the victim machine.

Figure 5 – Worms

Source: https://www.certificationkits.com/cisco-certification/ccna-security-certification-topics/ccna-security-describe-security-threats/ccna-security-worm-virus-and-trojan-horse-attacks/

Trojans

This is one of the most complicated threats of all. Unlike a virus, a Trojan is a program that is contained in or installed by another malicious program. Sometimes a Trojan horse is called a payload. Most of the popular threats in banking come from the Trojan family, such as Zeus and SpyEye.

A Trojan has the ability to hide itself from antivirus detection, which helps it steal important data easily. If the Trojan is extremely powerful, it can also take over the entire security system; this may result in many types of damage, ranging from your own computer to your online accounts.

Figure 6 – Trojans

Source: http://hackerdeepakbhardwaj.blogspot.co.ke/2014/03/how-to-protect-your-website-from.html

Botnets

A botnet is installed by a BotMaster/BotHerder in order to take control of all the workstations that carry the botnet infection. A botnet is a group of workstations that are all connected to the internet and have been compromised by a virus or a Trojan horse. An individual workstation is known as a zombie computer.

The zombie workstations are all under the command of the BotMaster and perform the activities instructed by the master. For example, the zombie workstations can distribute spam to the email contact addresses and grow sufficiently large in number. The botnet can then be used to target websites in a DOS attack and bring down web servers. Google and Twitter have both been victims of DOS attacks.

Figure 7 – Botnets

Source: http://news.bbc.co.uk/2/hi/technology/8010729.stm

Keyloggers

A keylogger is usually a sub-function of a Trojan horse which keeps track of every key you press on the keyboard. It is a powerful threat that is usually used to obtain or steal login credentials such as users' usernames and passwords.

Figure 8 – Keyloggers

Source: https://www.lastline.com/labsblog/detecting-keyloggers-on-dynamic-analysis-systems/

Malware

This is a general term used to describe the many types of software that can harm your computer system.

Figure 9 – Malware

Source: https://securityintelligence.com/mobile-malware-why-fraudsters-are-two-steps-ahead/

Denial of Service (DOS) / Distributed Denial of Service (DDOS)

DOS and DDOS attacks are very easy to launch against a computer. The DOS makes a connection to a service port and sends requests to the computer. If a computer can handle 20 requests per second, the DOS sends 50 requests per second, and the host computer becomes unable to tell the difference between the fake requests and real user requests.

Figure 10 – DOS / DDOS

Source: https://security.stackexchange.com/questions/48539/how-does-a-distributed-denial-of-service-attack-work

Scareware

This is basically a trick planted on your system that informs you that you have many infections which are not actually there, and pushes you to buy a useless anti-malware program which claims that all threats have been eliminated even though there were none. It is used to scam people out of money by scaring them into buying the anti-malware program.

Figure 11 – Scareware

Source: https://slcc.service-now.com/help/kb_view.do?sysparm_article=KB0010584

Spamming

Spamming is also known as IP spoofing: the attacker pretends to be an IP address of a specific network and creates the illusion of being a valid IP address by creating IP packets that are disguised as genuine, with the intention of harming the actual owner of that IP address in the network. The IP

Figure 12 – Spam

Source: http://blog.analytics-toolkit.com/2015/guide-referrer-spam-google-analytics/

Exploits

This is a form of software that has been programmed to attack a specific vulnerability in a system. For example, if a browser has a vulnerability such as an out-of-date Flash plugin, then an exploit can work against the browser and the plugin.

Figure 13 – Ransomware

Source: https://blog.barkly.com/how-ransomware-infects-computers

Cookies

Cookies are used by most websites; a cookie stores data on your computer so that the website can keep track of the activities performed within it.

Figure 14 – Cookies

Source: https://catalog.flatworldknowledge.com/bookhub/5227?e=collins-ch15_s06

Virus

Viruses were really popular 10 years ago. A virus is a malicious program that replicates itself and only destroys a computer. Viruses were made only to destroy the computer system beyond repair or leave it unable to operate properly.

Today the virus is used by only a few individuals. A virus can be used to destroy your data, but it usually needs a human/host to spread it from one system to another, even if the user is unaware that they are spreading it.

Figure 15 – Virus

Spyware

Spyware is a type of malware designed to spy on the computer it has infected. Once your machine is infected by spyware, it keeps track of the activities performed by the user and finds a way to contact its host. Knowing all your activity, the host of the spyware then runs scams to cheat you out of money. The most common spyware programs are Gator, Bonzi Buddy, 180 Solutions, XXXDial, Euniverse, CoolWeb Search, Cydoor, Xupiter and many others.

Figure 16 – Spyware

Source: https://www.cs.bham.ac.uk/~mdr/teaching/modules03/security/students/SS1/handout/handout.html

Adware

This is a threat in which the computer starts showing a lot of pop-up advertisements. The adware earns its host some money whenever the pop-ups appear on the infected machine. It is not a really harmful threat, but it can be pretty annoying. Adware is embedded into software without the machine's user being aware of it, and is mainly used in software that is distributed for free. The advertisement is a working interface and can often gather and transfer the user's personal information to a distributor.

Figure 17 – Adware

Source: https://blog.stopad.io/2017/08/31/what-to-do-if-your-ad-blocker-isnt-blocking-ads/

Browser hijackers

This uses a Trojan horse to take control of a victim's browsing session. The threat can be extremely dangerous, especially when the victim is sending money via an online banking account, because this is the perfect time for the hijacker to change the destination bank account and even the amount being sent.

Mouse trapping

Mousetrapping is malware that traps your web browser on a particular website. No matter what you do, it opens only that website: if you go forward, go back, type in another website or even restart the browser, you are redirected to that website.

SQL Injection

SQL injection is malicious code made specifically to target a SQL server or database in order to obtain the valuable information stored in it. It is an unauthorized access attack aimed at obtaining valuable information.

Figure 18 – SQL Injection

Source: https://www.w3resource.com/sql/sql-injection/sql-injection.php

Man-in-the-middle

The man-in-the-middle is among the most dreadful threats: an intrusion established on an independent connection whereby both sender and receiver are affected. All messages are intercepted and modified, and it takes place so smoothly that neither individual is aware that someone is overhearing the conversation. This can also expose the whole network to several other threats.

Figure 19 – Man-in-the-middle

Source: https://www.cs.uic.edu/~jbell/CourseNotes/OperatingSystems/15_Security.html

Rootkits

A rootkit is used to obtain administrator-level access to a computer or network with the collection of tools it contains. A rootkit can easily be installed by exploiting a vulnerability in an application, and it may contain spyware which is able to monitor and record all your keystrokes.

Ransomware or cryptoware

This is a new type of malware. It is installed on your system and starts making all your files unreadable. The host of this malware holds your entire data hostage until you pay the host a ransom for it. Ransomware can be delivered by a virus or worm, and there is no guarantee that the data will be restored after you pay the ransom.

WannaCry ransomware brief

Probably the most recent and devastating attack of 2017 was the WannaCry ransomware. This malware targeted machines running the Microsoft Windows operating system, encrypting data and demanding ransom payments in the Bitcoin currency¹. Although the vulnerability exploited by the malware was not a zero-day² flaw, it still affected several machines. It spread across the network without human interaction by exploiting the Server Message Block (SMB) port. The attacks could have been prevented by patching the SMB port. The estimated number of victim machines was up to 300,000 worldwide. In just a few days, essentials of daily life were interrupted, including but not limited to hospital equipment such as MRI scanners in Scotland and Wales.

  1. Worldwide cryptocurrency and digital payment system.
  2. Vulnerability in a machine that is not reported publicly.

Figure 20 – WannaCry screenshot after infecting victim machine

Source: https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#Impact

Task 1 b – Organizational Security Procedures

Evaluate organizational security procedures

You should write a report for a thorough risk analysis of the microfinance I.T. (systems, network, databases, web system, wireless system, etc.). You should refer to industry good practice and reference examples of procedures used elsewhere.

Introduction

The organizational security procedures are laid out to provide a secure platform for all users. To prevent most threats, the company's main procedures will be:

  • Install an antivirus, always keep it updated and run daily scans with it. Make sure you install an antivirus that is trusted, for example BitDefender, Norton or Kaspersky.
  • Turn on the firewall, always keep it updated and run daily scans on the computer with it.
  • Back up files daily.

Below are some ways to prevent some of the most common threats:

Email Threats

  • Block unnecessary or dangerous email attachments
  • Scan attachments before downloading
  • Keep a continuous monitoring, detection and threat hunting process.

Phishing

  • Set up a spam filter to assist in detecting viruses (can be done by the antivirus).
  • Download all system and software updates.
  • Set up a web filter to block malicious websites (can be done by the antivirus).
  • Encrypt all company data, whether it is sensitive or not.
  • Instruct all employees to encrypt their communications when telecommuting within the company.
  • Employees are always required to check the source of an incoming mail.
  • Set up a content filter to block any threats (can be done by the antivirus).
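The procedure above tells employees to check the source of an incoming mail. As an added example (not part of the original report), the following script automates two of the checks a mail gateway or a trained employee would make on a message from a supposed acquaintance: a sender domain that merely resembles the company's own domain, and a link whose visible text shows one site while its target is another. Both messages are constructed for the example, and the company domain `example-microfinance.com` is an assumption.

```python
"""Added example: two automated "check the source" tests for incoming mail.
Sample messages are constructed; the company domain is an assumption."""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

COMPANY_DOMAIN = "example-microfinance.com"  # assumed company domain

# Constructed phishing sample: look-alike sender domain, misleading link text.
PHISHING_MAIL = """\
From: "Jane Doe (Finance)" <jane.doe@example-microfinance-support.net>
To: staff@example-microfinance.com
Subject: Urgent: confirm your login
Content-Type: text/html

<html><body>
<p>Please sign in at
<a href="http://login-verify.example.net/auth">https://portal.example-microfinance.com/login</a>
today.</p>
</body></html>
"""

# Constructed legitimate sample: internal sender, link text is not a URL.
CLEAN_MAIL = """\
From: "IT Helpdesk" <helpdesk@example-microfinance.com>
To: staff@example-microfinance.com
Subject: Planned maintenance
Content-Type: text/html

<html><body>
<p>The <a href="https://portal.example-microfinance.com/">intranet</a> will be
offline on Saturday.</p>
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Lower-cased host of a URL; empty string if there is none."""
    host = urlparse(url).hostname
    return host.lower() if host else ""


def check_mail(raw):
    """Return a list of warnings for a raw message; an empty list means nothing found."""
    msg = message_from_string(raw)
    warnings = []

    # 1. Sender domain: an exact match is fine, a look-alike of it is not.
    _display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    company_label = COMPANY_DOMAIN.split(".")[0]
    if sender_domain != COMPANY_DOMAIN and company_label in sender_domain:
        warnings.append(f"sender domain '{sender_domain}' imitates '{COMPANY_DOMAIN}'")

    # 2. Links: visible text that is itself a URL must point at the same host.
    collector = _LinkCollector()
    collector.feed(msg.get_payload())
    for href, text in collector.links:
        if "://" in text and _host(text) != _host(href):
            warnings.append(f"link text shows '{_host(text)}' but goes to '{_host(href)}'")
    return warnings


if __name__ == "__main__":
    for label, mail in (("phishing", PHISHING_MAIL), ("clean", CLEAN_MAIL)):
        print(label, check_mail(mail) or "no warnings")
```

Run on the phishing sample it reports both the imitation domain and the mismatched link; on the clean sample it reports nothing. Only single-part HTML mails are handled here; a gateway would also walk multipart messages and check attachments, as the email-threat procedure above requires.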

Worms

  • Employees are always required to check the source of an incoming mail
  • Set up a spam filter to assist in detecting viruses (can be done by the antivirus).
  • Set up a web filter to block malicious websites (can be done by the antivirus).
  • Set up a content filter to block any threats (can be done by the antivirus).

Trojans

  • Only execute programs from a trusted source
  • Attachments with the extension .exe or .vbs should never be opened
  • Always scan all removable drives or other external drives before opening them.
  • Download all system and software updates.
  • Do not allow any programs to send out instant messages from applications.
  • Scan anything downloaded from the internet before using it.

Botnets

  • Do not click on any links that you are unsure about.
  • Make sure all software is up to date.

Keyloggers

  • Do not allow any user to download and install freeware onto the computers.
  • Set up a content filter to block any threats (can be done by the antivirus).
  • Install an intrusion detection system and monitor it (this is provided with a few of the antiviruses)
  • You can change your account to limited-user mode by:
    • Click on "Start"
    • Then choose "Control Panel"
    • Then double-click on "User Accounts"
    • Select "Create a New Account"
    • Name the new account
    • Click on "Next"
    • Choose "Limited" when asked for the account type
    • Then click "Create Account"

Malware

  • Use multiple strong passwords
  • Set up a URL filter to block any threats (can be done by the antivirus).
  • Manage the sites that users can visit and block sites that have malicious content.

DDOS/DOS

  • Configure the firewall to restrict the packets that enter and leave the server.
  • Get software to monitor all the packets received by the server, so that counterfeit packets can be detected.
  • Download all system and software updates.
  • Set up an email filter that filters out all emails carrying threats and discards them
  • Block unnecessary or dangerous email attachments
  • Scan attachments before downloading
  • Keep a continuous monitoring, detection and threat hunting process.
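The DOS description earlier on this page says a host that can handle 20 requests per second is swamped by a client sending 50, and the procedure above asks for software that monitors what the server receives. As an added example (not the report's own material), the following detector applies that idea to web server access logs: it counts requests per client address in a sliding one-second window and reports every address that exceeds the limit. The log lines are constructed for the example, in the Apache/nginx combined format with documentation IP ranges.

```python
"""Added example: per-client request-rate detection over access-log lines.
The log lines and the 20 requests/second limit from the report are the only
inputs; nothing here is the report's own code."""
import re
from collections import defaultdict, deque
from datetime import datetime

LIMIT_PER_SECOND = 20   # capacity figure used in the report's DOS example
WINDOW_SECONDS = 1.0

# Only the client address and timestamp fields are needed for rate counting.
LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "')
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def _lines(ip, ts_text, count):
    """Build `count` constructed log lines from `ip`, all stamped `ts_text`."""
    return [f'{ip} - - [{ts_text}] "GET /login HTTP/1.1" 200 512' for _ in range(count)]


# Constructed log: a normal client with a few requests around a flood of 50
# requests in one second from a single address.
SAMPLE_LOG = (
    _lines("198.51.100.4", "10/Oct/2017:13:55:35 +0000", 3)
    + _lines("203.0.113.7", "10/Oct/2017:13:55:36 +0000", 50)
    + _lines("198.51.100.4", "10/Oct/2017:13:55:37 +0000", 2)
)


def parse_line(line):
    """Return (client_ip, timestamp) for a log line, or None if it does not parse."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FORMAT)


def detect_floods(lines, limit=LIMIT_PER_SECOND, window=WINDOW_SECONDS):
    """Return {ip: peak requests seen inside one window} for clients over `limit`.

    Lines must be in chronological order per client, as a live log is.
    """
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    offenders = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:        # skip malformed lines rather than stop monitoring
            continue
        ip, ts = parsed
        q = recent[ip]
        q.append(ts)
        # Drop timestamps that are a full window or older than this request.
        while (ts - q[0]).total_seconds() >= window:
            q.popleft()
        if len(q) > limit:
            offenders[ip] = max(offenders.get(ip, 0), len(q))
    return offenders


if __name__ == "__main__":
    for ip, peak in detect_floods(SAMPLE_LOG).items():
        print(f"{ip}: {peak} requests in {WINDOW_SECONDS:.0f}s (limit {LIMIT_PER_SECOND})")
```

On the sample log the normal client never holds more than 3 requests in a window, while the flooding address peaks at 50 and is reported. Against a distributed attack the per-address count stays low by design, which is why the procedure also relies on the firewall and an upstream filter rather than on this check alone.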

Scareware

  • Be careful and certain when going through a site; some sites have fake message boxes that will trick you into installing the threat. Ignore them, and if the antivirus has already seen the threat, it will easily dismiss it and will not let it into your computer.
  • Do not pay any amount for software that you are unsure about.
  • Go to a site that specializes in removing malware, for example https://forums.malwarebytes.com. On this site there are volunteers who have been trained in recognizing and removing malware. The volunteers will guide you step by step on what to do, including which scans need to be done and which software programs can be downloaded to successfully remove scareware.

Spamming (IP Spoofing)

  • Do not give out your email address online
  • Make sure your username and email address are different
  • Never respond to spam. Block the spam and report it.
  • Use an Access Control List (ACL) to help prevent falsified IP addresses from entering.

Exploits

To avoid an exploit, software must be kept up to date so that all patches are applied and the vulnerabilities are fixed.

Cookies

A cookie can easily be rejected by the browser you are using, which prevents it from being stored at all.

Virus

  • Do not download attachments that you are unsure about.
  • Before downloading or installing an application, use your antivirus to scan it.
  • When using external storage devices like flash drives, scan all of them before opening them.

Spyware

  • Do not click on links in pop-up windows, because almost 95% of such links lead to spyware. By clicking on the link, you are allowing the spyware to be installed onto your machine.

Adware

  • If you have any applications that come with pop-up ads, uninstall them.
  • If you are using a browser, you can change its settings to block pop-ups from opening by themselves:
    • Click on "Settings"
    • Then click on "Websites"
    • There will be a heading "Pop-ups"
    • Select "Do not allow any site to show pop-ups (recommended)"

Figure 21 – Pop Up prevention


To make sure that you do not have any adware, you can use the following tools:

Browse Hijacking

  • Always make sure your operating system and browser are up to date
  • Use safe browsing programs like Google Chrome or Mozilla Firefox. When Google Chrome's safe browsing feature is in use, the browser shows a warning for malicious sites.
  • Disable JavaScript in the browser.
  • If you are not sure about a link, do not click it.

Mouse trapping

You cannot get out of this threat unless you remove the browser containing it.

SQL Injection

  • Limit database privileges by creating multiple database user accounts, each with the minimum level of privileges needed for its use
  • Avoid constructing SQL queries from user input
  • All unnecessary database capabilities should be removed
  • Apply all software patches
  • Continuously monitor the SQL statements sent to and from any application connected to the database.
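Two of the items above, "avoid constructing SQL queries from user input" and "monitor the SQL statements", are easier to see in code. The following is an added example, not code from the report: it uses Python's built-in sqlite3 with an in-memory table of constructed customer records, so it runs offline, and shows a lookup written the vulnerable way beside the parameterised version, with every executed statement captured in an audit list. The table and column names are assumptions for the example.

```python
"""Added example: vulnerable string-built query beside a parameterised one,
plus a statement trace for monitoring. Table, columns and rows are constructed."""
import sqlite3


def make_db(audit_log=None):
    """Create an in-memory database with constructed rows.

    If `audit_log` (a list) is given, every statement SQLite executes is
    appended to it: a minimal form of the statement monitoring listed above.
    """
    conn = sqlite3.connect(":memory:")
    if audit_log is not None:
        conn.set_trace_callback(audit_log.append)
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, account_no TEXT)")
    conn.executemany(
        "INSERT INTO customers (name, account_no) VALUES (?, ?)",
        [("alice", "MF-0001"), ("bob", "MF-0002"), ("carol", "MF-0003")],
    )
    return conn


def lookup_unsafe(conn, name):
    """VULNERABLE: user input is pasted into the SQL text, so an input that
    contains a quote changes the query itself."""
    sql = "SELECT name, account_no FROM customers WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """HARDENED: a parameterised query. The value travels separately from the
    SQL text and is never parsed as SQL, whatever characters it contains."""
    return conn.execute(
        "SELECT name, account_no FROM customers WHERE name = ?", (name,)
    ).fetchall()


def demonstrate():
    """Run both lookups with a normal name and with a quote-breaking input."""
    log = []
    conn = make_db(log)
    normal, hostile = "alice", "x' OR '1'='1"
    results = {
        "unsafe_normal": lookup_unsafe(conn, normal),
        "unsafe_hostile": lookup_unsafe(conn, hostile),   # every row comes back
        "safe_normal": lookup_safe(conn, normal),
        "safe_hostile": lookup_safe(conn, hostile),       # matches nothing
        "statements_logged": len(log),                    # what a monitor would see
    }
    conn.close()
    return results


if __name__ == "__main__":
    for key, value in demonstrate().items():
        print(f"{key}: {value}")
```

With the hostile input the string-built query returns all three customers, while the parameterised query returns none, because the driver treats the whole string as a name to compare against. The trace list is what a monitoring tool would inspect: a `WHERE name = 'x' OR '1'='1'` clause appearing in it is exactly the kind of statement the last item above wants noticed.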

Man-in-the-middle

  • Use public key encryption to send anything
  • Set up strong passwords
  • Set up high-level secret keys to strengthen mutual authentication
  • Use time-testing techniques such as latency examination. If a mail takes 20 seconds to be delivered from the sender's end, then the delivery time should not exceed 60 seconds; if it does, there is an attacker.

Rootkits

  • Use anti-spyware programs like Windows Defender or SpywareBlaster (some antiviruses include one)
  • Use ad blockers like Ghostery or an adware blocker. Most web browsers have built-in anti-phishing tools that can be turned on.
  • Always make sure your operating system and applications are up to date

Ransomware

  • When opening attachments, scan them first
  • Show all hidden file extensions
  • If you get an email with an .EXE attachment, scan it with the antivirus
  • Disable any file that runs from the Local App Data or App Data folders.
  • Disable RDP and use a CryptoLocker prevention kit
  • Always make sure your operating system and applications are up to date
  • When you detect ransomware on your machine, immediately unplug the network cable
  • Use System Restore to go back to a state where there is no ransomware, by setting the BIOS clock back.

Securing the system

  • Choose an OS with:
    • More security
    • Fewer vulnerabilities
    • Limited user accounts with file permissions in place
    • Regular updates and patches
    • Software and system updates applied immediately
  • Choose a browser with:
    • More security
    • Fewer vulnerabilities
    • Scripts disabled
    • Independent computer security analysts and crackers say that Google Chrome is a safe and secure browser because of its sandbox feature.
  • Always set a strong password
  • Only download data from trusted and reputable sources
  • Do not install any software without scanning it.
  • Use a good antivirus, because today's antiviruses are programmed to detect, prevent and resolve malware, keyloggers, viruses, Trojans, rootkits and worms. Use one of the following antiviruses:
  • Keep your antivirus up to date and have it scan your computer daily.
  • Download and install a firewall, or use the firewall provided by Windows or your antivirus
  • Disconnect all ports so that hackers are not able to use them to spread threats.

Securing the network

  • Install an antivirus, always keep it updated and run daily scans with it. Make sure you install an antivirus that is trusted, for example BitDefender, Norton or Kaspersky.
  • Turn on the firewall, always keep it updated and run daily scans on the computer with it.
  • Back up files daily.
  • Set up an intrusion detection system that continuously monitors network and/or system activity for anything suspicious and produces reports.
  • Use IP security (IPsec). IPsec is a protocol that authenticates and encrypts each and every IP packet in a session. It establishes mutual authentication between 2 agents at the beginning of the session and uses cryptographic keys during the session.
  • Use a packet sniffer on every computer. A packet sniffer captures the packets of data that pass through a given network. By default it captures only packets meant for the machine it runs on; there is a setting, promiscuous mode, in which the sniffer captures all packets traversing the network regardless of their destination.

Securing the database

The best ways to protect the database are:

  • The database and the web server should be separated; separating them makes the setup more complicated to break into, which helps secure company data.
  • Stored files should be encrypted
  • The backups are encrypted
  • Web application firewalls can be implemented
  • Patches and updates for all software are applied
  • The use of 3rd-party applications is minimized, or no 3rd-party applications are used unless they are trusted and verified
  • Servers are not shared
  • All security controls are always enabled.

Securing the web system

  • Implement 2 servers, one for internal applications and the other for external applications
  • When testing and debugging an application, use a separate server
  • Website activity should be audited and the logs stored in a secure location
  • All developers are educated in sound secure coding practices
  • The operating system and web server should be up to date at all times
  • Application scanners are used.

Securing the wireless system

  • Encryption is activated
  • Firewalls are on in all servers and endpoint devices
  • Guest networks are turned off
  • A VPN is used
  • Router firmware is always up-to-date
  • Wi-Fi protected setup is turned off
  • MAC Addresses are filtered
  • Network access control is used
  • Web content and/or applications are filtered

Task 2 a – Risk assessment

Discuss risk assessment procedures

You should explain what risk assessment is, its importance, why organizations need to carry it out, and the steps/procedures followed when carrying out a risk assessment.

Introduction

Risk assessment is the process whereby the hazards or negative impacts that affect a company are identified. The assessment gives an in-depth analysis of how much damage each risk can do to the company and how to reduce the impact on the company's operations.

Importance of risk assessment

Risk assessment has become an important process in computing because it forms an integral part of the company's health and safety plan. Risk assessment assists in:

  • Creating or developing an awareness of the risks, hazards and/or threats to a company
  • Identifying who or which asset will be at risk
  • Deciding whether the company has the control measures in place that are required for a particular hazard.
  • Deciding whether the existing control programs are sufficient or more controls are required
  • Preventing injuries or illnesses, when all of this is done at the design/planning stage
  • Prioritizing hazards and putting control measures in place accordingly
  • Meeting legal requirements wherever applicable.

Why do a risk assessment?

In todays world a risk assessment has become a necessary tool for a company. The risk assessment ensures the safety of all assets of the company in case of any danger around the place. The risk assessment will ensure that almost all hazards have a control measure in place.

For example, in case a fire breaks out in the company, the company already has a control measure on how to evacuate the building and has a fire point to ensure that everyone from inside is safe. The fire department request companies and individuals to do fire drills to train all the people of the company to be able to evaluate calmly and in an orderly manner and each company is required to have fire Marshalls (are trained to put out fires and assist others in case of a fire, they wear a neon vest on top that stands out and helps evacuate everyone on time), fire extinguishers and other control measures are taken.

Just like the example above, the company has to keep control measures for all hazards that have been identified, in case any of them arises in the near future. This makes a risk assessment a very crucial step to take in order to keep all assets safe in case of a threat.

The process of risk assessment

There is a risk assessment framework that makes it very easy for a company to prioritize its assets and keep records of all assessments. The risk assessment is done according to the type of business and industry the company falls under, and the applicable compliance laws are considered as well. But the risk assessment stages remain similar and can be followed for almost all types of businesses.

Figure 22 – Risk Assessment (RM & ISMS)

Source: https://www.enisa.europa.eu/topics/threat-risk-management/risk-management/current-risk/risk-management-inventory/rm-isms

The main questions asked during a risk assessment are:

  • What would be harmed in the organization?
  • How bad would it be?
  • How can it be prevented?

The main aims of a risk assessment are:

  • To identify almost all threats
  • To determine the risk the threats cause
  • Develop mitigation, transfer or acceptance of each threat
  • Assist in protecting the company and the company assets
  • Make sure the company leaders make the correct decisions.

Stage 1 – identify threats, risks and vulnerabilities

Stage 1 of the risk assessment is about the different types of negative impact that can affect the company. To determine the negative impacts, the following things are done:

  1. Asset characterization – these are the assets that are going to be affected by the negative impact, which are:
    1. People
    2. Property
    3. Reputation
    4. Property information / data
  2. Criticality analysis – used to understand which assets are critical; this is mission related. It describes the assets, where they are located and which type of asset they fall under, and assigns a numerical, relative value to each asset.
  3. Threat identification – this is where almost all threats are identified and categorized.
  4. Consequence analysis – this is where the consequences of the threat / hazard are worked out: which losses can occur (human life, property, property information and the reputation of the company) and how these can impact the environment and the economy.
  5. Vulnerability analysis – there are 3 steps to the vulnerability analysis: first define the vulnerability, then evaluate it, and identify what it affects.
  6. Probability assessment – this is where the probability of each vulnerability is estimated based on historic data and statistics.

A risk is assessed and prioritized, then managed.
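The Stage 1 steps above (criticality analysis, consequence analysis, probability assessment, prioritization) can be carried out as a small risk register. The following Python is an added worked example, not part of the original assignment or of the ENISA framework shown in Figure 22: assets carry a relative criticality value, each threat against an asset carries a likelihood and a consequence rating, and the register ranks the resulting risks so the highest ones are managed first. The 1-5 scales, the band thresholds, and every asset, threat and score are constructed sample values.

```python
"""Added worked example: a minimal risk register for Stage 1 (identify, score, prioritize).

All assets, threats, ratings and thresholds below are constructed for the example;
they are not taken from the assignment or from any real assessment.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    category: str       # People / Property / Reputation / Property information
    criticality: int    # relative value from the criticality analysis, 1 (low) to 5 (high)


@dataclass(frozen=True)
class Threat:
    asset: Asset
    description: str
    likelihood: int     # probability assessment, 1 (rare) to 5 (almost certain)
    consequence: int    # consequence analysis, 1 (negligible) to 5 (severe)
    vulnerability: str  # what the vulnerability analysis found


def risk_score(threat: Threat) -> int:
    """Risk = likelihood x consequence, weighted by how critical the affected asset is.

    Each rating is validated against the 1-5 scale so that a typo in the register
    (a 0 or a 6) is rejected instead of silently distorting the ranking.
    """
    for value in (threat.likelihood, threat.consequence, threat.asset.criticality):
        if not 1 <= value <= 5:
            raise ValueError("ratings must be on the 1-5 scale")
    return threat.likelihood * threat.consequence * threat.asset.criticality


def risk_level(score: int) -> str:
    """Map a numeric score (max 125) onto bands the company acts on (assumed thresholds)."""
    if score >= 60:
        return "critical"
    if score >= 30:
        return "high"
    if score >= 12:
        return "medium"
    return "low"


def prioritise(threats: List[Threat]) -> List[Tuple[int, str, Threat]]:
    """Score every threat and return them highest risk first."""
    scored = [(risk_score(t), risk_level(risk_score(t)), t) for t in threats]
    scored.sort(key=lambda item: item[0], reverse=True)
    return scored


def sample_register() -> List[Threat]:
    """Constructed sample data: four threats against three assets."""
    customer_db = Asset("Customer database", "Property information", criticality=5)
    file_server = Asset("Office file server", "Property", criticality=3)
    staff = Asset("Staff", "People", criticality=5)
    return [
        Threat(customer_db, "Malware downloaded by an employee", 4, 4,
               "No web filtering on workstations"),
        Threat(file_server, "Hardware failure", 3, 3,
               "Single disk, no spare"),
        Threat(staff, "Fire in the building", 1, 5,
               "Fire drill not run this year"),
        Threat(customer_db, "Insider copies data to a USB drive", 2, 4,
               "USB ports not restricted"),
    ]


if __name__ == "__main__":
    for score, level, threat in prioritise(sample_register()):
        print(f"{score:3d} {level:8s} {threat.asset.name}: {threat.description}"
              f" (vulnerability: {threat.vulnerability})")
```

Running the block prints the register in priority order: the malware threat to the customer database scores 80 (critical), the insider USB threat 40 (high), hardware failure 27 and fire 25 (both medium). The ordering is the point: a rare but severe event (fire) ranks below a likely, moderately damaging one against a critical asset, which is exactly what the probability and criticality steps are meant to surface before countermeasures are chosen in Stage 2.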

Stage 2 – risk evaluation

This is the stage in which we discuss the ways in which we can prevent or protect assets from the threats and hazards listed above.

  1. Countermeasures – different countermeasures are devised so that it is known which options can be used in case of a disaster.
    1. Mitigation opportunities – provide safety and security, and develop policies as well
    2. Enforcement
    3. Costs
  2. Safety – in case of any threat or hazard, how will the assets of the company be kept safe?
    1. Safety – which places are safe for a specific threat, and which is the safest location in the whole building.
    2. Safety – which assets need to be kept safely or be provided with safety.
    3. Security – which assets need to be kept in a secure location after working hours.
    4. Policy development and implementation – a policy can be created according to the company's requirements, and this assists in keeping the company running.

Task 2 b – Data Protection Processes and Regulations

Evaluate data protection processes and regulation as applicable to an organization

Comment on legislation and best practice guidelines that will affect the choice of data protection processes, and explain their importance in determining the processes that will be adopted

Introduction

Data protection is when the data of an organization is protected and legal controls exist on access to that data.

ICT Legislation

ICT legislation addresses computer crime, a growing industry that causes a lot of money to be lost yearly through computer misuse and fraud. Legislation is a law that has been passed by the government.

The purposes of ICT legislation are: to protect the confidentiality of information stored about an individual; to provide ways for people to seek court action if their rights have been violated; to minimize the effect of exposure to uncensored material; and to observe copyright for those who create software.

An ICT policy outlines how the ICT strategy will be put into operation.

What is the impact of legislation on these policies? Legislation affects the content of ICT policies. For example, the writing of the security policy is affected by the Computer Misuse Act, and the acceptable use policy is affected by the Health and Safety Act.

Data Protection Act 1998

This act was implemented under the EU Directive to protect anyone who processes personal data. The Data Protection Act 1998 replaced the UK Data Protection Act 1984. The main purpose of this regulation is to control the path of the information and how it is handled. It gives individuals legal rights regarding the storage of their personal information. The act has 8 principles for controlling the storage and processing of personal data, which are:

  1. The data must be collected and used fairly and within the law.
  2. The reasons given to the Information Commissioner must be upheld, and the data can only be used according to those reasons.
  3. The purposes of the data need to be registered with the law and disclosed only to the personnel that have been registered for accessing that information / data. The data / information cannot be sold or shared unless it was stated from the beginning that it would be sold or shared.
  4. Depending on what is in the registered entry, the information has to be relevant, not excessive and on point. This makes sure that the individual has the specific amount of information needed to do the job, and not too much unnecessary, unrequired information.
  5. The information held must be kept up to date in case of any emergency. For example, if someone changes their phone number, the stored phone number needs to be updated.
  6. Information cannot be stored for long periods. For example, if a customer closes an account, the customer's information needs to be deleted as it becomes void and unnecessary for the company.
  7. The data within the system needs to be kept very safe and secure. The data must be backed up and kept away from unauthorised access; otherwise the stored data could fall into the wrong hands, where it can be opened, viewed and shared with anyone.
  8. If data needs to be transferred outside the EU, then the country receiving the data is required to have a suitable data protection law. Because of this, the majority of countries worldwide have come up with similar data protection laws, which enable them to host data centres.