Lo3 Security

This document outlines steps for performing an IT risk assessment, including identifying important assets, threats, and vulnerabilities. It discusses natural disasters, system failures, accidental or malicious human interference as potential threats. The need for data protection and privacy is also covered. Key principles of an effective data protection system include fairness, limiting data use to the original purpose, and ensuring accuracy of information. The document also provides an overview of the ISO 31000 risk management standard, which involves identifying, analyzing, assessing and treating risks.

Table of Contents

2 RISK ASSESSMENT
3 Identify and Prioritize Properties
4 Identify Threats
4.1 Natural Disaster
4.2 System Failures
4.3 Accidental human interference
4.4 Malicious behaviour
4.4.1 Interference
4.4.2 Interception
4.4.3 Impersonation
5 Identify the vulnerabilities
6 Data protection
6.1 The need for data protection
6.1.1 Example
7 The right to privacy
8 Data protection system
8.1 Fairness, legitimacy, and transparency
8.2 Purpose Limit
8.3 Accuracy
9 ISO 31000 Risk Management
9.1 Risk identification
9.2 Risk analysis
9.3 Risk assessment
9.4 Risk treatment
2 RISK ASSESSMENT
In an organization, understanding cybersecurity means managing and controlling the organization's risks and
critical assets. Some important tasks should be covered before starting an IT security risk assessment:
reviewing the organization's information technology assets, reviewing the threats that affect the functionality
of the organization's business, and identifying the top five business processes that use and require this
information.
Risk assessment elements lie in the relationship between three factors: the assets, the threats to them, and
the vulnerabilities through which those threats can act. For example, suppose you want to explore the danger
posed by the threat of hackers compromising a certain system. To identify any risk for an organization, the
steps of an IT risk assessment described below should be followed.

3 Identify and Prioritize Properties


Assets include servers, customer contact details, sensitive partner documents, trade secrets and more.
Remember, what you as an expert think is important may not be the most important thing for the business.
Therefore, you need to work with business users and managers to create a list of all important assets.
For each asset, include the following information, as applicable:

Software
Computer hardware
Data
Interfaces

4 Identify Threats
4.1 Natural Disaster
Natural disasters are all the disasters created by nature, like floods, hurricanes, fires and earthquakes,
that can destroy all data, servers and appliances. There should be a good plan for where the server room is
located, and the threat of natural disasters must be taken into consideration when deciding this.

4.2 System Failures


This depends on the devices and systems used. For example, if an old system or old computers are used, the
probability of failure is higher compared with high-quality equipment, where the chance of failure is
minimised.

4.3 Accidental human interference


No matter what the business is, anyone can by mistake delete important files, click on malicious emails or
damage devices. To guard against all this, it is recommended that you regularly back up your data, including
your system settings and configuration.

4.4 Malicious behaviour

There are three types of this behaviour:

4.4.1 Interference is when someone does damage to your business by deleting data, running DDoS attacks
against your website, physical or computer theft, and so on.

4.4.2 Interception is stealing your information.

4.4.3 Impersonation is the misuse of someone else's information, usually obtained through a social
engineering attack or purchased on the dark web.

5 Identify the vulnerabilities


A vulnerability is a weakness that can allow a threat to harm your organization. Vulnerabilities can be
identified through analysis, audit reports, the NIST vulnerability database, vendor data, security test and
evaluation (ST&E) procedures, penetration testing, and automated scanning tools.

Don't keep your focus only on software weaknesses; there are also physical and human weaknesses. For
example, having your own server room in the basement increases your risk of flooding, and failing to
educate your employees about the dangers of clicking email links increases your risk of malware
threats. (Netwrix, 2018)

https://blog.netwrix.com/2018/01/16/how-to-perform-it-risk-assessment/

6 Data protection
Data protection is a law designed to protect and control personal data against corporate abuse, so that
personal data is not shared with others without notifying the person it concerns.
6.1 The need for data protection
The importance of data protection increases as the amount of data generated and stored keeps growing at
unprecedented rates. There is also little tolerance for downtime, which can make it difficult to access
important information.
As a result, a large part of a data protection strategy is ensuring that data can be restored immediately
after any corruption or loss. Protecting data from compromise and ensuring data privacy is another
important aspect of data protection.

6.1.1 Example
The coronavirus pandemic has caused millions of workers to work from home, resulting in the need
for remote data protection. Businesses need to adapt to ensure they protect data wherever employees
are, from the data center in the office to home laptops. (Paul Crocetti)
https://searchdatabackup.techtarget.com/definition/data-protection

7 The right to privacy

The right to privacy is recognized by the Universal Declaration of Human Rights, the international human
rights instrument, so that individuals can exercise this right when the disclosure of personal information
is required from private companies and individuals.

8 Data protection system

Here personal information is processed and collected by a private organization or a public body for use.
Under data protection law, organizations must process the data in accordance with the following principles:

8.1 Fairness, legitimacy, and transparency

Fairness in the collection and disclosure of personal data is essential to prevent unforeseen
occurrences and should be considered legally when selling and/or transmitting personal
information. The key to the legal protection of personal information is that it must be
collected and processed with respect for legal process.

8.2 Purpose Limit

The information collected must be used for the specific and unambiguous purpose stated when the
personal data was collected; it must not be used for any other purpose without notice or correction.
This policy is very important, and the data collection organization should clearly understand that
the data will be used only for the intended purpose.

8.3 Accuracy
The data collection organization must ensure that all the steps taken throughout the process are
accurate, to avoid a high risk of data loss.
9 ISO 31000 Risk Management
ISO 31000 is an international standard published in 2009 that provides principles and guidelines for
effective risk management. It sets out a standard risk management approach, which can be applied to
a variety of risk types (financial, security, project risk) and can be used by any type of organization.
The standard provides a common vocabulary and set of concepts for discussing risk management. It provides
guidelines and principles that can help in making a critical review of your organization's risk management
process.
The risk management process described in the ISO 31000 standard includes the following functions:

9.1 Risk identification: identifying the risks that can prevent us from achieving our goals.
9.2 Risk analysis: understanding the sources and causes of the identified risks; studying their
likelihood and consequences given the existing controls, to identify the level of residual risk.

9.3 Risk assessment: comparing the results of the risk analysis with the decision criteria
to determine whether the residual risk is tolerable.

9.4 Risk treatment: changing the magnitude and probability of consequences, good or bad, to achieve an
increase in net benefit.

Establishing the context: this activity, which is not included in the definition of the previous disaster risk
management process, consists of defining the scope of the risk management process, defining the
organizational objectives, and establishing a risk assessment process.
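The following Python script is an added example, not part of the original document: it walks the risk assessment steps from sections 3 to 5 (assets, threats, vulnerabilities) and the ISO 31000 functions of section 9 (identification, analysis, comparison with a tolerance, treatment) over a small constructed risk register. The 1 to 5 scales, the way inherent likelihood is combined from threat and vulnerability, the control model and the tolerance value of 8 are assumptions made for illustration, not taken from ISO 31000 or from the document.

```python
"""Added example (not from the original document): a small risk register that
identifies assets, threats and vulnerabilities, analyses likelihood and impact,
compares the residual risk with a tolerance and picks a treatment.  All scales,
the likelihood model and the tolerance are assumptions for illustration."""
from dataclasses import dataclass, field
from enum import Enum


class Treatment(Enum):
    ACCEPT = "accept"      # residual risk is within tolerance
    MITIGATE = "mitigate"  # add controls to lower likelihood or impact
    TRANSFER = "transfer"  # rare but severe: insure or outsource it
    AVOID = "avoid"        # likely and severe: stop the activity


@dataclass(frozen=True)
class Asset:
    name: str
    category: str    # software, computer hardware, data or interface
    value: int       # business impact if lost or compromised, 1 (low) .. 5 (critical)


@dataclass(frozen=True)
class Threat:
    name: str
    source: str      # natural disaster, system failure, accidental or malicious
    likelihood: int  # how often the threat occurs, 1 (rare) .. 5 (almost certain)


@dataclass(frozen=True)
class Vulnerability:
    name: str
    exposure: int    # how easily the threat can exploit it, 1 .. 5


@dataclass(frozen=True)
class Control:
    name: str
    likelihood_reduction: int = 0  # points removed from likelihood
    impact_reduction: int = 0      # points removed from impact


def clamp(n: int) -> int:
    """Keep a score on the assumed 1..5 scale."""
    return max(1, min(5, n))


@dataclass
class Risk:
    asset: Asset
    threat: Threat
    vulnerability: Vulnerability
    controls: list = field(default_factory=list)

    def inherent_likelihood(self) -> int:
        # A threat only harms the asset through a weakness, so the inherent
        # likelihood combines threat frequency with exposure (assumed model, rounded up).
        return clamp((self.threat.likelihood + self.vulnerability.exposure + 1) // 2)

    def residual(self) -> tuple[int, int]:
        """(likelihood, impact) after the existing controls are applied."""
        lik = self.inherent_likelihood() - sum(c.likelihood_reduction for c in self.controls)
        imp = self.asset.value - sum(c.impact_reduction for c in self.controls)
        return clamp(lik), clamp(imp)

    def score(self) -> int:
        lik, imp = self.residual()
        return lik * imp  # residual risk, 1 .. 25

    def treatment(self, tolerance: int) -> Treatment:
        """Compare residual risk with the tolerance and choose a treatment."""
        lik, imp = self.residual()
        if lik * imp <= tolerance:
            return Treatment.ACCEPT
        if imp == 5 and lik >= 4:
            return Treatment.AVOID
        if imp >= 4 and lik <= 2:
            return Treatment.TRANSFER
        return Treatment.MITIGATE


def build_register() -> list[Risk]:
    """Constructed sample data modelled on the threat types listed in the text."""
    customer_db = Asset("customer contact database", "data", 5)
    web_server = Asset("public web server", "computer hardware", 3)
    return [
        Risk(customer_db, Threat("phishing email steals credentials", "malicious", 4),
             Vulnerability("staff not trained on email links", 3),
             [Control("spam filtering", likelihood_reduction=1)]),
        Risk(customer_db, Threat("earthquake destroys the server room", "natural disaster", 1),
             Vulnerability("single site, no off-site copy", 2)),
        Risk(web_server, Threat("DDoS against the website", "malicious", 3),
             Vulnerability("no traffic filtering", 3),
             [Control("upstream DDoS protection", likelihood_reduction=2)]),
        Risk(customer_db, Threat("malicious insider exports all data", "malicious", 4),
             Vulnerability("unrestricted bulk export", 5)),
    ]


def prioritize(risks: list[Risk], tolerance: int = 8) -> list[tuple[int, str, str, str]]:
    """Highest residual score first: (score, asset, threat, treatment)."""
    rows = [(r.score(), r.asset.name, r.threat.name, r.treatment(tolerance).value) for r in risks]
    return sorted(rows, key=lambda row: row[0], reverse=True)


if __name__ == "__main__":
    for score, asset, threat, action in prioritize(build_register()):
        print(f"{score:2d}  {action:<8}  {asset}: {threat}")
```

Running the script prints the register ordered by residual score, so the insider export (25, avoid) comes first and the filtered DDoS (3, accept) last; changing the tolerance or adding a Control to a Risk shows how treatment decisions move as controls are introduced.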

In the IT field, engineers and technicians are constantly on the lookout for security breaches in their
systems. Any situation of this nature may result in data loss and operational shutdown. These are the
biggest problems, which no business can afford, because they can cause irreparable damage to a
company's financial resources, competitive position, and trust and recognition.

An IT audit is an effective defense against cybercrime and other security gaps through its in-depth
assessment of the company's IT infrastructure and staff roles. Usually, auditors conduct staff
interviews, risk assessments, and a series of tests to test your security system.
