I. Discuss Risk Assessment Procedures (P5)

The document discusses security risk assessment procedures and the importance of data protection regulations for organizations. It provides details on how to conduct a security risk assessment, including a 4-step process: 1) identify critical assets and sensitive data, 2) assess security risks for each asset, 3) define mitigation approaches, and 4) implement tools to prevent threats and vulnerabilities. It also outlines the three components of a risk assessment - assets, threats, and vulnerabilities. The document then discusses data protection processes and regulations. It defines data protection, explains that organizations should apply it to all forms of data, and notes that the context and methods of data protection vary depending on the situation. It also states that data protection regulations are important

Uploaded by Phát Trần

I. Discuss risk assessment procedures (P5).
Security risk has become a leading priority for organizations as they embrace digital
transformation and leverage advanced technology solutions to drive business growth and
optimize efficiencies. Additionally, many organizations are increasingly reliant on third-party
and fourth-party vendors or programs. While these resources can unlock and drive business
success, they also introduce new threats and expand the digital attack surface.
Security risk is the probability of exposure, loss of critical assets and sensitive information, or
reputational harm as a result of a cyber attack or breach within an organization’s network.
Across industries, cybersecurity must remain top of mind and organizations should work to
implement a cybersecurity risk management strategy to protect against constantly advancing
and evolving cyber threats.
 Risk assessment.
A security risk assessment identifies, assesses, and implements key security controls in
applications. It also focuses on preventing application security defects and
vulnerabilities.
Carrying out a risk assessment allows an organization to view the application portfolio
holistically—from an attacker’s perspective. It supports managers in making informed
resource allocation, tooling, and security control implementation decisions. Thus,
conducting an assessment is an integral part of an organization’s risk management
process.

 How to do risk assessment.


Factors such as size, growth rate, resources, and asset portfolio affect the depth of risk
assessment models. Organizations can carry out generalized assessments when
experiencing budget or time constraints. However, generalized assessments don’t
necessarily provide the detailed mappings between assets, associated threats, identified
risks, impact, and mitigating controls.
If generalized assessment results don’t provide enough of a correlation between these
areas, a more in-depth assessment is necessary.
- 4 steps of security risk assessment:
o Identification. Determine all critical assets of the technology infrastructure.
Next, identify the sensitive data that is created, stored, or transmitted by these
assets. Create a risk profile for each.
o Assessment. Apply a consistent approach to assess the identified security risks for
critical assets. After careful evaluation and assessment, determine how to
effectively and efficiently allocate time and resources towards risk mitigation.
The assessment approach or methodology must analyse the correlation
between assets, threats, vulnerabilities, and mitigating controls.
o Mitigation. Define a mitigation approach and enforce security controls for
each risk.
o Prevention. Implement tools and processes that reduce the chance of threats and
vulnerabilities materialising against your firm's resources.

 The Three Components of a Security Risk Assessment.


- Asset:
An asset is any data, device or other component of an organisation’s systems that is
valuable – often because it contains sensitive data or can be used to access such
information.
For example, an employee’s desktop computer, laptop or company phone would be
considered an asset, as would applications on those devices. Likewise, critical
infrastructure, such as servers and support systems, are assets.
An organisation’s most common assets are information assets. These are things such as
databases and physical files – i.e. the sensitive data that you store.
A related concept is the ‘information asset container’, which is where that information is
kept. In the case of databases, this would be the application that was used to create the
database. For physical files, it would be the filing cabinet where the information resides.

- Threat:
A threat is any incident that could negatively affect an asset – for example, if it’s lost,
knocked offline or accessed by an unauthorised party.
Threats can be categorised as circumstances that compromise the confidentiality,
integrity or availability of an asset, and can either be intentional or accidental.
Intentional threats include things such as criminal hacking or a malicious insider stealing
information, whereas accidental threats generally involve employee error, a technical
malfunction or an event that causes physical damage, such as a fire or natural disaster.
Examples of threats identified during an assessment:
o Equipment malfunction
o Industrial espionage
o Interruption of business processes
o Loss of support services
o Maintenance errors
o Malicious code
o Phishing scams
o Sensitive data being compromised
o Social engineering
o Terrorism threat in the immediate vicinity or affecting nearby transport and
logistics
o Theft of equipment
o Theft of sensitive data

- Vulnerability
A vulnerability is an organisational flaw that can be exploited by a threat to destroy,
damage or compromise an asset.
You are most likely to encounter vulnerabilities in software, because of its
complexity and the frequency with which it is updated. These weaknesses, known
as bugs, can be used by criminal hackers to gain access to sensitive information.
Vulnerabilities don’t only refer to technological flaws, though. They can be physical
weaknesses, such as a broken lock that lets unauthorised parties into a restricted part of
your premises, or poorly written (or non-existent) processes that could lead to
employees exposing information.
Other vulnerabilities include inherent human weaknesses, such as our susceptibility to
phishing emails; structural flaws in the premises, such as a leaky pipe near a power
outlet; and communication errors, such as employees’ sending information to the wrong
person.
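The four steps above (identification, assessment, mitigation, prevention) and the three components (asset, threat, vulnerability) come together in a risk register. The following Python script is an added example, not part of the original assignment: it builds a small register from constructed sample assets, pairs each asset with the threat and vulnerability that expose it, scores likelihood times impact on an assumed 5x5 scale, attaches mitigating controls, and re-ranks by residual risk. The asset names, scores, thresholds and controls are all illustrative assumptions.

```python
"""Minimal security risk register: identify -> assess -> mitigate -> prioritise.

Added example. Assets, threats, vulnerabilities, scores, controls and the
5x5 likelihood x impact scale are constructed sample data and assumptions,
not a standard cited by the page.
"""
from dataclasses import dataclass, field

SCALE = range(1, 6)  # 1 (negligible) .. 5 (severe); assumed scale


@dataclass(frozen=True)
class Asset:
    name: str
    container: str    # the 'information asset container' holding it
    sensitivity: int  # 1..5, used as the impact of losing the asset


@dataclass(frozen=True)
class Threat:
    name: str
    intentional: bool  # criminal hacking vs. accident/malfunction


@dataclass(frozen=True)
class Vulnerability:
    name: str
    kind: str  # "technical", "physical", "process" or "human"


@dataclass
class Risk:
    asset: Asset
    threat: Threat
    vulnerability: Vulnerability
    likelihood: int  # 1..5, chance the threat exploits the vulnerability
    controls: list[tuple[str, int]] = field(default_factory=list)

    def __post_init__(self):
        if self.likelihood not in SCALE or self.asset.sensitivity not in SCALE:
            raise ValueError("likelihood and sensitivity must be in 1..5")

    @property
    def inherent(self) -> int:
        """Risk before any control: likelihood x impact."""
        return self.likelihood * self.asset.sensitivity

    @property
    def residual(self) -> int:
        """Risk after controls; likelihood never drops below 1."""
        reduction = sum(r for _, r in self.controls)
        return max(1, self.likelihood - reduction) * self.asset.sensitivity


def rating(score: int) -> str:
    # Assumed thresholds on the 1..25 product.
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def mitigate(risk: Risk, control: str, likelihood_reduction: int) -> Risk:
    """Step 3: attach a control that lowers likelihood by a fixed amount."""
    if likelihood_reduction < 0:
        raise ValueError("a control cannot increase likelihood")
    risk.controls.append((control, likelihood_reduction))
    return risk


def prioritise(risks: list[Risk]) -> list[Risk]:
    """Step 2 output: highest residual risk first, so budget goes there."""
    return sorted(risks, key=lambda r: (r.residual, r.inherent), reverse=True)


def build_sample_register() -> list[Risk]:
    # Step 1: identification (constructed sample assets and containers).
    customer_db = Asset("customer database", "PostgreSQL on db-01", 5)
    laptop = Asset("sales laptop", "employee endpoint", 3)
    # Step 2: map each asset to the threat/vulnerability pair that exposes it.
    risks = [
        Risk(customer_db, Threat("theft of sensitive data", True),
             Vulnerability("SQL injection in web app", "technical"), 4),
        Risk(customer_db, Threat("maintenance error", False),
             Vulnerability("no tested backup restore procedure", "process"), 3),
        Risk(laptop, Threat("theft of equipment", True),
             Vulnerability("disk not encrypted", "technical"), 3),
        Risk(laptop, Threat("phishing scam", True),
             Vulnerability("staff susceptible to phishing", "human"), 4),
    ]
    # Step 3: mitigation (assumed control effectiveness).
    mitigate(risks[0], "parameterised queries + WAF", 3)
    mitigate(risks[2], "full-disk encryption", 2)
    mitigate(risks[3], "phishing-resistant MFA", 2)
    return risks


def summarise(risks: list[Risk]) -> list[tuple[str, str, int, int, str]]:
    """Rows of (asset, threat, inherent, residual, rating), highest first."""
    return [(r.asset.name, r.threat.name, r.inherent, r.residual, rating(r.residual))
            for r in prioritise(risks)]


if __name__ == "__main__":
    for row in summarise(build_sample_register()):
        print("%-18s %-26s inherent=%2d residual=%2d %s" % row)
```

Re-ranking by residual rather than inherent score is the point of the example: the SQL injection risk starts highest but is treated, while the untested backup procedure has no control attached and ends up as the only high-rated item, which is where the next round of budget should go.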

Task 2 - Explain data protection processes and regulations as applicable to an organisation (P6)
1. Define data protection.
Data protection is the process of protecting data and involves the relationship between the
collection and dissemination of data and technology, the public perception and expectation of
privacy and the political and legal underpinnings surrounding that data. It aims to strike a
balance between individual privacy rights while still allowing data to be used for business
purposes.
Data protection is often used interchangeably with data privacy or information privacy.
Data protection should always be applied to all forms of data, whether personal or
corporate. It covers both the integrity of the data (protection from corruption or errors) and
the privacy of the data (making it accessible only to those who hold the privilege to access it).
The context of data protection varies and the methods and extent also vary for each; there is
data protection on the personal level, that of business or public entities, and that of data so
highly classified that it should never fall into the hands of others aside from its owners — or in
other words, top secret.

2. Explain data protection process in an organization.

3. Why are data protection and security regulation important?
