Tutorial 8

Question 1 - HONG JIAN CHEN


A process used to achieve and maintain appropriate levels of confidentiality, integrity,
availability, accountability, authenticity and reliability.

Question 2 - TAN GEE MUI


What assets do we need to protect?
How are those assets threatened?
What can we do to counter those threats?

Question 3 - LOW PEI SI


1. Plan: establish security policy, objectives, processes and procedures; perform risk
assessment; develop a risk treatment plan with appropriate selection of controls or
acceptance of risk.
2. Do: implement the risk treatment plan.
3. Check: monitor and maintain the risk treatment plan.
4. Act: maintain and improve the information security risk management process in response
to incidents, review, or identified changes.

Question 4 - VIJAYALETCHME A/P HARI KRISHNAN

● Baseline approach: Aims to implement a basic general level of security controls using
baseline documents, codes of practices, and industry best practice. Advantage: does
not require the expenditure of additional resources in risk assessment. Disadvantage:
no special consideration is given to variations in the organization's risk exposure. The
baseline approach is only recommended for small organizations.
● Informal approach: Involves conducting some form of informal, pragmatic risk analysis,
and is based on the knowledge of internal experts or consultants who are performing the
analysis. This approach may cover more aspects than the baseline approach, but
because a formal process is not used, some risks may not be considered.
● Detailed risk analysis: A detailed risk assessment, using a formal structured process,
provides the greatest degree of assurance that all risks are identified. Significant costs
in time and resources.
● Combined approach: combines elements from the other approaches. The aim is to supply
sensible levels of security as rapidly as conceivable, and then to examine and alter
the security controls conveyed on key frameworks over time. The approach begins with the
execution of reasonable standard security recommendations on all frameworks.

Question 5 - TAN YEN TUNG


• Risk acceptance. Accept the risk as part of normal business operation and do nothing.
• Risk avoidance. Take the necessary action to avoid the risk that would otherwise occur.
• Risk transfer. Transfer the risk in order to share the responsibility with a third party that
handles and resolves it.
• Reduce consequence. Modify the structure or use of the assets that carry the risk in order
to reduce the impact on the organization when the risk occurs.
• Reduce likelihood. Implement the appropriate controls or corrective actions to lower the
chance of the vulnerabilities being exploited.

Question 6 - TEOH GUAN SIONG


I.
Baseline Approach:
- Goal is to implement agreed controls to provide protection against the most common
threats.
- Forms a good base for further security measures.
- Uses "industry best practice":
  - Easy, cheap, can be replicated.
  - Gives no special consideration to variations in risk exposure.
  - May give too much or too little security.
- Generally recommended for small organizations without the resources to implement
more structured approaches.

Detailed Risk Analysis:
- Provides the most accurate evaluation of an organization's IT system's security risks.
- Requires the highest cost.
- Initially focused on addressing defense security concerns.
- Often mandated by government organizations and associated businesses.

II. Reduce Likelihood
- Implement suitable controls to lower the chance of the vulnerability being exploited.

III.
• PLAN: Develop the IT Security Plan.
• DO: Implement the IT Security Plan.
• CHECK: Maintain and monitor the implemented controls.
• ACT: Take corrective and preventive actions for continual improvement.

Question 7 - CHIA CHIN SEE


The combined approach combines elements of the other approaches:
● Implementation of a suitable initial baseline on all systems.
● Conducting an immediate informal analysis to identify critical risks.
● An ordered process of formal, detailed analysis of these systems.

Highly recommended because:


● Results in the development of a strategic picture of the IT resources and where major
risks are likely to occur.
● Ensures that a basic level of security protection is implemented early.
● For most organizations this approach is the most cost effective.

Question 8 - LEE WEI PEOW


Reducing consequence is an act to prevent the side effects that occur due to, or are caused
by, the happening of a risk, whereas reducing the likelihood of a risk is an act to prevent the
risk from happening. Reducing consequences is done by carrying out specific
measures or implementing certain failsafe measures in an attempt to prevent or reduce
damage or side effects when a specific risk happens, while reducing the likelihood of a risk is
done by attempting to prevent the risk from happening in the first place.
Taking a data center as an example, the administrator can set up backup servers to act
as a fallback node when the primary server fails, to reduce the consequence whereby
the system will be unavailable when the primary server fails.
On the other hand, the administrator can acquire UPS backups for the servers to act as
a fallback electrical supply to prevent system disruption and downtime in the event of a
power failure.

Reduce Consequence
• Examples include implementing an off-site backup process, developing a
disaster recovery plan, or arranging for data and processing to be replicated over
multiple sites.

Reduce Likelihood
• These could include technical or administrative controls such as deploying
firewalls and access tokens, or procedures such as password complexity and change
policies. Such controls aim to improve the security of the asset, making it harder for an
attack to succeed by reducing the vulnerability of the asset.
