Tutorial 8
● Baseline approach: Aims to implement a basic, general level of security controls using baseline documents, codes of practice, and industry best practice. Advantage: it does not require the expenditure of additional resources on risk assessment. Disadvantage: no special consideration is given to variations in the organization's risk exposure. The baseline approach is only recommended for small organizations.
● Informal approach: Involves conducting some form of informal, pragmatic risk analysis, based on the knowledge of the internal experts or consultants who perform the analysis. This approach may cover more aspects than the baseline approach, but because no formal process is used, some risks may not be considered.
● Detailed risk analysis: A detailed risk assessment, using a formal structured process, provides the greatest degree of assurance that all risks are identified. It incurs significant costs in time and resources.
● Combined approach: Combines elements of the other approaches. The aim is to provide reasonable levels of security as quickly as possible, and then to examine and adjust the security controls deployed on key systems over time. The approach begins with the implementation of suitable baseline security recommendations on all systems. It forms a good base for further security measures. Requires the highest cost.
III.
• PLAN: Develop the IT security plan.
• DO: Implement the IT security plan.
• CHECK: Maintain and monitor the implemented controls.
• ACT: Take corrective and preventive actions for continual improvement.
Reduce Consequence
• Examples include implementing an off-site backup process, developing a disaster recovery plan, or arranging for data and processing to be replicated over multiple sites.
Reduce Likelihood
• These could include technical or administrative controls such as deploying firewalls and access tokens, or procedures such as password complexity and change policies. Such controls aim to improve the security of the asset, making it harder for an attack to succeed by reducing the vulnerability of the asset.