Topic 5 Part 1

Chapter 5.0 focuses on Information Assurance Management in cybersecurity, detailing risk identification, analysis, and management processes. It distinguishes between information assurance and information security, emphasizing their roles in protecting data integrity, availability, and confidentiality. The chapter outlines techniques for risk identification and analysis, highlighting the importance of proactive measures to mitigate potential threats.

Chapter 5.0 Information Assurance Management
DFC20313 Cybersecurity Fundamentals
Prepared By: Fatimah Zahra

Part 1
Upon completion of this course, students should be able to:

CLO & PLO

CLO1 Explain cybersecurity threats and hazards using appropriate tools and techniques for a secured environment in organizations.
CLO3 Practice professional codes of ethics to adapt to the real challenges in the security environment.
PLO2 Commit to principles of lifelong learning in academic and career development.
PLO11 Commit to professional and ethical practices in executing instructions related to the job and organizational functions.
Topic 5.1 Content

5.1 Discover risk identification, risk analysis and risk management
5.1.1 Identify the difference between information assurance and information security
5.1.2 Identify risk identification management
  a. Assets identification
  b. Risk identification
  c. Threat identification
  d. Vulnerabilities
RISK IDENTIFICATION, RISK ANALYSIS AND RISK MANAGEMENT
Risk Identification

Risk identification is the process of identifying and documenting potential risks that could impact the success of a project, program, or organization. It is the first step in the risk management process, which aims to anticipate, assess, and control potential threats.

Purpose: To recognize potential risks early so that proactive measures can be taken to mitigate or avoid them.

Sources of Risks: Risks can come from various sources, including internal processes, external events, human factors, technology, and natural disasters.

Techniques: Common techniques for identifying risks include brainstorming, root cause analysis, SWOT analysis, expert judgment, documentation review, and interviewing stakeholders.

Process: Identification is the entry point to the wider cycle: define the scope, identify potential risks, assess the likelihood and impact of each, prioritize them, and develop mitigation plans for the most critical ones. Each identified risk should be recorded (typically in a risk register) so that it can be tracked through the later steps.

By identifying risks early, organizations can better prepare for and respond to potential challenges, ensuring smoother project execution and the achievement of their objectives.
Risk Analysis

Risk analysis is the process of identifying, assessing, and prioritizing potential risks that could negatively impact a project, organization, or investment. It supports informed decisions by evaluating the likelihood and impact of adverse events.

Purpose: To understand the potential risks and their consequences, enabling better decision-making and risk management strategies.

Types: Quantitative analysis expresses likelihood and loss as numbers (for example an expected annual loss derived from mathematical models or simulations); qualitative analysis uses ordinal ratings such as low/medium/high based on expert judgment. In practice the two are often combined: qualitative ratings triage the list, and quantitative estimates are produced for the risks that matter most.

Methods: Common methods include risk-benefit analysis, cost-benefit analysis, needs assessment, business impact analysis, failure mode and effects analysis (FMEA), and root cause analysis.

Process: The process typically involves identifying potential risks, defining the uncertainties around them, analyzing the risks, and implementing solutions to mitigate or manage them.

By conducting a thorough risk analysis, organizations can better prepare for potential challenges and minimize their impact.
Risk Management

Risk management is the systematic process of identifying, assessing, and mitigating threats or uncertainties that can affect an organization, project, or individual.

ACTIVITIES OF RISK MANAGEMENT

Risk Identification: Recognizing potential risks that could impact objectives.
Risk Assessment: Evaluating the likelihood and impact of identified risks.
Risk Prioritization: Ranking risks based on their potential effect and likelihood.
Risk Mitigation: Developing strategies to minimize or eliminate the impact of risks (in practice by reducing the risk with controls, transferring it, avoiding the activity, or formally accepting it).
Monitoring and Review: Continuously tracking risks and the effectiveness of mitigation strategies, and feeding any changes back into identification.

Effective risk management helps organizations prepare for uncertainties, reduce potential losses, and seize opportunities.

It is crucial in many fields, including finance, healthcare, project management, and cybersecurity.
Information Assurance

Information assurance (IA) is the practice of assuring and managing the risks related to confidential information throughout its transmission, processing, and storage.

IA focuses on protecting the integrity, availability, authentication, non-repudiation, and confidentiality of data in the system. It covers not only digital data protection but also physical safeguards.

IA is mainly concerned with ensuring that the information system performs as required while keeping it accessible to authorized users.

Five key pillars underpin information assurance and help protect the system while allowing it to deliver services efficiently: availability, integrity, authentication, confidentiality, and non-repudiation.
Information Security

Information security is the practice of protecting information by mitigating information risks.

Typically, it involves reducing the probability of unauthorized access to data or illegal use of it, as well as the unauthorized disruption, deletion, modification, inspection, or recording of confidential information. It includes taking actions to prevent such incidents.

The main focus of information security is providing balanced protection against cyber-attacks and hacking while maintaining the confidentiality, integrity, and availability of data.

For this purpose, it applies a variety of methods aimed at preventing and defending against attacks and unauthorized use, covering the network, applications, and data. In the process, possible dangers are detected, examined, and evaluated so that the right kind of action can be taken to prevent them.

Another important aspect of information security is preventing cyber-attacks by using firewalls and other preventive controls.
Difference Between Information Assurance and Information Security

1. Information Assurance: a practice of assuring and managing the risks and threats related to the company's information.
   Information Security: a practice of protecting information by mitigating the risks related to information.

2. Information Assurance: more concerned with the overall risks to be found in the company's data.
   Information Security: helps prevent unauthorized access, use, disclosure, disruption, modification, or destruction of the data.

3. Information Assurance: its five main pillars are to ensure the availability, integrity, authenticity, confidentiality, and non-repudiation of the company's data.
   Information Security: its three main objectives are to provide the integrity, confidentiality, and availability of data.

4. Information Assurance: often applies organization-wide standards to reduce the threats to data.
   Information Security: pays more attention to developing tools, technologies, and other measures to secure the data.

5. Information Assurance: the main branch, which works with information security to provide protection to data.
   Information Security: a sub-unit of information assurance.

6. Information Assurance: includes tasks such as restoration of information systems by incorporating protection, detection, and reaction capabilities.
   Information Security: achieved through security solutions, encryption, other technology, and processes.

7. Information Assurance: more focused on organizational risk management and the overall quality of the data.
   Information Security: provides a safe method to reduce risks such as unwanted access, compromise, or theft of data.

8. Information Assurance: includes methods such as security audits, network architecture, compliance audits, database administration, and the implementation and enforcement of organisational information management policies.
   Information Security: provides functions such as vulnerability management, penetration testing, and technology solutions such as firewalls, anti-virus, data loss prevention, and encryption.
Risk Management

a. Assets Identification
• Asset identification is the process of identifying and classifying the critical assets within an organization. The primary purpose of asset identification and classification is to protect the business from possible threats such as loss, theft, and compliance issues, as well as asset underperformance and its consequences.
• It means identifying the valuable resources within an organization, such as data, hardware, software, and personnel, and recording who owns each asset and how valuable it is, since that value drives the later impact estimate.
b. Risk Identification
Risk Identification is the process of determining potential risks to your business. This can include anything from a natural disaster that could damage your property to a disgruntled employee who could sabotage your systems.

What are its Benefits?
• Identify potential threats to your business.
• Assess your business's vulnerabilities.
• Make better decisions.

Why is it Important?
• It helps you understand what could go wrong and how you might be able to prevent it.
• It allows you to put together a plan for dealing with any potential risks that might arise.
• It helps you make better decisions when it comes to your business.

Source: https://www.linkedin.com/pulse/understand-risk-management-process-abd-essamad-baaziz-4lzbe/
c. Threat Identification
Threat Identification: Recognizing potential sources of harm or adverse effects to the assets, such as cyber-attacks, natural disasters, or human error.
It is the process of determining potential risks to a system by using checklists, traceability links, and various strategies such as injury, entry point, threat, and vulnerability arguments.
(Figure: Threat Identification Process)

Exercise: give examples of threats.

d. Vulnerability
Vulnerability: Identifying weaknesses in the system that could be exploited by threats to cause harm or loss.
Source: https://aptien.com/en/kb/articles/what-is-vulnerability

A vulnerability:
• increases the likelihood of risk;
• exposes assets to a higher risk of failure; or
• is exploitable by an attacker, facilitating unauthorized access or attack.

Examples of the most common vulnerabilities
• error or defect in technology
• a bug in the software enabling a cyber attack
• insufficiently trained worker
• insufficient protection of the worker's body (protection of the head, hands, body, etc.)
• insufficient maintenance of equipment and machinery
• wrong or poorly designed business process
• missing or weak data encryption
• lack of security cameras
• missing locks on office doors
• unrestricted upload of dangerous files
• missing, insufficient or weak passwords
• missing website SSL/TLS certificate
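The following is an added worked example, not code from the DFC20313 slides, showing how the asset, threat and vulnerability identification steps above feed the risk analysis and prioritization activities described earlier in the chapter. Each register entry is an asset/threat/vulnerability triple; quantitative analysis uses the standard formulas SLE = AV × EF and ALE = SLE × ARO, qualitative analysis uses a 5×5 likelihood × impact score, and a candidate control is judged by cost-benefit analysis. The asset values, exposure factors, frequencies, rating thresholds and control cost are constructed sample figures, not data from the page.

```python
"""Worked risk register: asset/threat/vulnerability triples -> analysis -> ranking -> control choice.

Added example for this chapter, not code from the DFC20313 slides. All asset values,
exposure factors, frequencies, rating thresholds and control costs are constructed
sample figures chosen to illustrate the method.
"""
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Risk:
    asset: str               # a. asset identification
    threat: str              # c. threat identification
    vulnerability: str       # d. weakness that lets the threat act on the asset
    asset_value: float       # AV: what the asset is worth (currency units)
    exposure_factor: float   # EF: fraction of AV lost in one occurrence (0.0..1.0)
    aro: float               # ARO: annualised rate of occurrence (events per year)
    likelihood: int          # qualitative likelihood, 1 (rare) .. 5 (almost certain)
    impact: int              # qualitative impact, 1 (negligible) .. 5 (severe)

    # Quantitative analysis: standard single/annualised loss expectancy formulas.
    def sle(self) -> float:
        """Single loss expectancy: SLE = AV * EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualised loss expectancy: ALE = SLE * ARO."""
        return self.sle() * self.aro

    # Qualitative analysis: 5x5 likelihood x impact matrix (thresholds are an assumption).
    def score(self) -> int:
        return self.likelihood * self.impact

    def rating(self) -> str:
        s = self.score()
        if s >= 15:
            return "High"
        if s >= 8:
            return "Medium"
        return "Low"


def prioritise(risks: List[Risk]) -> List[Risk]:
    """Risk prioritisation: highest ALE first; the qualitative score breaks ties."""
    return sorted(risks, key=lambda r: (r.ale(), r.score()), reverse=True)


def apply_control(risk: Risk, *, aro: Optional[float] = None,
                  exposure_factor: Optional[float] = None) -> Risk:
    """Risk mitigation: model a control by lowering how often (ARO) or how badly (EF)
    the threat hits the asset; returns the residual risk after the control."""
    return replace(
        risk,
        aro=risk.aro if aro is None else aro,
        exposure_factor=risk.exposure_factor if exposure_factor is None else exposure_factor,
    )


def control_value(before: Risk, after: Risk, annual_cost: float) -> float:
    """Cost-benefit of a control: (ALE before - ALE after) - annual control cost.
    A negative value means the control costs more per year than the loss it prevents."""
    return (before.ale() - after.ale()) - annual_cost


# Constructed sample register (illustrative values, not measurements).
SAMPLE_RISKS = [
    Risk("Customer database", "Ransomware", "No offline backups",
         asset_value=400_000, exposure_factor=0.5, aro=0.25, likelihood=4, impact=5),
    Risk("Public web server", "Credential stuffing", "Weak passwords, no MFA",
         asset_value=100_000, exposure_factor=0.25, aro=2.0, likelihood=5, impact=3),
    Risk("Office", "Burglary", "Missing locks on office doors",
         asset_value=80_000, exposure_factor=0.125, aro=0.5, likelihood=2, impact=2),
]


def register_summary(risks: List[Risk]) -> List[Tuple[str, float, str]]:
    """Ranked (asset, ALE, qualitative rating) rows, as a risk report would list them."""
    return [(r.asset, r.ale(), r.rating()) for r in prioritise(risks)]


if __name__ == "__main__":
    for asset, ale, rating in register_summary(SAMPLE_RISKS):
        print(f"{asset:<20} ALE={ale:>10,.0f}  rating={rating}")
    web = SAMPLE_RISKS[1]
    # Hypothetical control: enforcing MFA is assumed to cut successful account takeovers
    # from 2 per year to 1 every 8 years, at an assumed 8,000/year licence cost.
    with_mfa = apply_control(web, aro=0.125)
    print("MFA net annual benefit:", control_value(web, with_mfa, annual_cost=8_000))
```

Note how the two analysis styles disagree in a useful way: the database and web server tie on ALE, so the qualitative score is what puts the ransomware risk first, while the office burglary ranks last on both. A control is only worth funding while `control_value` stays positive; raising the assumed annual cost past the prevented loss makes it negative, which is the signal to accept or transfer the risk instead.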
