2023 IT Examiner School

Performing Risk Analysis

The process used to identify and understand risks in the context of Information Security (Confidentiality, Integrity, and Availability)

• Requires:
1. Identifying assets
2. Identifying vulnerabilities & threats
3. Determining risks
4. Risk response
5. Monitor & report

• Evaluate cost of safeguards vs. cost of loss
• Cost of loss is the guide for the security budget
• If the annualized cost of safeguards is greater than the cost of loss, it is not worth it. Perhaps better to:
• Accept the risk
• Transfer the risk (insurance)
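A worked version of the safeguard-versus-loss comparison above, added here as an example and not part of the examiner school material. It assumes the standard quantitative formulas SLE = asset value × exposure factor and ALE = SLE × annualized rate of occurrence (the slide only speaks of "annualized cost"), and all dollar figures and rates are constructed.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Risk:
    """One asset/threat pair from the risk register (constructed values)."""
    asset: str
    threat: str
    asset_value: float       # cost to recover or replace the asset
    exposure_factor: float   # fraction of asset value lost per incident, 0..1
    aro: float               # annualized rate of occurrence (incidents/year)

    def sle(self) -> float:
        # Single loss expectancy: loss from one incident (assumed formula)
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        # Annualized loss expectancy: the "cost of loss" per year (assumed formula)
        return self.sle() * self.aro


@dataclass
class Safeguard:
    """A proposed control and what it does to the incident rate."""
    name: str
    upfront_cost: float      # one-time purchase / deployment cost
    yearly_cost: float       # licences, staff time, maintenance
    lifetime_years: float    # period over which upfront cost is spread
    residual_aro: float      # incidents/year expected after the control

    def annualized_cost(self) -> float:
        return self.upfront_cost / self.lifetime_years + self.yearly_cost


def risk_response(risk: Risk, safeguard: Safeguard,
                  insurance_premium: Optional[float] = None) -> str:
    """Return 'mitigate', 'transfer' or 'accept' per the slide's decision rule."""
    ale_before = risk.ale()
    ale_after = risk.sle() * safeguard.residual_aro
    loss_avoided = ale_before - ale_after          # yearly reduction in expected loss
    if safeguard.annualized_cost() <= loss_avoided:
        return "mitigate"                           # safeguard pays for itself
    # Safeguard costs more than the loss it prevents: consider the alternatives
    if insurance_premium is not None and insurance_premium < ale_before:
        return "transfer"                           # insure rather than control
    return "accept"                                 # live with the expected loss


# Constructed register entries used by the checks below
SERVER = Risk("core banking server", "ransomware", 200_000, 0.25, 0.2)   # ALE 10,000
LAPTOPS = Risk("laptop fleet", "loss/theft", 50_000, 0.10, 0.5)          # ALE 2,500
EDR = Safeguard("endpoint detection", 15_000, 1_000, 5, 0.05)            # 4,000/yr
TRACKING = Safeguard("asset tracking", 20_000, 2_000, 4, 0.10)           # 7,000/yr
```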

5

Risk Treatment (Controls)

Physical controls
• "I am physically securing the asset..."
• Doors, locks, keys, fences

Administrative controls
• "I am telling you..."
• Policies
• Security
• Acceptable use
• Staff screening and training

Technical controls
• "I am implementing technology to control..."
• Firewalls and intrusion detection/prevention systems
• Authentication systems

6
