Security Lo1-1


SECURITY

Learning Outcomes

LO1: Assess risks to IT security.

LO2: Describe IT security solutions.

LO3: Review mechanisms to control organisational IT security.

LO4: Manage organisational security.


LO1: Assess risks to IT security
Introduction

• Security is one of the most important challenges modern organisations face.


• Security is about protecting organisational assets, including personnel, data, equipment
and networks from attack through the use of prevention techniques in the form of
vulnerability testing/security policies and detection techniques, exposing breaches in
security and implementing effective responses.
• The aim of this unit is to provide students with knowledge of security, associated risks
and how security breaches impact on business continuity.
• Students will examine security measures involving access authorisation, regulation of
use, implementing contingency plans and devising security policies and procedures.
Assessing risks to IT security: IT security risks

• “The wonderful thing about the Internet is that you’re connected to everyone
else… The terrible thing about the Internet is that you’re connected to
everyone else…”
• Dr. Vinton Cerf - co-designer of the TCP/IP protocols and the architecture of the Internet.

• With access to the information and services the Internet provides comes risk.
• Risk of information loss or corruption, of data theft, and worse. These risks
have to be mitigated with security solutions.
IT Threats
• A threat is an event that could exploit a vulnerability (an attack waiting to happen) and cause a
negative impact on the network.

• Threats in the digital world typically mimic threats in the physical world.
• Theft, vandalism, eavesdropping are all threats that have moved from the real world into
cyberspace, typically via the Internet.
• There are some significant differences however, in terms of the distance from which these attacks can be
carried out, the automation involved, and the propagation (spreading) of attack techniques.
IT security risks
• Risks:
• unauthorised use of a system
• unauthorised removal or copying of data or code from a system
• damage to or destruction of physical system assets and environment
• damage to or destruction of data or code inside or outside the system
• naturally occurring risks.
Unauthorised use of a system

• Software should be used only by those authorised to do so.


• Someone – a hacker – may access confidential data.
• The hacker may read the data or copy it, but do no damage to it.
• However, simply reading data can also cause damage to an organisation, even if that
data is not deleted or altered.
• Obtaining personal details of an individual can lead to identity theft.
• If you become the victim of identity theft, you might have difficulty obtaining credit
for a credit card, loan or mortgage until the confusion is resolved.
Damage to or destruction of physical system assets and environment

• Someone may damage the hardware in the ICT system. A hard disk holds a lot of data.
• If the disk was sabotaged, the data would become inaccessible. The hardware in an ICT system can
be worth many hundreds of thousands of pounds.
• If any of it is damaged or stolen then it will take time to replace it.
• The cost of replacement is usually covered by insurance, so the main problem is the time delay in
installing replacement equipment.
• This delay can result in lost business and, as a consequence, the organisation may lose money.
Consequential loss may not be covered by insurance, so this is a ‘real’ loss.
Damage to or destruction of data or code inside or outside the
system

• Data or software should only be altered or deleted by someone who is authorised to do so.
• A hacker may damage – i.e. amend or delete – the data or software.
• Data and software may also be damaged by virus attack.
Naturally occurring risks

• Human actions
• E.g. human error, an employee who disregards policy.
• Systems issues
• E.g. out-of-date or incorrectly configured/installed anti-virus and firewall; confusion
over backup policy that could result in accidental overwrite; poor group policy
configuration; incorrect user access levels.
Organisational security
• Business continuance (maintaining essential functions during/after an attack)
• Backup/restoration of data
• Audits
• Testing procedures e.g. data, network, systems, operational impact of
security breaches, WANs, intranets, wireless access systems.
Organisational security:
Business continuance

• Training should be given so that employees know what to do, for example, if they
suspect a virus attack:
• Who should they contact first?
• Should they turn their ICT system off?
• Employees also need to know what to do if they think their login ID is being used
by someone else:
• Who should they inform of their fear?
• What methods might be used to trap the culprit?
• What procedures should be followed to prevent similar lapses in security in future?
• While a security audit will identify weaknesses that ought to be addressed, and an
organisation should make every effort to remedy any shortfall, there will always be
a risk of a security breach.
• For this reason, an analysis of risks should be carried out and a
contingency plan drawn up.
• This contingency plan should cover backup, offsite storage, data recovery
procedures, access to immediate hardware replacement, plus insurance
that covers replacement, loss of business and all the recovery work.
Organisational security:
Backup/restoration of data

• Employees who are responsible for data recovery should also know the
procedures to follow.
• The aim should be to plan ahead so that the whole system can be up and running
again within a specified time-scale, e.g. 24 hours.
• Then, if the worst case scenario happens, disaster recovery should be as smooth
as possible. The contingency plan has to be developed from a full risk analysis,
so that every eventuality is taken into consideration.
Organisational security:
Audits

• An organisation that is unaware of how and where security breaches might
occur could soon be faced with a situation that will be costly, and could be
very embarrassing.
• Instead, a security audit should be conducted to check what might go
wrong, and to plan improvements before a hacker – or some other
individual – takes advantage of the situation.
• Audits could include:
– Review and management
■ e.g. access to systems.
– Establishment and review of personal, corporate and technical trust.
– Vetting of staff.
– Forensic analysis of systems
■ Use of custom forensics or existing sysadmin tools.
Organisational security:
Testing procedures
• Network security: This involves looking for vulnerabilities in the network
infrastructure (resources and policies).
• System software security: Assess weaknesses in software (operating system,
database system, and other software) that is depended on.
• Client-side application security: Ensure that the client (browser or any such
app/tool) cannot be manipulated.
• Server-side application security: Server code and its technologies are
robust enough to fend off any intrusion.
Organisational security:
Testing procedures - operational impact
• Costs
• If data is lost, costs are incurred in recovering the data.
• If software is corrupted, a copy should be available, but the replacement will take time and incur staff costs.
• Depending on how serious a breach was experienced, there may be a need to consult specialists, and this too will incur extra costs.
• Loss of business
• A security breach can result in the collapse of an ICT system.
• The time during which normal service is not available is called downtime.
• Organisations that rely on an ICT system to take orders will suffer a loss of business during the downtime. Some customers will
come back later, but some will not; they will already have taken their business elsewhere.
• If a security breach causes data loss, and it proves difficult to recover that data, then the result can be disastrous for an
organisation.
Security Key Concepts
Confidentiality

• Information exchanged between the client and service provider cannot be read by an unauthorized party. This
often means that only authorized users and processes should be able to access or modify data.
• Encryption is the fundamental technology for ensuring the confidentiality of messages in transit.
• Confidentiality vs. Privacy
Confidentiality: Obligation of provider to restrict access.
Privacy: individual right to control access.
• Confidentiality: When you log in, you’re asked for a password. If it’s been a while since your last log-in, you
may be asked to input a code that’s been sent to you or some other form of two-factor authentication.
Integrity

• In information security, data integrity means maintaining and assuring the accuracy and completeness of data over its
entire lifecycle. (Boritz, 2005) 
• Integrity measures protect information from unauthorized alteration. These measures provide assurance in the
accuracy and completeness of data. The need to protect information includes both data that is stored on systems and
data that is transmitted between systems such as email. In maintaining integrity, it is not only necessary to control
access at the system level, but to further ensure that system users are only able to alter information that they are
legitimately authorized to alter.
• This means that data cannot be modified in an unauthorized or undetected manner.
• Sometimes it’s as simple as a read-only file. Sometimes, it involves hashing or data checksums, which allow data to
be audited to ensure the data hasn’t been compromised. In other cases, integrity might be protected physically from
outside sources that might corrupt it.
Availability

• For any information system to serve its purpose, the information must be available when it is
needed.
• High availability systems aim to remain available at all times, preventing service disruptions due to
power outages, hardware failures, and system upgrades.
• Ensuring availability also involves preventing denial-of-service attacks, such as a flood of
incoming messages to the target system, essentially forcing it to shut down (Loukas, n.d.).
• Availability: You can log into your account whenever you want, and you may even be able to
contact customer support at any time of the day or night.
Non-repudiation

• In law, non-repudiation implies one's intention to fulfill their obligations to a contract. It also implies
that one party of a transaction cannot deny having received a transaction, nor can the other party deny
having sent a transaction (Hossein Bidgoli, n.d.).
• Assurance that the sender of information is provided with proof of delivery and the recipient is provided
with proof of the sender’s identity, so neither can later deny having processed the information.
• Digital signatures (combined with other measures) can offer non-repudiation when it comes to online
transactions, where it is crucial to ensure that a party to a contract or a communication can't deny the
authenticity of their signature on a document or sending the communication in the first place. In this
context, non-repudiation refers to the ability to ensure that a party to a contract or a communication must
accept the authenticity of their signature on a document or the sending of a message.
Privacy

• Privacy is when an individual’s personal information, habits, and other sensitive
data are protected from public disclosure.
• For information security, it means a company’s confidential material cannot be
taken or accessed by the public or another company.
• Privacy, like security, is crucial because it prevents data leaks. However, whereas
security is concerned with information leaks caused by malware infections and
data breaches, privacy is concerned with personal data rights in terms of how
information is acquired, utilized, and maintained, as well as who has access to it.
Authentication

• Authentication is the process of verifying the identity of a person or device.

• A common example is entering a username and password when you log in to a website.
• Entering the correct login information lets the website know 1) who you are and 2) that it is actually you accessing the website.
• While a username/password combination is a common way to authenticate your identity, many other types of authentication exist.
For example, you might use a four or six-digit passcode to unlock your phone. A single password may be required to log on to
your laptop or work computer. Every time you check or send email, the mail server verifies your identity by matching your email
address with the correct password. This information is often saved by your web browser or email program so you do not have to
enter it each time.

• Biometrics may also be used for authentication. For example, many smartphones have a fingerprint sensor that allows you to
unlock your phone with a simple tap of your thumb or finger. Some facilities have retinal scanners, which require an eye scan to
allow authorized individuals to access secure areas. Apple's Face ID (introduced with the iPhone X) authenticates users by facial
recognition.
Authorization
• Once a user has been authenticated, the authorization process determines what permissions they have. Permissions are what the employee
of the organization is able to do and access within the organization; without them, every employee would have the same abilities and access to
the same information.
• There are many techniques to implement authorization; the frequently used methods are:
• Principle of least privilege (POLP)
• The principle of least privilege is the idea that any user, program, or process should have only the bare minimum privileges necessary to
perform its function. For example, a user account created for pulling records from a database doesn’t need admin rights, while a
programmer whose main function is updating lines of legacy code doesn’t need access to financial records. The principle of least privilege
can also be referred to as the principle of minimal privilege (POMP) or the principle of least authority (POLA). Following the principle of
least privilege is considered a best practice in information security.
• User Account with Least Privilege: With the principle of least privilege, an employee whose job is to enter info into a database only needs
the ability to add records to that database. If malware infects that employee’s computer or if the employee clicks a link in a phishing email,
the malicious attack is limited to making database entries. If that employee has root access privileges, however, the infection can spread
system-wide.
• Access control lists (ACL)
Accountability

• Accountability means making sure every action can be tracked back to a single person, not just a group.
• Every information asset should be "owned" by an individual in the organization who is primarily responsible
for it.
• Accountability is improved by defining policy that describes specific responsibilities, and by awareness programs.
• Individuals must be aware of what is expected of them; this guides continual improvement.
Passive Attack
Active Attack
Information Security Principles (Merkow and Breithaupt, 2014)
Principle 1: There Is No Such Thing As Absolute Security
• In 2003, the art collection of the Whitworth Gallery in Manchester, England,
included three famous paintings by Van Gogh, Picasso, and Gauguin. Valued at
more than $7 million, the paintings were protected by closed-circuit television
(CCTV), a series of alarm systems, and 24-hour rolling patrols.
• Yet in late April 2003, thieves broke into the museum, evaded the layered security
system, and made off with the three masterpieces. Several days later, investigators
discovered the paintings in a nearby public restroom along with a note from the
thieves saying, “The intention was not to steal, only to highlight the woeful
security.”
Principle 1: There Is No Such Thing As Absolute Security

• The burglars’ lesson translates to the information security arena and illustrates
the first principle of information security (IS):
• “Given enough time, tools, skills, and inclination, a malicious person can
break through any security measure.”
• As with software, no safe is burglar proof; security measures simply buy
time. Of course, buying time is a powerful tool.
• Resisting attacks long enough provides the opportunity to catch the attacker
in the act and to quickly recover from the incident.
Principle 1: There Is No Such Thing As Absolute Security

• This principle applies to the physical world as well and is best illustrated
with an analogy of safes or vaults that businesses commonly use to protect
their assets.
• Safes are rated according to their resistance to attacks using a scale that
describes how long it could take a burglar to open them.
Principle 2: The Three Security Goals Are Confidentiality, Integrity, and Availability

• All information security measures try to address at least one of three goals:
• Protect the confidentiality of data
• Preserve the integrity of data
• Promote the availability of data for authorized use
• The principle of information security protection of confidentiality,
integrity, and availability cannot be overemphasized: This is central to all
studies and practices in IS.
Principle 2: The Three Security Goals Are Confidentiality, Integrity, and Availability

• These goals form the confidentiality, integrity, availability (CIA) triad, the
basis of all security programs. Information security professionals who
create policies and procedures (often referred to as governance models)
must consider each goal when creating a plan to protect a computer
system.
Confidentiality

• ISO/IEC 27000:2012 defines confidentiality as “Information is not made
available or disclosed to unauthorized individuals and entities or
processes.”
• Confidentiality is sometimes referred to as the principle of least privilege,
meaning that users should be given only enough privilege to perform their
duties, and no more. Some other synonyms for confidentiality you might
encounter include privacy, secrecy, and discretion.
Confidentiality

• Measures undertaken to ensure confidentiality are designed to prevent
sensitive information from reaching the wrong people, while making sure
that the right people can in fact get it: access must be restricted to those
authorized to view the data in question. It is common, as well, for data to
be categorized according to the amount and type of damage that could be
done should it fall into unintended hands.
• Confidentiality is enforced with common security mechanisms such as usernames,
passwords, access control lists (ACLs), and encryption.
Integrity

• ISO/IEC 27000:2012 defines integrity as “the property of accuracy and completeness of
assets.”
• Integrity models keep data pure and trustworthy by protecting system data from changes,
whether they are intentional, unauthorized, or accidental. Integrity models have three goals:
• Prevent unauthorized users from making modifications to data or programs
• Prevent authorized users from making improper or unauthorized modifications
• Maintain internal and external consistency of data and programs
• An example of integrity checks is balancing a batch of transactions to make sure that all the
information is present and accurately accounted for.
Integrity

• The receiver of the information must have the information the creator intended him to have.
• The information can be edited by authorized persons only and remains in its original state when at rest.
• Integrity is implemented using security mechanisms such as data encryption and hashing, and version control.
• Changes in data might also occur as a result of non-human-caused events such as an electromagnetic pulse (EMP) or a server crash.
Availability

• ISO/IEC 27000:2012 defines availability as “the property of being accessible and usable
upon demand by an authorized entity.”
• Availability models keep data and resources available for authorized use, especially during
emergencies or disasters. In essence, availability means making sure systems keep running
and information stays accessible.
• Information security professionals usually address three common challenges to availability:
• Denial of service (DoS)
• Loss of information system capabilities because of natural disasters
• Equipment failures during normal use
• Availability is implemented using methods such as hardware maintenance,
software patching and network optimization. Processes such as redundancy,
failover, RAID and high-availability clusters are used to mitigate serious
consequences when hardware issues do occur.
• Dedicated hardware devices can be used to guard against downtime and
unreachable data due to malicious actions such as distributed denial-of-service
(DDoS) attacks, such as a flood of incoming messages to the target system,
essentially forcing it to shut down.
• Availability for Executive Managers
Non-Repudiation

• ISO/IEC 27000:2012 defines non-repudiation as the “ability to prove the
occurrence of a claimed event or action and its originating entities.”
• In law, non-repudiation implies one's intention to fulfill their obligations to a
contract. It also implies that one party of a transaction cannot deny having
received a transaction, nor can the other party deny having sent a transaction.
• Common methods to provide non-repudiation in the context of digital
communications or storage are Message Authentication Codes (MAC),
and Digital Signatures.
Non-Repudiation

• While technology such as cryptographic systems can assist in non-repudiation
efforts, the concept is at its core a legal concept transcending
the realm of technology.
• The alleged sender could in return demonstrate that the digital signature
algorithm is vulnerable or flawed, or allege or prove that his signing key
has been compromised. As such, the sender may repudiate the message
(because authenticity and integrity are pre-requisites for non-repudiation).
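The integrity checks (hashing and checksums) and the MAC-versus-signature point from the slides above, as an added example that is not part of the original deck. It uses only Python's standard library: SHA-256 as the checksum that lets stored data be audited, and HMAC-SHA256 as the Message Authentication Code; the record, keys and party names are constructed, and the digital-signature case is described in comments only because the standard library has no signature primitive.

```python
"""Integrity audit with a hash, and why a MAC alone cannot give non-repudiation."""
import hashlib
import hmac

# Constructed sample record, and a tampered copy with the amount changed.
RECORD = b"invoice=1042;amount=250.00;payee=ACME Ltd"
TAMPERED = b"invoice=1042;amount=2500.00;payee=ACME Ltd"


def checksum(data: bytes) -> str:
    """Integrity baseline: store this digest alongside the data when it is written."""
    return hashlib.sha256(data).hexdigest()


def audit(data: bytes, recorded: str) -> bool:
    """Integrity audit: True only if the data is bit-for-bit what was recorded."""
    return hmac.compare_digest(checksum(data), recorded)


def mac(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256 tag: proves the message was produced by *a* holder of `key`."""
    return hmac.new(key, message, hashlib.sha256).digest()


def possible_authors(message: bytes, tag: bytes, key_holders: dict) -> list:
    """Who could have produced `tag`? Every party whose key verifies it.

    A third party adjudicating a dispute can only narrow the author down to
    this set. With a shared MAC key the set always contains both the sender
    and the receiver, so the sender can claim the receiver forged the tag:
    the MAC gives authenticity and integrity, but not non-repudiation.
    A digital signature changes this because only the signer holds the
    private key, so the set collapses to one party (not coded here).
    """
    return sorted(name for name, key in key_holders.items()
                  if hmac.compare_digest(mac(key, message), tag))


def demo() -> dict:
    shared_key = b"constructed-shared-secret"   # known to both Alice and Bob
    keys = {"alice": shared_key, "bob": shared_key, "mallory": b"unrelated-key"}
    tag = mac(shared_key, RECORD)               # produced by Alice ... or by Bob
    return {
        "intact": audit(RECORD, checksum(RECORD)),
        "tampered_detected": not audit(TAMPERED, checksum(RECORD)),
        "mac_verifies": possible_authors(RECORD, tag, keys) != [],
        "possible_authors": possible_authors(RECORD, tag, keys),
    }


if __name__ == "__main__":
    print(demo())
```

`possible_authors` returning two names is the whole point: a verifying tag proves the message is authentic and unaltered, but not which of the two key holders produced it.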
Principle 3: Defense in Depth as Strategy

• In the information security world, defense in depth requires layering
security devices in a series that protects, detects, and responds to attacks
on systems.
• This security is implemented in overlapping layers that provide the three
elements needed to secure assets: prevention, detection, and response.
(Figure: Protect, Detect, Respond cycle)
• Defense in depth also seeks to offset the weaknesses of one security layer
by the strengths of two or more layers.
Principle 3: Defense in Depth as Strategy

Examples of Layered security -1

• A bank would never leave its assets inside an unguarded safe alone. Typically, access to the safe requires passing
through layers of protection that might include human guards and locked doors with special access controls.
• Furthermore, the room where the safe resides could be monitored by closed circuit
television, motion sensors, and alarm systems that can quickly detect unusual activity.
• The sound of an alarm might trigger the doors to automatically lock, the police to be
notified, or the room to fill with tear gas.
Principle 3: Defense in Depth as Strategy

Examples of Layered security - 2

• A typical Internet-attached network designed with security in mind includes
routers, firewalls, and intrusion detection systems (IDS) to protect the
network from would-be intruders;
• employs traffic analyzers and real-time human monitors who watch for
anomalies as the network is being used to detect any breach in the layers of
protection; and relies on automated mechanisms to turn off access or remove
the system from the network in response to the detection of an intruder.
Principle 4: When Left on Their Own, People Tend to Make the Worst Security Decisions

• The primary reason identity theft, viruses, worms, and stolen passwords
are so common is that people are easily duped into giving up the secrets
technologies use to secure systems.
• Generally the weakest link in the information security chain is people.
• One of the best methods of addressing this is creating awareness.
Principle 5: Computer Security Depends on Two Types of Requirements: Functional and Assurance

• Functional requirements describe what a system should do.
• Assurance requirements describe how functional requirements should be
implemented and tested.
• Both sets of requirements are needed to answer the following questions:
• Does the system do the right things (behave as promised)?
• Does the system do the right things in the right way?
• These are the same questions that others in non-computer industries face with
verification and validation.
Principle 5: Computer Security Depends on Two Types of Requirements: Functional and Assurance

• Example
• Consider car safety testing as an example. Verification testing for seat belt
functions might include conducting stress tests on the fabric, testing the
locking mechanisms, and making certain the belt will fit the intended
application, thus completing the functional tests.
• Validation, or assurance testing, might then include crashing the car with
crash-test dummies inside to “prove” that the seat belt is indeed safe when
used under normal conditions and that it can survive under harsh
conditions.
Principle 6: Security Through Obscurity Is Not an Answer

• Security through obscurity means that hiding the details of the security mechanisms is, on its
own, sufficient to secure the system.
• An example of security through obscurity might involve closely guarding the written specifications for
security functions and preventing all but the most trusted people from seeing it. Obscuring security
leads to a false sense of security, which is often more dangerous than not addressing security at all.
• If the security of a system is maintained by keeping the implementation of the system a secret, the
entire system collapses when the first person discovers how the security mechanism works—and
someone is always determined to discover these secrets.
• The better bet is to make sure no one mechanism is responsible for the security of the entire system.
Again, this is defense in depth in everything related to protecting data and resources.
Principle 7: Security = Risk Management

• All security work is a careful balance between the level of risk and the expected
reward of expending a given amount of resources.
• The measures taken in an organization to reduce risk to an acceptable level can, at
times, become excessively expensive.
• A careful balance must be struck between the cost or business impact of a risk if it
occurs and the cost of the measures taken to reduce its likelihood or impact.
• Security is concerned not with eliminating all threats within a system or facility, but
with eliminating known threats and minimizing losses if an attacker succeeds in
exploiting a vulnerability.
Principle 7: Security = Risk Management

• Risk analysis and risk management are central themes to securing information systems. When risks are well understood,
four outcomes are possible:
• The risks are mitigated (countered).
• The level of risk is reduced through additional measures.
• Insurance is acquired against the losses that would occur if a system were compromised.
• The risks are accepted and the consequences are managed.
• After determining a risk rating, one of the following actions could be required:
• Extreme risk: Immediate action is required.
• High risk: Senior management’s attention is needed.
• Moderate risk: Management responsibility must be specified.
• Low risk: Management is handled by routine procedures.
Principle 8: The Three Types of Security Controls Are Preventative, Detective, and Responsive

• The principle of defense in depth dictates that a security mechanism serve
a purpose by
• preventing a compromise,
• detecting that a compromise or compromise attempt is underway, or
• responding to a compromise while it’s happening or after it has been
discovered.
Principle 8: The Three Types of Security Controls Are Preventative, Detective, and Responsive

• Referring to the example of the bank vault in Principle 3,
• access to a bank’s safe or vault requires passing through layers of protection
that might include human guards and locked doors with special access
controls (prevention).
• In the room where the safe resides, closed-circuit televisions, motion sensors,
and alarm systems quickly detect any unusual activity (detection).
• The sound of an alarm could trigger the doors to automatically lock, the
police to be notified, or the room to fill with tear gas (response).
Principle 9: Complexity Is the Enemy of Security

• The more complex a system gets, the harder it is to secure.
• With too many “moving parts” or interfaces between programs and other systems, the system
or interfaces become difficult to secure while still permitting them to operate as intended.
• According to recent findings from the Ponemon Institute, a considerable 83 percent of
respondents believe their organization is at risk because of the intricacy of business and IT
operations. (The Need for a New IT Security Architecture: Global Study on Compliance
Challenges & Security Effectiveness in the Workplace, sponsored by Citrix, 2017)
• To address these challenges, businesses need to be able to streamline the management of
security policies.
Principle 10: Fear, Uncertainty, and Doubt Do Not Work in Selling Security

• At one time, “scaring” management into spending resources on security to
avoid the unthinkable was effective.
• The tactic of fear, uncertainty, and doubt (FUD) no longer works:
Information security and IT management is too mature. Now IS managers
must justify all investments in security using techniques of the trade.
• Although this makes the job of information security practitioners more
difficult, it also makes them more valuable because of management’s need
to understand what is being protected and why.
Principle 11: People, Process, and Technology Are All Needed to Adequately Secure a System or Facility

People, process, and technology controls are essential elements of several
areas of practice in information technology (IT) security, including
operations security, applications development security, physical security, and
cryptography. These three pillars of security are often depicted as a three-legged stool.
Principle 11: People, Process, and Technology Are All Needed to Adequately Secure a System or Facility

• As described in Principle 3, “Defense in Depth as Strategy,” the
information security practitioner needs a series of countermeasures and
controls to implement an effective security system.
• One such control might be dual control, a practice borrowed from the
military.
• The U.S. Department of Defense uses a dual control protocol to secure the
nation’s nuclear arsenal. This means that at least two on-site people must
agree to launch a nuclear weapon.
Principle 11: People, Process, and Technology Are All Needed to Adequately Secure a System or Facility

• But with dual control, one person acts as a countermeasure to the other:
Chances are less likely that both people will make an error in judgment or
act maliciously. Likewise, no one person in an organization should have
the ability to control or close down a security activity.
• This is commonly referred to as separation of duties.
• Process controls
Principle 11: People, Process, and Technology Are All Needed to Adequately Secure a System or Facility

• Technology can fail, and without people to notice and fix technical
problems, computer systems would stall permanently. An example of this
type of waste is installing an expensive firewall system and then turning
around and opening all the ports that are intended to block certain traffic
from entering the network.
Principle 12: Open Disclosure of Vulnerabilities Is Good for Security!

• A raging and often heated debate within the security community and
software developing centers concerns whether to let users know about a
problem before a fix or patch can be developed and distributed.
• Principle 6 tells us that security through obscurity is not an answer.
• Users have a right to know about defects in the products they purchase.
• The need to know trumps the need to keep secrets, to give users the right
to protect themselves.
Proposing a method to assess and treat IT security risks (M1)

1. Establish a risk management framework
• Outline how you would identify risks, who’s responsible, the impact to the
business and how likely it is to occur. Baseline criteria, scale of risk,
acceptable risk (risk appetite).
2. Identify risks
• Create a list of business assets such as files, media, portable devices as well
as content such as Intellectual Property.
3. Analyse risks
• Identify threats and vulnerabilities to each asset.
4. Evaluate risks
• Order security risks from high to low.
5. Select risk treatment options
• Define exactly who is going to implement each control, in which timeframe,
with which budget, etc.

Research: ISO 27001 risk assessments (ISO = International Organization for
Standardization).
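A worked risk register covering steps 2 to 5 of the method above and the four risk ratings from Principle 7 (Extreme, High, Moderate, Low). This is an added example, not part of the original slides or of ISO 27001: the 1-5 likelihood and impact scales, the score thresholds for each rating, the risk appetite and the sample assets and threats are all constructed assumptions that an organisation would set for itself in step 1.

```python
"""Score, rate and order a risk register; treat each risk by its score."""
from dataclasses import dataclass

# Constructed thresholds on the likelihood x impact product (1..25). These
# stand in for the "scale of risk" an organisation defines in step 1.
# Ratings and required actions are the four from Principle 7.
RATING_BANDS = (
    (20, "Extreme", "Immediate action is required"),
    (12, "High", "Senior management's attention is needed"),
    (6, "Moderate", "Management responsibility must be specified"),
    (0, "Low", "Handled by routine procedures"),
)
# Constructed risk appetite: scores at or below this are accepted (step 5),
# everything above must be treated.
RISK_APPETITE = 6


@dataclass
class Risk:
    asset: str        # from the asset list built in step 2
    threat: str       # threat/vulnerability identified in step 3
    likelihood: int   # 1 (rare) .. 5 (almost certain)
    impact: int       # 1 (negligible) .. 5 (catastrophic)

    def score(self) -> int:
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError("likelihood and impact must be in 1..5")
        return self.likelihood * self.impact


def rate(score: int) -> tuple:
    """Map a score onto (rating, required action) using RATING_BANDS."""
    for threshold, rating, action in RATING_BANDS:
        if score >= threshold:
            return rating, action
    raise ValueError(f"score out of range: {score}")


def evaluate(register: list) -> list:
    """Step 4: order the register from high to low, annotating each entry
    with its rating, the action it requires and the treatment decision."""
    rows = []
    for risk in register:
        score = risk.score()
        rating, action = rate(score)
        treatment = "accept" if score <= RISK_APPETITE else "mitigate"
        rows.append({"asset": risk.asset, "threat": risk.threat,
                     "score": score, "rating": rating,
                     "action": action, "treatment": treatment})
    return sorted(rows, key=lambda row: row["score"], reverse=True)


# Constructed sample register: the threats mirror the risk categories
# listed under "IT security risks" and "Naturally occurring risks".
SAMPLE_REGISTER = [
    Risk("customer database", "unauthorised copying of data", 3, 5),
    Risk("laptop fleet", "theft of a portable device", 4, 3),
    Risk("backup tapes", "accidental overwrite (backup policy confusion)", 2, 4),
    Risk("office printer", "hardware failure during normal use", 3, 1),
]


if __name__ == "__main__":
    for row in evaluate(SAMPLE_REGISTER):
        print(f"{row['score']:>2} {row['rating']:<9} {row['asset']}: "
              f"{row['threat']} -> {row['treatment']} ({row['action']})")
```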
