Moving on to module four. Module four pertains to clause six: an introduction to information security risk management.
We will cover basic information security risk terms, and we'll go over a simple example of what risk is. Information security risk basically comes down to the following.
If you've had experience with or exposure to information security, then I'm sure you will have some level of understanding of the information security risk management process.
But because this is the underpinning element of the entire ISO 27001 standard, and of the way the ISMS is meant to be run and continually improved, we're going to spend some time going through the elements of information security risk management.
In this course, information security risk management is a bit different from normal IT risk management, in that it goes into a lot more detail on what actually presents a risk.
Why do we have information security at all in the first place?
We have information assets, some of which are extremely valuable to the organization, that we want to protect.
There are a variety of threats to these assets, and the risk management process helps us to understand these threats and identify which ones are the most likely to be a real danger to us.
A threat, of course, poses no real danger unless there is some vulnerability present that could be exploited.
A vulnerability is simply a missing control, or a control that is not operating as intended.
This makes it easy for a threat to exploit and gain access to the asset, whether it is to steal the asset, alter the asset or destroy the asset.
We will get into the impact and all of that in the coming sections.
But when we are assessing information security risks, especially for our ISMS, it is important to keep in mind the CIA triad of confidentiality, integrity and availability.
Let's take a look at a simple example.
You want to protect your secret recipe for your company's best-selling donuts. That secret recipe is your information asset.
It's quite a valuable asset to your organization, as your sales and profits are directly linked to this recipe.
You also have some goodwill and brand value attached to this asset, so let's just say it's a very valuable asset.
We want to make sure that this asset is protected, so we need to identify what the possible risks around this asset could be.
The next step, once we know what we are protecting, is to look at the threats to the assets.
We'll get into threats in more detail in the next sections, but for now, let's say the biggest threat is our top competitor.
They really want to get our recipe for themselves and steal our customer base.
Once we know who or what is trying to get our asset, we need to assess the ways in which this asset could be obtained.
Is the recipe stored in hard copy? Is it kept in a safe? Is the safe kept locked? Who has access to the safe?
One of your trusted employees has access to the safe and has recently fallen into difficult times.
A risk here is that your competitor learns this information, approaches the employee and offers them a substantial amount of money to give them the recipe.
We now have a threat as well as a vulnerability existing together, so there is a risk that needs to be addressed.
We'll talk about addressing risks in more detail in the coming sections.
Let's go over these points again.
What are we protecting? Ultimately, we are protecting information assets. These information assets can exist across a variety of other assets, including hardware, software, networks and even people.
What are we ultimately protecting these against? Threats, which could be people, natural in nature or environmental, and we'll get into that in the coming sections.
What could allow threats to get access to the assets? Vulnerabilities.
When a threat and a vulnerability exist together, a risk is present.
The risk likelihood and impact need to be determined, and once that has been determined, the risk needs to be appropriately treated.
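The steps just summarised (asset, threat, vulnerability, a risk present only where the two coincide, likelihood and impact, then treatment), as a small worked example in Python. This is illustration code added here, not material from the course or from ISO 27001; the 1-to-5 scale, scoring by likelihood times impact, the treatment threshold, the "modify"/"retain" labels and the donut-recipe sample data are all constructed assumptions.

```python
# Added worked example (not from the course): a minimal model of the risk
# identification steps described above. Scale, thresholds, treatment labels
# and the sample donut-recipe data are constructed assumptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    value: int  # 1 (low) to 5 (critical): how much the organisation stands to lose


@dataclass(frozen=True)
class Threat:
    name: str
    source: str       # "people", "natural" or "environmental", as the course groups them
    likelihood: int   # 1 (rare) to 5 (almost certain) that this threat acts


@dataclass(frozen=True)
class Vulnerability:
    description: str
    missing_control: str        # the absent or failing control
    exploitable_by: frozenset   # names of threats that can use this weakness
    cia: frozenset              # which CIA properties it affects


@dataclass(frozen=True)
class Risk:
    asset: Asset
    threat: Threat
    vulnerability: Vulnerability

    @property
    def likelihood(self) -> int:
        return self.threat.likelihood

    @property
    def impact(self) -> int:
        return self.asset.value

    @property
    def score(self) -> int:
        # Simple qualitative scoring: likelihood x impact (constructed 1-25 scale)
        return self.likelihood * self.impact


def identify_risks(asset, threats, vulnerabilities):
    """A risk exists only where a threat and a vulnerability it can exploit coincide."""
    risks = [
        Risk(asset, threat, vuln)
        for threat in threats
        for vuln in vulnerabilities
        if threat.name in vuln.exploitable_by
    ]
    return sorted(risks, key=lambda r: r.score, reverse=True)


def treatment(risk, threshold=10):
    """Constructed decision rule: scores at or above the threshold must be reduced."""
    if risk.score >= threshold:
        return f"modify: implement '{risk.vulnerability.missing_control}'"
    return "retain: accept and monitor"


# Constructed sample data following the course's donut-recipe example
RECIPE = Asset("secret donut recipe", value=5)

THREATS = [
    Threat("competitor", "people", likelihood=4),
    Threat("burglar", "people", likelihood=2),
    Threat("fire", "environmental", likelihood=1),
]

VULNERABILITIES = [
    Vulnerability(
        "trusted employee with safe access has recently fallen into financial difficulty",
        missing_control="dual control on safe access",
        exploitable_by=frozenset({"competitor"}),
        cia=frozenset({"confidentiality"}),
    ),
    Vulnerability(
        "recipe exists only as a single hard copy in the safe",
        missing_control="off-site backup copy",
        exploitable_by=frozenset({"fire"}),
        cia=frozenset({"availability"}),
    ),
    # The safe itself is kept locked, so no vulnerability lists the burglar:
    # a threat with no exploitable vulnerability produces no risk.
]


def risk_register(asset=RECIPE, threats=THREATS, vulnerabilities=VULNERABILITIES):
    """Return (threat, CIA properties, score, treatment) rows, highest risk first."""
    return [
        (r.threat.name, sorted(r.vulnerability.cia), r.score, treatment(r))
        for r in identify_risks(asset, threats, vulnerabilities)
    ]


if __name__ == "__main__":
    for row in risk_register():
        print(row)
```

Run as a script, it lists two rows: the competitor scenario scores 20 and is flagged for treatment, the fire scenario scores 5 and is retained, and the burglar produces no row at all because the locked safe leaves it no vulnerability to exploit. The point the model makes explicit is the one the course states: a threat on its own is not a risk, and a vulnerability on its own is not a risk either.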
In this unit 4.1 we covered that understanding what you are protecting is the fundamental component of information security risk management.
We also covered who you are protecting your asset from, which is the next step in information security risk management; in other words, your threat identification.
We covered that understanding vulnerabilities and threats together gives rise to risk scenarios, and that risks ultimately need to be treated.