
Risk Assessment Procedures

RISK ASSESSMENT PROCEDURES
TOPIC I
Stark Industry
WHAT IS RISK ASSESSMENT?
A risk assessment is defined as a systematic process of detecting hazards and analyzing any related risks in the workplace, followed by implementing feasible control measures to eliminate or reduce those hazards.
There are multiple types of risk assessment methods, and the one we choose should be relevant to the operational activities of Stark Industry.
RISK ASSESSMENT PROCEDURE
1. Identifying potential hazards
2. Identifying who might be harmed by those hazards
3. Evaluating risk (severity and likelihood) and establishing suitable precautions
4. Implementing controls and recording your findings
5. Reviewing your assessment and re-assessing if necessary.
1. IDENTIFYING POTENTIAL HAZARDS
While hackers and malware probably leap to mind, threats come in a variety of forms. Among them are:
1. Physical Threats
2. Technical Threats
3. Natural Threats
Furthermore, Stark Industry has a duty to assess the health and safety risks faced by its employees. The organization must systematically check for possible
1. Physical Hazards
2. Mental Hazards
3. Chemical Hazards
faced by the employees.
2. IDENTIFYING WHO/WHAT MIGHT BE AFFECTED
This phase entails determining who might be harmed as a result of the potential hazards. It's
also important to consider how they might be affected, whether by direct or indirect
interaction.
1. Employees
2. Contractors
3. Customers
And also a comprehensive list of all important assets, such as:
1. Software
2. Hardware
3. Network
3. EVALUATE RISK SEVERITY AND LIKELIHOOD
Examine the likelihood of a vulnerability being exploited, taking into account the
type of vulnerability, the threat source's capability and motive, and the presence and
efficacy of your controls.
Analyze the impact that an incident would have on the asset that is lost or damaged,
including the following factors:
1. The mission of the asset and any processes that depend upon it
2. The value of the asset to the organization
3. The sensitivity of the asset
4. IMPLEMENTING CONTROLS…
Using the risk level as a basis, determine the actions needed to mitigate the risk. Here
are some general guidelines for each level of risk:
1. High — A plan for corrective measures should be developed as soon as possible.
2. Medium — A plan for corrective measures should be developed within a
reasonable period of time.
3. Low — The team must decide whether to accept the risk or implement corrective
actions.
4. …RECORDING OF YOUR FINDINGS
During the same phase it is important to provide a risk assessment report to assist management in making suitable budget, policy, and process decisions, and so on.
The report should detail the corresponding vulnerabilities, assets at risk, impact on your IT infrastructure, probability of occurrence, and control recommendations for each threat.
5. REVIEWING YOUR ASSESSMENT
A risk assessment must be reviewed on a regular basis in order to:
1. Ensure that agreed-upon safe working practices are followed (e.g., that
supervisors and line managers follow management's safety instructions);
2. And take into account any new working practices, new machinery, or more
demanding work targets.
SECURITY POLICY
Stark Industry
CREATING A STRONG PASSWORD POLICY
WHAT IS A STRONG PASSWORD POLICY?
A password policy is a collection of rules designed to improve computer security by encouraging
users to develop strong, secure passwords and then properly store and use them.
1. Use Complicated Passwords: Enforcing password complexity criteria is a useful first step in preventing brute force attacks. All users can be required to use a combination of characters, numbers, and upper- and lower-case letters.
2. Set a Minimum Password Length: You can improve the security of your company's passwords by establishing a minimum character length. A minimum of eight characters is the usual norm. The use of a minimum character length of 14 characters is becoming more common.
3. Minimum Password Reset Durations: Minimum password reset periods are common for increased security. This can also be changed for the organization's more vital functions.
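As an added example (not code from the deck), the three rules above expressed as a policy checker in Python; the 90-day maximum age, the stricter 14-character "vital" tier, and the sample passwords are assumed values chosen for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
import string


@dataclass
class PasswordPolicy:
    """Policy knobs matching the deck's three rules (default values are assumptions)."""
    min_length: int = 8            # deck: 8 is the usual norm, 14 increasingly common
    require_upper: bool = True
    require_lower: bool = True
    require_digit: bool = True
    require_symbol: bool = True
    max_age_days: int = 90         # assumed reset period; tighten for vital functions


def check_password(password: str, policy: PasswordPolicy) -> list[str]:
    """Return the list of policy violations; an empty list means the password complies."""
    violations = []
    if len(password) < policy.min_length:
        violations.append(f"shorter than {policy.min_length} characters")
    checks = [
        (policy.require_upper, any(c.isupper() for c in password), "no upper-case letter"),
        (policy.require_lower, any(c.islower() for c in password), "no lower-case letter"),
        (policy.require_digit, any(c.isdigit() for c in password), "no digit"),
        (policy.require_symbol, any(c in string.punctuation for c in password), "no symbol"),
    ]
    for required, present, message in checks:
        if required and not present:
            violations.append(message)
    return violations


def reset_due(last_changed: date, policy: PasswordPolicy, today: date) -> bool:
    """True when the password is older than the policy's maximum age (rule 3)."""
    return today - last_changed > timedelta(days=policy.max_age_days)


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    standard = PasswordPolicy()
    vital = PasswordPolicy(min_length=14, max_age_days=30)  # stricter tier for vital functions
    for pw in ["password", "Tr0ub4dor&3", "correct horse battery staple"]:
        print(repr(pw), "standard:", check_password(pw, standard) or "OK",
              "| vital:", check_password(pw, vital) or "OK")
    print("reset due:", reset_due(date(2021, 6, 1), standard, date(2021, 9, 15)))
```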
ADDITIONAL CONSIDERATIONS ~ STRONG PASSWORD POLICY
1. Everyone on your staff should be trained on how to create and keep strong passwords. This training should be required not only for new hires, but also for current personnel.
2. In some cases, investing in a password manager is a good idea. They can keep track of each user's passwords across all of their websites and enable secure automated logins.
3. Furthermore, two-factor authentication (2FA) can be used in conjunction with a strong password policy.
PHYSICAL SECURITY POLICY
WHAT IS PHYSICAL SECURITY POLICY?
Internally and externally, organizations are linked. Your gates, doors, and buildings are assets
that you use in your daily operations. When you have a physical security policy in place, you
provide a sense of protection and safety in the workplace.
The following policies have been defined to ensure physical security:
1. Physical access to server rooms/areas must be strictly controlled, and servers must be kept in server racks under lock and key.
2. Critical backup media must be stored in a vault in a fireproof off-site location.
3. To prevent unauthorized physical access, damage, and interference, security perimeters and CCTV cameras must be put in place to protect areas containing information systems.
4. Visitors' access records must be kept on file.
BACKUP POLICY
A backup policy is a set of rules that ensures data recovery in the event of an unintentional data deletion or corruption.
WHAT TO INCLUDE IN YOUR BACKUP POLICY
1. Back up all data during off-peak hours.
2. Keep off-site backups.
3. Ensure that all backups are encrypted.
4. Allow only a small number of employees to access backups.
5. Ensure that your vendor is reputable, properly vetted, and provides 24-hour support.
NETWORK SECURITY POLICY
WHAT IS A NETWORK SECURITY POLICY
A network security policy is a set of standardized practices and procedures that outlines rules for network access, the architecture of the network, and security environments, and determines how policies are enforced.
What to include in this policy
1. Internet Access
2. VPN Policy
3. Firewall Policy
4. Device Security
5. Wireless LAN Policy
6. DMZ Policy
7. Port Communication Policy
8. Remote Access Policy
INFORMATION SECURITY POLICY
An information security policy (ISP) is a set of guidelines for people who work with IT assets.
WHAT IS AN INFORMATION SECURITY POLICY
a. An information security policy (ISP) is a set of guidelines for people who work with IT assets. To ensure that your employees and other users follow security protocols and procedures, your company can develop an information security policy.
b. Developing an effective security policy and ensuring compliance is a critical step in preventing and mitigating security breaches. To be truly effective, your security policy should be updated in response to changes in your company, new threats, conclusions drawn from previous breaches, and other changes to your security posture.
CRITICAL FACTORS TO CONSIDER WHILE CREATING AN
INFORMATION SECURITY POLICY.
1. State the policy's goal in the first paragraph.
2. Define the target audience for the information security
policy.
3. Assist your management team in defining well-defined
strategy and security objectives.
4. Unique logins that require authentication are mandated by
authority and access control policies.
5. The policy should categorize data into groups. Ex:
Confidential, Top Secret, Public
6. Data support and operations
7. Inform your employees about IT security policies.
CONCLUSION
All the individual policies mentioned should be included in one single document, with the following defined clearly:
1. Policy Objectives
2. Scope of the Policy
3. Policy Maintenance
4. Policy Enforcement
5. User Responsibilities
DISASTER RECOVERY PLAN
TOPIC II
Stark Industry
WHAT IS A DISASTER RECOVERY PLAN
a. A disaster recovery plan (DRP) is a documented policy that helps an organization execute recovery processes in the event of a disaster.
b. A disaster recovery plan's goal is to thoroughly explain the steps that must be taken before, during, and after a natural or man-made disaster.
What should a disaster recovery plan include?
1. Personnel
2. Goals
3. IT inventory
4. Backup procedures
5. Disaster recovery procedures
6. Disaster recovery sites
7. Restoration procedures
JUSTIFICATION OF DRP GOALS
1. A statement of aims will outline the recovery time objective (RTO) and the recovery point objective (RPO). The recovery point objective specifies how much data (in terms of recent modifications) the business is willing to lose in the event of a disaster.
2. Every disaster recovery plan must specify who is in charge of putting the plan into action.
3. A current IT inventory should include information on all hardware and software assets, as well as any cloud services required for the company's operations.
4. The DRP must specify how each data resource is backed up, including where it is stored and on what devices.
5. Procedures for disaster recovery, which should be distinct from backup procedures, should cover all emergency responses, including last-minute backups, mitigation measures, damage limiting, and cybersecurity threat elimination.
6. A hot disaster recovery site should be designated in any comprehensive disaster recovery plan. All data can be frequently backed up to or copied to a hot disaster recovery site if it is located remotely.
7. Finally, ensure that the disaster recovery plan includes specific restoration methods for recovering from a loss of full system functionality by following best practices. In other words, the strategy should include every detail necessary to get each component of the business back online.
ISO 31000 AND RISK MANAGEMENT
ISO 31000 is an international standard risk management process. It is applicable to
any organization, regardless of size, activity, or sector. It ensures economic resilience,
professional reputation, and environmental and safety outcomes.
ISO 31000 family consists of:
1. ISO 31000:2018 (Principles and Guidelines on Implementation)
2. ISO/IEC 31010:2009 (Risk Assessment Techniques)
3. ISO Guide 73:2009 (Risk Management Vocabulary)
RISK MANAGEMENT PROCESS OUTLINED IN THE ISO 31000
Before the implementation, the organization must design a framework for managing risk. This includes:
1. Risk identification
2. Risk analysis
3. Risk evaluation
4. Risk treatment
5. Establishing the context
6. Monitoring and review
7. Communication and consultation
IMPLEMENTING AND ASSESSING
The decision to implement an ISO 31000-based risk management framework is frequently a simple one, as it is well documented. Stark Industry can ensure that all minimum practices required for the implementation of a risk management program are covered by following it.
ISO 31000 states that the success of risk management will depend on the effectiveness of the management. So the risk management process should be:
1. An integral part of management;
2. Embedded in the culture and practices;
3. Tailored to the business processes of the organization.
ISO 31000 AND ITS IMPORTANCE
Risk management enables an organization to ensure that it is aware of and
comprehends the risks that it faces. Adopting an effective risk management process
within Stark Industry will have a number of advantages, including:
1. Increased likelihood of achieving goals
2. Proactive management is encouraged
3. Throughout the organization, there is a greater awareness of the importance of identifying and treating risk
4. Mandatory and voluntary reporting is improved
5. Increased stakeholder trust and confidence
6. Effective resource allocation and utilization for risk management
CONCLUSION