Risk Management and Privacy Awareness PDF

Summary

This document discusses risk management and privacy awareness, focusing on the risk assessment process and how to estimate the potential cost of security breaches together with the likelihood of those breaches in an organization. It defines the terms used in that process (asset, threat, threat severity, threat strength, threat event frequency, vulnerability, security control, impact, likelihood, risk, and level of risk). The document also covers privacy impact assessment and the privacy awareness, training, and education program.

Full Transcript


IT2028 Risk Management and Privacy Awareness

Risk Assessment Process

The objective of risk assessment is to enable organization executives to determine an appropriate budget for security and, within that budget, implement security controls to optimize the level of protection. This objective is met by providing an estimate of the potential cost to the organization of security breaches, coupled with an estimation of the likelihood of such breaches. Figure 1 illustrates in general terms the universally accepted method for determining the level of risk.

Figure 1. Method for Determining Information Security Risk

Asset: An item of value to the achievement of organizational mission/business objectives. An asset may be specifically related to information processing, including any data, device, or other components of the environment that supports information-related activities that can be used, disclosed, altered, destroyed, and/or stolen, resulting in a loss.

Threat: Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service.

Threat severity: The magnitude of the potential of a threat event to impose a cost on an organization. In other words, threat severity is a measure of how much damage a given threat can do.

Threat strength: Also referred to as threat capability, the probable level of force that a threat agent can apply against an asset. As an example, consider an adversary attempting to obtain root privileges on a server. With root privileges, the adversary may be able to read, alter, or delete files and may be able to encrypt files for ransomware.

Threat event frequency: The probable frequency, within a given time frame, that a threat agent will act against an asset.

Vulnerability: Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.

Security control: A safeguard or countermeasure prescribed for an information system or an organization designed to protect the confidentiality, integrity, and availability of its information and meet a set of defined security requirements.

Impact: The magnitude of harm that can be expected to result from the consequences of unauthorized disclosure of information, unauthorized modification of information, unauthorized destruction of information, or loss of information or information system availability.

Likelihood: Also called loss event frequency, the probable frequency, within a given time frame, that a threat agent will inflict harm upon an asset.

Risk: A measure of the extent to which an entity is threatened by a potential circumstance or event.

05 Handout 1 *Property of STI [email protected] Page 1 of 3

Level of risk: The magnitude of a risk or a combination of risks, expressed in terms of the combination of consequences and their likelihood.

Privacy Risk Assessment

Privacy impact assessment (PIA) is an analysis of how information is handled to ensure that handling conforms to applicable legal, regulatory, and policy requirements regarding privacy. A typical approach to estimating privacy impact is to look at the two factors that contribute to the impact:
o Prejudicial potential: An estimation of how much damage would be caused by all the potential consequences of a threat
o Level of identification: An estimation of how easy it is to identify data subjects with the available data processed by the available software

Privacy Awareness

A critical element of an information privacy program is the privacy awareness, training, and education program. It is the means for disseminating privacy information to all employees, including IT staff, IT security staff, management, IT users, and other employees. A workforce that has a high level of privacy awareness and appropriate privacy training for everyone's role is as important as any other privacy countermeasure or control.

Privacy awareness is the extent to which staff understands the importance of information privacy, the level of privacy required for personal information stored and processed by the organization, and their privacy responsibilities.

Privacy culture is the extent to which staff demonstrates expected privacy behavior in line with their privacy responsibilities and the level of privacy required for personal information stored and processed by the organization.

Figure 2. Cybersecurity Learning Continuum

Awareness: A set of activities that explains and promotes security, establishes accountability, and informs the workforce of security news. Participation in security awareness programs is required for all employees.

Cybersecurity essentials: Intended to develop secure practices in the use of IT resources. This level is needed for employees, including contractor employees, who are involved in any way with IT systems. It provides the foundation for subsequent specialized or role-based training by providing a universal baseline of key security terms and concepts.

Role-based training: Intended to provide the knowledge and skills specific to an individual's roles and responsibilities relative to information systems. Training supports competency development and helps personnel understand and learn how to perform their security roles.

Education/certification: Integrates all of the security skills and competencies of the various functional specialties into a common body of knowledge and adds a multidisciplinary study of concepts, issues, and principles.
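As an added example that is not part of the handout, the factors defined above can be combined into a small estimator: loss event frequency from threat event frequency and the chance that threat strength beats the control, annualized loss from that likelihood and impact, a qualitative level of risk, the two privacy impact factors, and the choice of a control within a security budget. The decomposition follows the FAIR model these definitions mirror; the linear vulnerability model, the rating thresholds, the control names and all numbers are assumptions.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Scenario:
    name: str                      # asset and threat being assessed
    threat_event_frequency: float  # probable threat events per year against the asset
    threat_strength: float         # 0..1, probable force the threat agent can apply
    control_strength: float        # 0..1, resistance offered by the security control
    impact: float                  # expected loss per successful event (currency units)

def vulnerability(threat_strength, control_strength):
    # Probability the threat's strength overcomes the control (linear gap model: an assumption).
    return min(1.0, max(0.0, 0.5 + threat_strength - control_strength))

def loss_event_frequency(s):
    # Likelihood as the handout defines it: how often the agent actually inflicts harm.
    return s.threat_event_frequency * vulnerability(s.threat_strength, s.control_strength)

def annualized_loss(s):
    return loss_event_frequency(s) * s.impact  # likelihood combined with impact

def band(value, low, high):
    return 0 if value < low else (1 if value < high else 2)

def level_of_risk(s):
    # Qualitative level of risk from likelihood and consequence (thresholds are constructed).
    score = band(loss_event_frequency(s), 0.1, 1.0) + band(s.impact, 10_000, 100_000)
    return ("Low", "Low", "Medium", "High", "High")[score]

def privacy_impact(prejudicial_potential, level_of_identification):
    # Each factor rated 1 (negligible) to 4 (maximum); summing them is an assumption.
    score = prejudicial_potential + level_of_identification
    return "Low" if score <= 3 else ("Medium" if score <= 5 else "High")

def best_control_within_budget(s, controls, budget):
    # Affordable control with the largest net loss reduction; controls: (name, cost, strength, impact).
    best = None
    for name, cost, strength, impact in controls:
        if cost > budget:
            continue
        after = replace(s, control_strength=strength, impact=impact)
        net = annualized_loss(s) - annualized_loss(after) - cost
        if best is None or net > best[1]:
            best = (name, net)
    return best

# Constructed sample values built on the handout's root-privileges example.
ROOT_RANSOMWARE = Scenario("file server: adversary gains root and deploys ransomware",
                           threat_event_frequency=2.0, threat_strength=0.8, control_strength=0.6, impact=250_000)
CONTROLS = [("patch+MFA", 30_000, 0.95, 250_000), ("backups", 20_000, 0.6, 40_000), ("EDR", 120_000, 0.99, 60_000)]
```

With the sample values the server scenario rates High at about 350,000 per year, and within a 50,000 budget the backups control gives the best net reduction because it lowers the impact rather than the likelihood.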
All employees have some responsibilities related to the protection of personally identifiable information (PII), so all employees must have suitable awareness training. This training seeks to focus an individual's attention on an issue or a set of issues. Awareness training is a program that continually pushes the privacy message to users in a variety of formats. A privacy awareness program must reach all employees, not just those with access to IT resources. Such topics as physical security, protocols for admitting visitors, social media rules, and social engineering threats are of concern to all employees.
