**Risk Management and Risk Control**

Risk monitoring and control is where you keep track of how the risk responses are being carried out against the schedule, and where newly identified project risks are handled.

Function of risk management: make sure that you have a response plan for each identified risk. It is not very helpful if a risk becomes a reality (an issue) and you have no alternate execution path or emergency procurement plan.

Main inputs to effectively monitor and control risks:

**Business Continuity Management (BCM)**

**Business Continuity Plan (BCP)**

**Assessing Maximum Tolerable Downtime (MTD)**

Exceeding the MTD results in serious harm to the profitability of the enterprise. Depending on the process, the MTD can be hours, days, or longer.

The following is an example of a BCP/DRP timeline.

**Stage 1: Business as usual**

All systems are running in production at this stage and are functioning correctly.

**Stage 2: Disaster**

A disaster happens at a certain point in time, and the systems need to be repaired. The **Recovery Point Objective (RPO)** specifies the maximum tolerable amount of data loss, measured as the time between the last usable backup and the disaster. An RPO of 15 minutes, for example, means that at most 15 minutes of work may be lost, so backups must complete at least that often.

**Stage 3: Recovery**

The systems are back online at this point and are being recovered, but they are not yet ready for production. The **Recovery Time Objective (RTO)** is the maximum acceptable time to get all critical services back online; it covers, for example, restoring data from backup or fixing a failure. This stage is mostly handled by the server, network, and storage administrators.

**Stage 4: Resume production**

At this point all systems have been restored, the security of the network and the integrity of the data have been checked, and all essential infrastructure can resume regular operation.
The **Work Recovery Time (WRT)** is the maximum tolerable time needed to verify system and data integrity after the RTO has elapsed. For example, it might be necessary to check databases and logs to ensure that programs and services are consistent and available. The sum of the RTO and the WRT is the MTD, the maximum time that the operational process can be disrupted without harmful effects.

**Review and Test the Plan**

**BCP Testing**

Four steps to better business continuity plan testing:

**Test for DRP**

How do you test a strategy to recover from a disaster?

**Backing up Data - Why is it important?**

Backing up data allows you to retrieve data you have lost. It is like hitting the rewind button and returning the computer to the state it was in before the accident took place.

**Data Backup - What to Back Up?**

So how do we classify the files needed, and where do we find them? As a rule of thumb, the files you create are the files you are expected to back up. Operating system files and directories, installed programs, and temporary files do not need to be backed up, since they can be reinstalled.

**Backup Frequency**

How often you back up depends on how often you change your files. If you update and save your documents regularly, back up at least once a day. Some files (such as data logs) may be updated many times a day, in which case a process designed for real-time (continuous) backup is more suitable. The backup interval also bounds the RPO: whatever was written since the last completed backup is lost in a disaster.

**Where to back up your data?**

The choice of media depends on multiple factors, including backup size, setup complexity, portability, security requirements, budget, and whether the backup is kept on-site or off-site. Some examples:

**Different Backup and Recovery Types**

The various forms of backup available to IT personnel include:

**Phases of the response to the incident**
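Putting the RPO, RTO, WRT and MTD definitions above together with the backup-frequency discussion, here is an added worked example (not part of the original module) that checks one process's continuity parameters for consistency: the data actually lost in a scenario against the RPO, the backup interval against the RPO, and RTO + WRT against the MTD. The backup completion times, the disaster time and every objective value are constructed sample data, and the function names are assumptions for illustration.

```python
from datetime import datetime

# Constructed sample data, not taken from the module: completion times of the
# backups of a hypothetical order database, and the moment the disaster struck.
BACKUP_COMPLETIONS = [
    datetime(2024, 3, 4, 0, 0),    # nightly full backup
    datetime(2024, 3, 4, 9, 0),    # hourly backups during the working day
    datetime(2024, 3, 4, 10, 0),
    datetime(2024, 3, 4, 11, 0),
]
DISASTER_AT = datetime(2024, 3, 4, 11, 40)


def data_loss_minutes(backups, disaster_at):
    """Minutes of work lost: the gap between the last backup that completed
    before the disaster and the disaster itself. A backup still running when
    the disaster struck is unusable and is therefore ignored."""
    completed = [b for b in backups if b <= disaster_at]
    if not completed:
        raise ValueError("no backup completed before the disaster")
    return int((disaster_at - max(completed)).total_seconds() // 60)


def evaluate_bcp(rpo_min, rto_min, wrt_min, mtd_min, backup_interval_min,
                 backups, disaster_at):
    """Check one process's continuity parameters (all durations in minutes).

    Returns the computed values plus a list of findings; an empty list means
    the plan is internally consistent for this scenario.
    """
    findings = []

    loss = data_loss_minutes(backups, disaster_at)
    if loss > rpo_min:
        findings.append(f"data loss of {loss} min exceeds RPO of {rpo_min} min")

    # A schedule can only meet the RPO if a backup completes at least once per
    # RPO interval; a longer interval guarantees the RPO will be missed.
    if backup_interval_min > rpo_min:
        findings.append(f"backup interval of {backup_interval_min} min is longer "
                        f"than RPO of {rpo_min} min")

    # MTD = RTO + WRT: time to restore plus time to verify must fit in the MTD.
    recovery_total = rto_min + wrt_min
    if recovery_total > mtd_min:
        findings.append(f"RTO + WRT = {recovery_total} min exceeds MTD of {mtd_min} min")

    return {"data_loss_min": loss, "recovery_total_min": recovery_total,
            "findings": findings}


if __name__ == "__main__":
    result = evaluate_bcp(rpo_min=15, rto_min=120, wrt_min=60, mtd_min=240,
                          backup_interval_min=60,
                          backups=BACKUP_COMPLETIONS, disaster_at=DISASTER_AT)
    for finding in result["findings"]:
        print("FINDING:", finding)
```

With the sample schedule the 11:00 backup is the last usable one, so 40 minutes of work are lost, which violates a 15-minute RPO; an hourly schedule can never satisfy that RPO, which is the second finding. The restore-plus-verification total of 3 hours fits within a 4-hour MTD, so no MTD finding is raised.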
**Trigger the disaster response program**

Activation includes all of the relevant methods and procedures needed to ensure that the DRP can be activated:

**Guidelines for Activation Based on Case Analysis**

As the activation procedures are prepared, the activities of the event analysis must be adequately specified by answering the following questions:

**Primary Steps to Disaster Recovery**

Steps to disaster recovery:

**Restore Damaged Systems**

You must plan for rebuilding damaged systems.

**Recovery Alternatives**

Three choices are usually considered if a business (or some part of it) has to be moved for recovery:

- Commercially leased installations, such as hot sites or mobile facilities;
- An arrangement with an internal or external facility;

**Law and ethics in information security**

Ultimately, people elect to trade some facets of personal liberty for the good of society.

**Types of Law**

**Cybersecurity in our country**

The Cybercrime Prevention Act of 2012 (CPA) considers the following to be cybercrimes:

The Rule of the **Supreme Court on Cybercrime Warrants (A.M. No. 17-11-03-SC)** regulates the application for and issuance of warrants and related orders for the preservation, disclosure, interception, search, seizure, examination, custody, and destruction of computer data, as provided for in the CPA.

The **Electronic Commerce Act of 2000 (ECA)** provides for the legal recognition of electronic documents, commercial communications and signatures, government transactions, and evidence in court proceedings. The ECA penalizes hacking and the piracy of protected material, electronic signatures, or copyrighted works, and limits the liability of service providers that merely provide access.

The **Access Devices Regulation Act of 1998 (ADRA)** penalizes various acts of fraud involving access devices, such as the use of counterfeit access devices.
An access device is any card, plate, code, account number, electronic serial number, personal identification number, or other telecommunications service, equipment, or instrument identifier, or other means of account access that can be used to obtain money, goods, or services.

The **Data Privacy Act of 2012 (DPA)** governs the collection, storage, and disclosure of personal information, particularly sensitive personal information, in both the government and the private sector in the Philippines; creates the National Privacy Commission (NPC) as the regulatory authority; and mandates that personal information controllers take reasonable and appropriate measures to secure personal information and to notify the NPC and affected data subjects of breaches.

Effective July 1, 2018, the Philippines acceded to the Budapest Convention on Cybercrime.

**Privacy**

In the 21st century, privacy has become one of the toughest questions in information security. Many organizations gather, swap, and sell personal information as a trade good, and many people look to governments for privacy protection.

**Privacy of Customer Information**

With the passage of the Data Privacy Act of 2012, the Philippines introduced a robust data security and privacy rights policy for organizations that operate within the country. Organizations are required to meet all data privacy requirements and ensure data security to the highest standards, failing which they will be liable to serious fines and legal action. With the banking and business process outsourcing (BPO) industries booming in the Philippines, these data privacy laws are vital to the development of a secure environment for these industries in the region. Lawful access to information, confidentiality, and data protection are some of the strong reasons that will help fuel service sector growth and e-governance in the Philippines.

**Identity Theft**

For the purposes of the statute, alteration refers to the modification or change, in form or substance, of existing computer data or a program.
\"The usual identification information about a person includes his name, citizenship, address of residence, contact number, place and date of birth, if any, his spouse\'s name, occupation, and the like. The law punishes those who without right obtain or use such identifying information, indirectly to cause harm. The theft of identity information must obviously be intended for an unlawful purpose. Furthermore, the acquisition and dissemination of information made public by the user himself cannot be considered a form of theft." **Intellectual Property** **Intellectual property ( IP)** is a type of properties encompassing the intangible works of the human intellect. There are several forms of intellectual property and certain nations are more accepted than others. The most popular categories contain copyrights, licenses, logos, and trade secrets. **Philippine Copyright Law** The **copyright law in Philippine** or officially recognized as the **Republic Act No. 8293** is based on United States copyright law. Furthermore, Philippine copyright law protects trademarks , patents and even different forms of intellectual property. You may also have learned of the Optical Media Act, which seeks to shield local artists from piracy. Computer programs and video games are protected under the same Act. **Ethics and Information Security** *[**(https://mafiadoc.com/legal-ethical-and-professional-issues-in-information-security\_599eb5da1723dd0f406ee946.html**/](https://mafiadoc.com/legal-ethical-and-professional-issues-in-information-security_599eb5da1723dd0f406ee946.html)* [***https://renzjiodionisio.blogspot.com/2010/08/ethics-technology.html)***](https://renzjiodionisio.blogspot.com/2010/08/ethics-technology.html) **"The Ten Commandments of Computer Ethics"^13^** 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 
**Codes of Ethics and Professional Organizations**

"It is the duty of support personnel to behave ethically and in compliance with their employers' policies and practices, their professional associations, and the laws of society." It is also the duty of the company to create, disseminate, and enforce its policies. (Source: https://mafiadoc.com/legal-ethical-and-professional-issues-in-information-security_599eb5da1723dd0f406ee946.html)

**5.1 ACCESS CONTROL**

**What is Access Control?**

**Access control** is the process through which systems decide whether, when, and how a person is allowed into a protected area of the organization.
Access control is accomplished by a blend of policies, programs, and technologies. Access controls can be mandatory, nondiscretionary, or discretionary.

**Four Parts / Mechanisms of Access Control**

In authentication, the following mechanisms are involved:

The four unified access control components are **users, resources, actions, and relationships**.

**Logical Access Controls**

Logical access controls are the tools and protocols used in computer information systems for identification, authentication, authorization, and accountability. Logical access is often needed for remote access to hardware and is usually contrasted with physical access. Logical access controls enforce access control over systems, programs, processes, and information. The controls may be built into operating systems, applications, add-on security packages, or database and telecommunication management systems. Logical access control solutions include **biometrics, tokens, passwords, and single sign-on**.

**Biometric Access Controls**

Biometric access control is based on the use of some measurable human characteristic or trait to authenticate the identity of a proposed systems user (a supplicant). **Fingerprint comparison, palm print comparison, hand geometry, facial recognition, and retinal print comparison** are useful biometric authentication technologies.

**Minutiae** are unique points of reference in a biometric that are digitized and stored as a template when the user is enrolled. Each access attempt produces a measurement that is compared with the stored template to decide whether the user is who he or she claims to be. A concern with this approach is that the characteristic changes as the body develops over time.

For authentication during a transaction, retail stores use signature capture: the customer signs a digital pad with a special pen that records the signature.
The signature is stored for future reference or compared with a signature on file for validation. Voice recognition works in a similar manner: the user's initial voiceprint is recorded while reciting a phrase. Later, when the user tries to access the system, the authentication mechanism asks the user to utter the same phrase so that the algorithm can compare the live voiceprint with the stored value.

**Effectiveness of Biometrics**

Biometrics are evaluated using three parameters: the **false rejection rate**, the percentage of supplicants who are in fact authorized users but are denied access; the **false acceptance rate**, the percentage of supplicants who are unauthorized users but are granted access; and the **crossover error rate**, the level at which the number of false rejections equals the number of false acceptances. Tightening the matching threshold lowers false acceptances but raises false rejections, and vice versa, which is why the crossover error rate is the usual single number for comparing systems.

**Authenticating with Kerberos and SESAME**

Kerberos, named after the three-headed dog of Greek mythology, uses symmetric key encryption to validate an individual user to various network resources. Kerberos keeps a database containing the secret keys of clients and network services. Network services running on servers in the Kerberos realm register with Kerberos, as do the clients that use those services. These secret keys are known to Kerberos and can be used to vouch for one network node to another.

Kerberos is based on the following principles:

Visit http://web.mit.edu/Kerberos/ to obtain the Kerberos software.
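As an added example (not from the module and not code from MIT Kerberos), the following Python sketch plays out the Kerberos exchange described above: a KDC holding every principal's symmetric key issues a session key and a ticket sealed under the service's key, the client proves possession of the session key with a timestamped authenticator, and the service opens the ticket with its own key and checks the authenticator. Everything beyond that structure is an assumption made here for illustration: the toy encrypt-then-MAC construction (real Kerberos uses standardized encryption types), the password-to-key derivation (a stand-in for string-to-key), the realm database `KDC_DB` with principals `alice` and `fileserver`, the omission of the ticket-granting service (the service ticket is issued directly in the AS exchange), and network round trips replaced by direct function calls.

```python
import hashlib
import hmac
import json
import os
import time

# --- Toy symmetric primitive (illustration only; not a Kerberos encryption type) ---

def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode, used as a keystream generator."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def enc(key, obj):
    """Encrypt-then-MAC a JSON-serialisable object: nonce || ciphertext || tag."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def dec(key, blob):
    """Verify the tag first; a wrong key or a tampered message is rejected."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("decryption failed: wrong key or tampered message")
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))
    return json.loads(pt.decode())

def password_key(principal, password):
    """Toy stand-in for Kerberos string2key: the client's long-term key."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10_000)

# --- Constructed realm: the KDC's database of long-term symmetric keys ---
KDC_DB = {
    "alice": password_key("alice", "correct horse battery"),
    "fileserver": os.urandom(32),   # service key, also installed on the service host
}
TICKET_LIFETIME = 8 * 3600   # seconds
CLOCK_SKEW = 300             # seconds of tolerated clock difference

def kdc_exchange(db, client, service, nonce, now):
    """KDC side: mint a session key; return it to the client under the client's
    key, and a ticket under the service's key that the client cannot read."""
    session_key = os.urandom(32)
    expires = now + TICKET_LIFETIME
    to_client = enc(db[client], {"session_key": session_key.hex(), "service": service,
                                 "nonce": nonce, "expires": expires})
    ticket = enc(db[service], {"client": client, "session_key": session_key.hex(),
                               "expires": expires})
    return to_client, ticket

def client_authenticate(client, password, service, now):
    """Client side: obtain ticket and session key, then build an authenticator."""
    nonce = os.urandom(8).hex()
    to_client, ticket = kdc_exchange(KDC_DB, client, service, nonce, now)
    reply = dec(password_key(client, password), to_client)   # wrong password -> ValueError
    if reply["nonce"] != nonce or reply["service"] != service:
        raise ValueError("KDC reply does not match our request")
    session_key = bytes.fromhex(reply["session_key"])
    authenticator = enc(session_key, {"client": client, "timestamp": now})
    return ticket, authenticator

def service_accept(service_key, ticket, authenticator, now):
    """Service side: open the ticket with its own key, then check the
    authenticator with the session key found inside. Returns the client name."""
    t = dec(service_key, ticket)
    if now > t["expires"]:
        raise ValueError("ticket expired")
    a = dec(bytes.fromhex(t["session_key"]), authenticator)
    if a["client"] != t["client"]:
        raise ValueError("authenticator principal does not match ticket")
    if abs(now - a["timestamp"]) > CLOCK_SKEW:
        raise ValueError("authenticator outside clock skew (replayed?)")
    return t["client"]

def run_protocol(password, now=None):
    """Full exchange for alice -> fileserver; returns the accepted principal."""
    now = int(time.time()) if now is None else now
    ticket, auth = client_authenticate("alice", password, "fileserver", now)
    return service_accept(KDC_DB["fileserver"], ticket, auth, now)

if __name__ == "__main__":
    print("service accepted:", run_protocol("correct horse battery"))
```

Two properties of the real protocol survive the simplification: the client never sees the service's key (it only forwards an opaque ticket), and the service never contacts the KDC at request time, because the ticket carries the session key under a key only the service and the KDC share. The timestamp check is what limits replay of a captured authenticator.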
The Secure European System for Applications in a Multivendor Environment (SESAME) is similar to Kerberos in that the user is first authenticated to an authentication server and receives a token. The token is then presented to a privilege attribute server (instead of a ticket-granting service as in Kerberos) as proof of identity to obtain a privilege attribute certificate (PAC). The PAC is like the ticket in Kerberos; however, a PAC conforms to the standards of the European Computer Manufacturers Association (ECMA) and the International Organization for Standardization/International Telecommunication Union (ISO/ITU-T). The remaining differences lie in the security protocols and the methods of distribution. SESAME uses public key encryption to distribute secret keys. SESAME also builds on the Kerberos model by adding additional and more sophisticated access control features, more scalable encryption systems, improved manageability, auditing features, and the option to delegate access authorization responsibilities.

**Security Audit**

A *security audit* is a comprehensive assessment of an organization's information system security, evaluating how well it conforms to a set of established criteria.
A thorough audit typically assesses the security of the system's physical configuration and environment, software, information handling processes, and user practices. Security audits are also used to determine regulatory compliance with legislation that specifies how organizations must handle information.

**Security audits** measure an information system's performance against a list of criteria. A **vulnerability assessment**, on the other hand, involves a comprehensive study of an entire information system, seeking potential security weaknesses. **Penetration testing** is a covert operation in which a security expert tries a number of attacks to determine whether a system can withstand the same types of attacks from a malicious hacker. Each of the approaches has inherent strengths, and using two or more of them in conjunction may be the most effective approach of all.

Security auditing and analysis tries to answer the following questions:

The following figure explains how security controls address risk, which is referred to as the security cycle.

**Security Monitoring for Computer Systems**

Security monitoring for computer systems may be classified according to the information it captures, namely:

**Lesson 5.3 Basic Concepts of Cryptography**

**CRYPTOLOGY**

**Cryptology** is defined as the science of making communications unintelligible to everyone except those who are entitled to read and interpret them. Cryptology has two branches: **cryptography**, which concerns the secrecy system and its design, and **cryptanalysis**, which concerns breaking that secrecy system.
**Code** - A collection of information that allows words to be replaced by symbols or other words. "Banana" can be a code for "gun". A code is not a cipher that can be analyzed: the only way to decode a coded message is to possess the codebook that lists the words and their codes.

**Plaintext** is the message you wish to convey in concealed form. By convention plaintext is written in lowercase letters without spaces; numbers are spelled out and punctuation is ignored. It is also referred to as **clear** text. For example, the sentence **"The bomb is planted on the roof"** is written as **thebombisplantedontheroof**.

A **cipher** is the process that transforms the plaintext. The concealed version of the plaintext is called **ciphertext**.

Example: to make it easier for the decoder to read, the text is typically written in groups of five characters. The example above can be presented as: thebo mbisp lante donth eroof

When we **encipher**, we transform plaintext into ciphertext; when we **decipher**, we do the reverse.

A **key** is the data that lets us encipher the plaintext and decipher the ciphertext. In the letter-to-number table shown in the figure, upper and lower case letters have the same numerical value.

All information systems (IS) create risks to an organization. Whether or not the level of risk introduced is acceptable is a business decision; controls such as "firewalls, resource isolation, hardened system configurations, authentication and access control systems and encryption can be used to help mitigate identified risks to acceptable levels." (https://www.slideshare.net/lavanyamarichamy/network-design-consideration) In this lesson we will discuss firewalls and the authentication procedures that we can implement to have a secure network.
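The plaintext convention, the five-letter grouping and the keyed enciphering described in the cryptography lesson above, as an added example that is not part of the original module. The lesson's letter-to-number table was only in a figure, so this code assumes a=0 ... z=25 (case ignored) and a shift cipher whose key is the shift amount; the digit-spelling table is constructed here. It also goes one step beyond the lesson, into cryptanalysis: a shift cipher has only 25 usable keys, so an attacker can simply try them all.

```python
import string

ALPHABET = string.ascii_lowercase          # assumed table: a=0 ... z=25, case ignored
# Constructed lookup for spelling digits out, per the plaintext convention.
DIGIT_WORDS = {"0": "zero", "1": "one", "2": "two", "3": "three", "4": "four",
               "5": "five", "6": "six", "7": "seven", "8": "eight", "9": "nine"}


def normalize(text):
    """Plaintext convention: lowercase, no spaces, digits spelled out,
    punctuation ignored. "The bomb is planted on the roof" becomes
    "thebombisplantedontheroof"."""
    out = []
    for ch in text.lower():
        if ch in ALPHABET:
            out.append(ch)
        elif ch.isdigit():
            out.append(DIGIT_WORDS[ch])
        # spaces and punctuation are dropped
    return "".join(out)


def group_by_five(s):
    """Write text in five-letter groups so the decoder can keep their place."""
    return " ".join(s[i:i + 5] for i in range(0, len(s), 5))


def shift_encipher(plain, key):
    """Shift cipher (assumed here as the keyed example): add the key to each
    letter's numerical value, modulo 26. The key is the shared secret."""
    return "".join(ALPHABET[(ALPHABET.index(c) + key) % 26] for c in plain)


def shift_decipher(cipher, key):
    """Reverse of shift_encipher; accepts grouped or ungrouped ciphertext."""
    letters = cipher.replace(" ", "")
    return "".join(ALPHABET[(ALPHABET.index(c) - key) % 26] for c in letters)


def brute_force(cipher):
    """Cryptanalysis of the shift cipher: with only 25 non-trivial keys the
    attacker tries every one and reads off the candidate that makes sense."""
    return {k: shift_decipher(cipher, k) for k in range(1, 26)}


if __name__ == "__main__":
    plain = normalize("The bomb is planted on the roof")
    ct = group_by_five(shift_encipher(plain, 3))
    print("ciphertext:", ct)
    print("deciphered:", shift_decipher(ct, 3))
    for k, candidate in brute_force(ct).items():
        print(f"key {k:2d}: {candidate}")
```

The brute-force loop is the practical point of the key definition above: a key only protects the plaintext when the set of possible keys is far too large to enumerate, which a single shift amount is not.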
Security, as described by Lavanya (2019), "is often an overlooked aspect of network design, and attempts at retrofitting security on top of an existing network can be expensive and difficult to implement properly. Separating assets of differing trust and security requirements should be an integral goal during the design phase of any new project." She further stresses that "...aggregating assets that have similar security requirements in dedicated zones allows an organization to use small numbers of network security devices, such as firewalls and intrusion-detection systems, to secure and monitor multiple application systems." (https://www.slideshare.net/lavanyamarichamy/network-design-consideration)

Other influences on network design include budgets, availability requirements, the network's size and scope, future growth expectations, capacity requirements, and management's risk tolerance. For example, dedicated WAN links to remote offices can be more reliable than virtual private networks (VPNs), but they cost more, especially when covering large distances. Fully redundant networks can easily recover from failures, but duplicate hardware increases costs, and the more routing paths available, the harder it is to secure and segregate traffic flows. A significant but often missed or under-considered factor in determining an appropriate security design strategy is to identify how the network will be used and what is expected from the business it supports. This design diligence can help avoid expensive and difficult retrofits after the network is implemented.

**FIREWALLS**

**What is a Firewall?**

A firewall is defined by Khandal et al. (2018) as "...a program or network device that filters the information coming through the internet connection into your private network or computer system."
A firewall is further explained at www.auysolutions.com as "a network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules. A firewall typically establishes a barrier between a trusted internal network and an untrusted external network, such as the Internet." Firewalls are often categorized as either "**network-based firewalls** or **host-based firewalls**" (https://www.auysolutions.com/product/security-essentials/). Host-based firewalls, on the other hand, run on host computers and control network traffic going in and out of those machines.

**Network-Based Firewall**

**Host-Based Firewall**

**Difference between Network-based and Host-based Firewall**

**Advantages of Firewalls**

The advantages of firewalls as discussed by Khandal (2018) are as follows:

**Concentration of security**: "...all modified software and logging is located on the firewall system as opposed to being distributed to multiple hosts."

**Protocol filtering**: "...where the firewall filters protocols and services that are either not necessary or that cannot be adequately secured from exploitation."

**Information hiding**: "...in which a firewall can 'hide' names of internal systems (or) electronic mail addresses, thereby revealing less information to outside hosts."

**Application gateways**: "...where the firewalls require inside or outside users to connect first to the firewall before connecting further, thereby filtering the protocol."

**Disadvantages of Firewalls**

The most obvious is that certain types of network access may be hampered or even blocked for some hosts, including telnet, FTP, NFS, etc.
A second disadvantage of a firewall system is that it concentrates security in one spot as opposed to distributing it among systems, so a compromise of the firewall could be disastrous for the less protected systems behind it.

**The Role of Firewalls**

A firewall is "a term used for a 'barrier' between a network of machines and users that operate under a common security policy and generally trust each other, and the outside world." (Khandal, 2018) There are two basic reasons for using a firewall at present. These, according to Dinesh (2017), are: "(1) to save money in concentrating your security on a small number of components, and (2) to simplify the architecture of a system by restricting access only to machines that trust each other."

**Three (3) Design Goals of Firewalls**

The first design goal for a firewall is that all traffic "...from internal to external must go through the firewall, physically cutting off all access to the local network except via the firewall." (Khandal et al., 2018) The second goal is that "only authorized traffic, which is delineated by the local security policy, will be allowed to proceed." (Khandal et al., 2018) Finally, the last design goal is that the firewall "...itself is resistant to penetration, inclusive in a solid trustworthy system with a protected operating system." (Khandal et al., 2018)

**AUTHENTICATION**

Authentication is the "process of reliably verifying the identity of someone (or something)." (http://www.dis.uniroma1.it/~damore/sicu/slide/slide2012/8.Authentication-1v1.1.pdf)
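The second firewall design goal above, as an added example that is not from the cited sources: a small packet-filter model in which every packet is checked against an ordered rule list, only traffic the policy explicitly authorizes proceeds, and anything unmatched is dropped by default. The addresses (an internal LAN on 10.0.0.0/8, a DMZ web server at 192.0.2.10), the rule list and the `find_shadowed` audit, which flags rules an earlier rule makes unreachable (a frequent finding in firewall reviews), are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str      # source IP
    dst: str      # destination IP
    proto: str    # "tcp" or "udp"
    dport: int    # destination port


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    src: str = "0.0.0.0/0"        # source network (CIDR); default any
    dst: str = "0.0.0.0/0"        # destination network (CIDR); default any
    proto: str = "any"            # "tcp", "udp" or "any"
    dport: Optional[int] = None   # destination port; None means any
    comment: str = ""

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and self.proto in ("any", pkt.proto)
                and self.dport in (None, pkt.dport))

    def covers(self, other: "Rule") -> bool:
        """True if every packet that `other` would match, self matches too."""
        return (ip_network(self.src).supernet_of(ip_network(other.src))
                and ip_network(self.dst).supernet_of(ip_network(other.dst))
                and self.proto in ("any", other.proto)
                and self.dport in (None, other.dport))


# Constructed policy (assumed addresses): internal LAN 10.0.0.0/8 and one web
# server in the DMZ at 192.0.2.10; the firewall sits between both and the Internet.
POLICY: List[Rule] = [
    Rule("allow", dst="192.0.2.10/32", proto="tcp", dport=443,
         comment="anyone may reach the public HTTPS service"),
    Rule("allow", src="10.0.0.0/8", dst="192.0.2.10/32", proto="tcp", dport=22,
         comment="only internal admins may SSH to the DMZ host"),
    Rule("deny", dst="10.0.0.0/8",
         comment="nothing from outside may enter the internal LAN"),
    Rule("allow", src="10.0.0.0/8", proto="tcp", dport=443,
         comment="internal hosts may browse HTTPS sites"),
]

# A deliberately misordered policy: its second rule can never fire.
SHADOWED_POLICY: List[Rule] = [
    Rule("allow", dst="192.0.2.10/32", proto="tcp", comment="all TCP to the web server"),
    Rule("deny", dst="192.0.2.10/32", proto="tcp", dport=23, comment="block telnet (unreachable)"),
]


def evaluate(policy: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """First matching rule decides. Traffic that no rule explicitly authorises
    is dropped: the policy, not the absence of a rule, defines what may pass."""
    for rule in policy:
        if rule.matches(pkt):
            return rule.action, rule.comment
    return "deny", "default deny: no rule authorised this traffic"


def find_shadowed(policy: List[Rule]) -> List[int]:
    """Indices of rules that can never match because an earlier rule already
    covers everything they would match."""
    return [j for j, later in enumerate(policy)
            if any(earlier.covers(later) for earlier in policy[:j])]


if __name__ == "__main__":
    for pkt in [Packet("203.0.113.5", "192.0.2.10", "tcp", 443),
                Packet("203.0.113.5", "192.0.2.10", "tcp", 22),
                Packet("203.0.113.5", "10.1.2.3", "tcp", 443),
                Packet("10.1.2.3", "198.51.100.7", "udp", 53)]:
        print(pkt, "->", evaluate(POLICY, pkt))
    print("shadowed rules:", find_shadowed(SHADOWED_POLICY))
```

Rule order is part of the policy: the same four rules in a different order would express a different policy, and the shadow check is the quickest way to catch a rule that has silently become dead.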
**CREATING A GOOD QUALITY PASSWORD POLICY**

The security provided by a password system depends on the ability of users to keep their passwords or passcodes unique and secret at all times. Thus, according to Gupta (2018), "...a password is vulnerable to compromise whenever it is used, stored, or even known."

**AUTHENTICATION: IDENTIFICATION**

**VERIFICATION**

Validation of the information supplied against a table of possible values based on the user's claimed identity, or verification of identity based on physical characteristics, known as biometrics. Characteristics used include:

How authentication is done depends on the capabilities of the entity being authenticated. The two most important capabilities are:

**TYPES OF AUTHENTICATION**

1. **Password-based authentication**

2. **Address-based authentication**

3. **Cryptography-based authentication**: "Authenticating oneself by showing evidence of a secret key to the remote peer (and to the network) but without exposing the secret to the peer (or to the network). The secret key can be obtained from a password." (Shankar, 2013)

**PROBLEMS WITH PASSWORDS**

1. **Eavesdropping**

2. **Trojan Horses**: A Trojan horse is a useful, or apparently useful, program that also performs unwanted or harmful functions.

3. **On-Line Guessing**

4. **Locking Accounts**

5. **Offline Password Guessing**

**REFERENCES**

Authentication (2012). Retrieved from

Dinesh, N. (2017). Seminar on firewall. Retrieved from https://www.slideshare.net/NAGADINESH3/firewall-80659551 on July 16, 2020.

Gupta, A. (2018). Knowledge base: password aging and expiration. Retrieved from https://www.orcanos.com/help/Knowledgebase/password-aging-password-expiration/ on July 17, 2020.

Khandal, et al. (2018). Firewall concepts in the area of networking.
Retrieved from http://www.ijetjournal.org/Special-Issues/ICEMESM18/ICEMESM18.pdf on July 15, 2020.

Lavanya, M. (2019). Network design considerations. Retrieved from https://www.slideshare.net/lavanyamarichamy/network-design-consideration on July 16, 2020.

Security essentials. Retrieved from https://www.auysolutions.com/product/security-essentials/ on July 16, 2020.

Shankar, U. (2013). Computer and network security. Retrieved from http://www.cs.umd.edu/~shankar/414-Notes/414-authentication-slides-4pp.pdf on July 16, 2020.

Do research on securing our future through IAS. Document the results of your research and prepare a write-up discussing the important or significant contributions of IAS to our daily lives, whether economic, physical, spiritual, or any other aspect you can identify.

**Introduction**

As we all know, there is a wide variety of careers one can choose from in the field of computing science and information security. Pursuing an education in these areas of knowledge is truly rewarding. Aside from the high rate of employability, the high salaries can also be a motivation to do well. In the field of information security alone, there are a number of opportunities one can take up in the future. Aside from the certifications we tackled in Lesson 2.2, there are also programs available to add knowledge in this area. Getting a professional certificate through a certifying body is really an edge or an advantage. However, it is one's own call what means he or she will use to learn and gain more knowledge.
One option for an aspirant to be trained in the field of information security is through **self-study programs**. Such a program aims to educate an individual at the comfort of his or her own time. This is also referred to as self-paced learning, where one is not required to attend mandatory training sessions. The advantages of self-study programs are as follows:

However, procrastination, resource selection, lack of interaction, quality, and validated outcomes may be factors to consider in self-study programs. These are its disadvantages.

In self-study programs, choosing material to study is a real struggle. When selecting instructional materials, one must check that they come from **reputable sources**, meaning that the resources come from a reliable or well-respected organization or author. You can check the **material reviews** to get an insight into the content. Self-study materials should also be supplemented by **other products** to support your learning. Finally, **hands-on skill sets** or laboratory activities should also be built on the materials to evaluate the learning process.

Another option to acquire knowledge in the area of information security is through **instructor-led programs**. These may be an alternative to self-paced learning. This type of program is also known as formal training and is delivered inside an educational group or school. Completing the prescribed hours or requirements of the training leads to a certificate that proves one's competence. Instructor-led programs range from general to highly technical.

A professional can also acquire additional knowledge in IS through **Continuing Professional Education (CPE)** and/or **Continuing Professional Development (CPD)**. The main goal of these programs is to keep practitioners updated on the current state of technology in the field.
Postsecondary degree programs are also offered by colleges and universities specializing in information technology, information systems security, information assurance, and other fields of the computing sciences. One may continue this journey up to a Ph.D.

A degree may be taken as a two-year program. That is what we call an **Associate Degree**, which prepares one for a wide variety of entry-level positions in the IT and IS fields. On the other hand, a four-year program, the **Bachelor's Degree**, is needed for higher entry positions in areas such as IT and IS. Some of them include:

Some institutions offer a laddered course in which an Associate Degree can be continued to a Bachelor's. It is very important to study the curriculum offered by an institution first and visualize what field you will pursue in the future.

A **Master of Science Degree** is a two-year program of study after completing the Bachelor's Degree. It is basically intended for specialization in one field of study and focuses on depth of knowledge in a specific field. This might include:

A **Doctoral Degree** is the highest educational attainment one can obtain. It requires more comprehensive and extensive study and may take three to five years. Fields may include:

Aside from formal schooling, there are also programs that certify an individual. They focus more on the technical skills an individual needs to develop through hands-on or experiential learning. The following are **security training organizations** that enable one to get certified:

There are many ways to acquire knowledge, through informal or formal training. All of them serve one purpose: to gain knowledge and skills that can be used as arms in a world whose demand for them is increasing rapidly.
It may be difficult to achieve, and one might say that he or she made a wrong decision, but one thing is for sure: when you learn to love what you do, you will succeed. You are halfway to the highest paying job. So do it right. You are on the right track.