BTEC Level 3 IT - Unit 11 - Cyber Security & Incident Management - Part 03 - RISK ASSESSMENT Theory

[Music]

welcome back welcome back so this is

going to be the theory so this is just

going to be the Powerpoint stuff for

Activity one and in the next video I'm

going to show you my actual word

document I'm gonna have the exam paper

to one side my word document to one side

and go through the process I would

normally go through

so a risk assessment is the process of

identifying what hazards currently

exists or may appear in the workplace

this was a definition I copied from

Google not too far from what we are

going to be doing in this Activity one

from an examiner's report this activity

requires Learners to assess the cyber

security implications of this scenario

and produce a risk assessment a risk

assessment template is provided together

with a simple Matrix for determining

risk severity so they give you almost

everything you need

so what do you actually do what do you

do in the activity you will get a

scenario on the exam paper you will need

to read and make some notes from the

scenario I recommend highlighting on the

physical paper I recommend also in Your

Word documents jotting down notes I've

actually done that on a few occasions

where I have my word document template

open and I simply jot down a few notes

so I can always go back and copy and

paste and change things

uh there will be weaknesses present uh

some will be obvious and others not so

much so you have to this is why I

recommend reading and highlighting

things not everything is going to be

obvious

the scenario will have all the

information you need this scenario will

have information of the company the

hardware and software the company uses a

plan of the building so that's like a

diagram showing what rooms they're going

to have and where things are going to be

laid out and there will also be a

network diagram and how the network and

its devices are arranged so think of a

network diagram as just well a diagram

that shows you how what device is the

company is actually going to be using

and in some cases well in every single

case how they are connected

so Activity one again what to do you

will need to find these weaknesses so

the weaknesses I mentioned earlier after

reading through this scenario you'll

have to highlight pick out as many

weaknesses as you can I suggest making a

list of all the things you find make

this list exhaustive at first so make

the league make the list big then trim

the list down if you need to so every

single thing that you see or read that

could be an issue note it down and what

you would do afterwards is you shorten

the list but don't start off with just

three or four things I would say between

6 and 10 is a good number maybe six and

eight is a good number but again make

your list exhaust exhaustive so as soon

as you see something and you think

actually this could be a potential

weakness write it down you can always

remove it so this is the risk severity

Matrix table here this is given to you

in the Activity one template very simple

to use but I'm going to try and explain

using my pop one here how it works for

every threat or weakness that you have

found you need to do one of these or you

need to make use of this table what I've

done in the past is I've created this

table myself I have it in my document

and I fill it in for every single thing

I find I simply I simply copy and paste

it every time

so the reciprocity Matrix there are two

things we need to do using the Matrix

well it's actually three so that's

actually wrong the probability of the

thing occurring so How likely is it that

this error or this weakness or this

fault or this issue will occur the

potential size of law so let's just say

for argument's sake it does happen what

is the potential size of loss to the

company the person or the system

and then finally how severe the threat

is so the implications if it happens so

if this thing happens how bad is it

going to be for the company uh so things

you need to do again list all the

threats do the below for each thread the

threat probabilities that's a likelihood

of it happening so How likely is it to

happen the possible threat impact how

not how much but how much damage could

it cause

and the risk severity Matrix example so

I've given the example the threat is no

encryption on the admin server that's

the example I'm giving imagine this is

my threat let's give this the worst case

scenario a popular Secondary School

which is going to have maybe a server

it's probably going to have thousands

and thousands of details of past

students current students and maybe

students coming in September so it has

details on students parents teachers

payroll information

it just has everything okay so this is

going to be a really serious one I need

to use the risk severity Matrix to work

out the probability and the possible

size of loss

so the probability of the threat

occurring so again the threat is no

encryption on the admin server the

probability in my opinion my educated

opinion is very likely an educated guest

based on this scenario so this is going

to be your interpretation of what you

think as well right I have worked in a

school before where one of the sites was

actually attacked by hackers and they

were being targeted because obviously

it's a school security isn't typically

the best in school because they don't

typically want to spend a lot of money

on people and on things and services so

it's typically relatively easy to get

into a school versus let's say a

multi-million dollar company even though

schools do have millions of pounds so

I'm gonna say the probability for this

is very likely

very likely to happen because if there's

no encryption on the admin server and

someone gets into the admin server even

if it's a student they can see

everything nothing is encrypted they can

click on something and read all the

information and print it and copy it and

paste it I'm going to say very likely

then the size of the loss the threat

again is No encryption on the admin

server I would say this could be a major

loss so why would it be a major loss

think about it like this

if there is no encryption on the admin

server and someone gets access to the

admin server they have all the

information on every past student every

current student and potentially students

coming in in September they have

information on the cleaners the teachers

the principal payroll information the

schools Bank details they have

information on every single thing so the

size of the loss and the loss doesn't

have to be them legitimately losing all

the data in terms of of um someone

deleting it that is a big thing as well

but it could be a case where someone

just has access to everything so they

technically lost data because someone

else has access to it so size of loss

here could be both things but I would

stick to them actually losing the data

not being able to have the data anymore

and I'm going to say major for this one

and then finally risk severity how

severe is this risk if I'm saying the

probability is very likely and I'm

saying the size of loss is Major uh I

would say extreme and let me go over how

this works again so

I'm gonna say the probability of the

threat is very low let me bring my pen

up one second

the probability of the threat I said

very lightly so I'm going to highlight

that one there you can do this on a

Excel spreadsheet and copy it into word

and highlight as and when you need to

the size of the loss I'm going to say

major because again if someone gets

access to a unsecured server that has

people's details that's going to be a

major major size of loss and from here

so we choose very likely from the

probability and from the bottom row we

can either choose minor moderate or

major and then the same thing for

probability of threat actually it could

either be very likely likely or unlikely

we only have three options for those now

you can add one or two more options if

you really really wanted to but I don't

think it's necessary stick with the

template they give you that's perfectly

fine

and then from there we work out the risk

of severity so if it's very likely and

this major I'm going to say the risk of

severity is going to be high or extreme

and in this case because if they get

access to the information or the data on

the server it's going to be detrimental

to not only the school but to people as

well because you have addresses names

data bursts maybe photocopies of of

birth certificates on passports and Bank

details this people would have

everything they need to go out there and

commit fraud essentially so I would say

again very likely for the probability

that's why I've circled that one there

and I would say size of loss would be

major and the risk severity is going to

be extreme so this is how you use this

table I'm gonna probably do another

example when I get to my word document

section I'm going to have a list of

issues or weaknesses and I'm going to go

through this a few times with you guys

just so everyone fully fully understands

it

clarissivarity Matrix I'm going to say

copy and paste the table as many times

as you need it you don't need to copy

and paste it you could simply create

your own table do whatever you think is

best but I would copy and paste the

table and for every single weakness I

find I fill in the information on the

way I would do that I would simply maybe

highlight this green so if I'm saying my

threat is no encryption on the admin

server I would highlight this one here

green I would highlight size of loss as

major and I would highlight the risk

severity as extreme so it's very obvious

to me to The Examiner that's reading

what does this person think about that

particular threat you could even go as

far as to create a quick table again

that says that gives you the threat and

then under the threat you could have

probability of thread size of loss and

risk severity and you can simply put

that put that and you can simply put

that information in I will go over this

when I get to my word document copy and

paste the table as many times as you

need it do the same aim for the

assessment itself so that's the next

section which I am going to show as well

or create a shortened version of what

the table shows I will show that as well

so the risk severity Matrix the threat

again is No encryption on the admin

server this is how I would do mine

personally so you could do the table way

or you could just have this in text on a

Word document this is only going to be

what three or four lines in a Word

document so you could say threat and you

state what the threat is the probability

I've said for mine is that it's going to

be very likely the size of loss I've

said is going to be major and the risk

severity I've said is going to be

extreme you choose whatever you want but

this is how I would do it so all of this

I would copy this first line in a Word

document the second line on the second

line of the word document this it would

be the third line that would be the

fourth line that's it keep it very very

simple and do this for each one so the

next thread might be there is no

password on the Wi-Fi right that's the

next threat the problem ability of the

threat occurring would be in my opinion

very likely size of loss probably I

don't know medium what whatever the

table said and the risk severity for

this may might be something like medium

or high again so I would simply have

this information as many times as I have

threats or weaknesses so if I have 10

weaknesses I'm going to have all of this

information here roughly 10 times

so show example word document all right

I'll be using the 2018 past paper this

is the only one on the website on the

Pearson's website that's not locked to

the public so that's why I've opted for

that one I'm also going to put links in

the description for you guys to be able

to download it from my personal Google

drive if you don't know how to find it

on the website if you'd prefer to just

Google it yourself that's fine you could

just Google search btec level 3 it and

it will come up with the Pearson's

website the b-tech website with all the

files everything that I'm using here is

completely free as I said this is the

only one that's not locked so this is

the risk assessment this Carries On from

the previous section you will need all

those risks and the severities which you

found in the previous section I will go

through this not to worry you fill in

the table for every threat you've

identified so again let's just say for

argument's sake we found five threats

I'm gonna have this table here copied

five times and where it says threat

number I would obviously put something

like let's say 0 1 a threat title in

here I would put something uh what was

the previous one again the previous one

was no encryption on the admin server

that would be for that one I'll put the

probability uh potential size of impact

with severity explanation of the threat

in context so why do I think the

probability is going to be so high why

do I think the potential size of loss is

going to be so high why do I think the

risk severity is what it is so give some

context give some explanation justify

why you're saying what you're saying in

the last box here and again if you have

10 or sorry I said 5 before if you have

five different threats or weaknesses you

have five of these boxes I'm gonna show

you even how to copy and paste them when

I get to my word document so bear with

me

and that's it for this one so the next

part of the well the next video is going

to be Activity one me in my word

document with the exam paper on the left

me making some notes me doing the risk

uh the risk assessment and we'll take it

from there thank you for watching

hopefully this was useful

[Music]