1. Home
  2. Training Library
  3. Security
  4. Courses
  5. IT Security Fundamentals

Risk Controls

Developed with
Start course
1h 49m

IT Security Fundamentals 

This is a beginner-level course designed to provide you with an introduction to Information technology security concepts. The course will suit anyone interested in understanding the fundamentals of security concepts from a business and technology perspective.  


In this course we will provide:

  • An introduction to the concept of Information Security
  • We will cover the basic concepts that pertain to Information Security
  • We then begin to answer the question - what is information security and why do we need it?
  • We then explore some of the frameworks, controls and activities we can implement to control information security 


This is a beginner level course where having a basic understanding of computing concepts will be useful 


Please reach out to us at support@cloudacademy.com with any questions, comments or feedback. 



So, here's our control selection. And if you remember from before, when it comes to dealing with risk, we have the four Ts: treat, transfer, tolerate, terminate. Now, risks can never be ignored, that's the one thing we can't do, but we do use the term avoid, which means that we actually terminate the risk, but we can't ignore it.

So, if we find a risk and we know it's there, it has to go on what's known as our risk register, and then we have to monitor it, that is, we are looking at it on a given date and then we're going to review it once again at a later date. If you don't have that and an auditor comes to audit you for any particular reason, you will fail. So you have to have that control in place.

If you've done a risk assessment and that risk has come up as being there, and then you don't put it on your risk register or you don't have a date for monitoring, you will fail, and it'll cost you money because then you'll have to call the auditors back again.

All right, so, risk can be treated by applying controls, and they can be physical, personnel, procedural, technical.

So, in the security office, we would employ people that are actually trained SIA

But we train people to use the server, and we train our receptionists how to spot various things, or send them on social engineering training, we can use awareness training for the whole staff, awareness training so they can spot individuals that are in the organizations, spot phishing emails, all that type of stuff that you have to do nowadays to ensure security.

How much of this treatment do we need? Well, to decide that we use the acronym P.A.C.E: pragmatic, appropriate and cost-effective. So our risk treatment needs to be pace.

They'll always be some sort of uncertainty, that's just the way life is. But we need to make sure that we can trace our security controls to our actual risks. So, for example, we might ask ourselves why we have a particular control in place and then we can go and look in our risk register and see that oh, it's because of risk number 149 on the register.

So, there we go, we've got intrinsic and extrinsic insurance, essentially internal and external. So, here's our intrinsic security assurance. There’s the secure by design life-cycle, change control measures, i.e. putting in usernames and stuff, so that we can actually know who's made changes to what system and when. And then security engagement, which concerns engaging people with security and checking on them.

Then on the extrinsic side, we have vulnerability assessments, so, checking the vulnerabilities, having penetration testing teams come in, putting supply chain controls in place, checking our third parties, auditing them, etc. We need to find a good balance between the two, so that we have a robust security environment.

Here's our threat vulnerabilities. You can see we have attach there, that's the one we've not covered here, the attempt to destroy, expose or to disable, steal or gain unauthorized access, or to make unauthorized use of an asset - that is an attack. So, any one of those is considered an attack.

Ok, so now let's talk about vulnerabilites. vulnerabilities exist in software, they also exist in people but normally we're talking about software, and these vulnerabilities that exist in software we normally go ahead and get them patched. 

A lot of these vulnerabilities exist due to poor design but other causes include poor management of administration, inadequate leadership, poor management of practices overall, and poorly architected systems, which could include, for example, information that isn’t encrypted, networks that are using poor protocols, badly put together networks, etc.


About the Author
King Samuel
Cyber Security Trainer
Learning Paths

Originating from a systems administration/network architecture career, a solid part of his career building networks for educational institutes. With security being a mainstay his implementation he grew a strong passion for everything cyber orientated especially social engineering. The educational experience led to him mentoring young women in IT, helping them to begin a cyber career. He is a recipient of the Cisco global cyber security scholarship. A CCNA Cyber Ops holder and elected for the CCNP Cyber Ops program.

Covered Topics