Summary
We began this chapter by showing how protecting an online platform such as Moodle is very similar to protecting any other asset: security in both the physical and digital worlds operates within comparable regulatory and operational constraints, as introduced here. As we have seen, the complexity of the security landscape can be hard to manage, so we also looked at simple methods we can apply to understand and measure risk tolerance.
By now, you should have some context about the security landscape Mathaholics will be operating within, in addition to knowing about the most important international regulatory frameworks and best practices. We learned that there are, essentially, four entities placing constraints on the Mathaholics Moodle platform we are building: the government, the client, our cloud hosting provider, and our insurers. As the Mathaholics Moodle Security Advisor, we must ensure we adhere to the frameworks and work within the constraints these agencies prescribe. We discussed simple techniques that can be used to identify those constraints and translate them into risks. Finally, we started to capture those risks in a risk register.
In the next chapter, we will continue the theme of identifying security risks by introducing the concept of threat modeling. We will also explain how the STRIDE approach can help us capture security threats.