Understanding risk
How much risk are you willing to take on behalf of your business? Let’s start by trying to understand the Mathaholics project’s risk profile. There are three components to any risk profile (you may be familiar with the following if you work in the financial sector):
- Risk capacity: How much risk are we prepared to take on at the outset?
- Risk tolerance: How much risk are we prepared to take on over the long term?
- Risk requirements: Are there any risks we are required (for example, legally) to mitigate?
It is beyond the scope of this book to delve too deeply into each of these three aspects. Instead, we concentrate on the third aspect: risk requirements.
Recall from the introduction that protecting a Moodle installation is similar to protecting valuable jewelry. In the UK, just as there is no legal standard for door locks, there is no legal standard for protecting online applications. However, there are industry standards for door locks you are expected to adhere to – some managed by governmental/quasi-public sector bodies (for example, The British Standards Institute (BSI), which has a memorandum of understanding with the UK government) and some by the industry itself (for example, Association of British Insurers).
The same is true for application security standards. In the UK, there are standards outlined by the National Cyber Security Centre (a public sector body) as well as frameworks formulated by the Open Web Application Security Project (a not-for-profit). The security standards you will need to adhere to will depend on the type of data you need to protect. Generally speaking, application security problems can be categorized under the following headings:
- Networking
- Operating system
- Application
- Human
Tip
Before you begin, write these four headings on four sticky notes, and make some space on your office wall for these notes. As you read through this chapter, think about the risks your organization might face and add more sticky notes under each heading. Don’t forget to ask colleagues to add ideas too.