
Cybersecurity Fundamentals is a comprehensive guide designed to provide readers with a solid understanding of the essential principles of cybersecurity. Aimed at polytechnic students and anyone eager to learn the basics of digital security, this eBook covers a wide range of topics, including common cyber threats, types of cyber attacks, best practices for protection, and the critical role of cybersecurity awareness in daily life.
The book strikes a balance between theory, exercises and quizzes, offering insights into the latest strategies for enhancing security in digital environments. Through case studies and practical examples, readers will learn how to identify, prevent, and respond to various cyber threats. By the end of the eBook, readers will be equipped with the knowledge and skills to protect themselves from increasingly sophisticated attacks and contribute to a safer digital world.
This eBook serves as a valuable reference to raise awareness, improve cybersecurity literacy, and foster a more secure digital ecosystem for individuals and organizations alike.

Published by Penerbit PSIS, 2026-01-11 20:48:35

EBOOK CYBERSECURITY FUNDAMENTALS


5.1 RISK IDENTIFICATION, RISK ANALYSIS, AND RISK MANAGEMENT

INFORMATION ASSURANCE VS INFORMATION SECURITY (CONT.)

| INFORMATION ASSURANCE (IA) | INFORMATION SECURITY (INFOSEC) |
| --- | --- |
| Focuses on managing risks and ensuring all aspects of information processes are reliable and secure. | Focuses specifically on preventing unauthorized access, protecting data, and mitigating cyber threats. |
| IA ensures the correct functioning of all processes related to information, from creation to destruction, including policy enforcement, risk management, and compliance with laws. | InfoSec is about preventing, detecting, and responding to security threats to ensure data is protected from breaches or unauthorized modifications. |
| It includes risk management, recovery processes, auditing, and the implementation of security policies to support decision making and business continuity. | InfoSec covers measures like firewalls, intrusion detection systems, access controls, and encryption. |
| Ensure availability, integrity, authentication, confidentiality, and non-repudiation. | Ensure Confidentiality, Integrity, and Availability. |


IMPORTANCE OF INFORMATION ASSURANCE

- Protects against cyberattacks, data breaches, and fraud.
- Ensures reliable data for decision-making.
- Builds trust with customers, employees, and stakeholders.
- Compliance with laws and regulations.


IDENTIFY RISK IDENTIFICATION

ASSETS IDENTIFICATION

Definition: Identifying and listing all the valuable resources (assets) that need protection. Asset Identification is the process of identifying and classifying critical assets within an organization.

Primary purpose: Asset identification and classification is to protect the business from possible threats such as loss, theft, compliance issues as well as asset underperformance and related consequences.

Enquiries: What are we protecting? (e.g., computers, data, employees).

Examples of Assets: Hardware, Software, Data, Employees.


RISK IDENTIFICATION

Definition: Identifying potential risks that could affect the identified assets.

Primary purpose: Risk identification is the process of determining potential risks to your business. This can include anything from a natural disaster that could damage your property to a disgruntled employee who could sabotage your systems.

Enquiries: What are we protecting? (e.g., computers, data, employees).

Types of risks: Cyber attacks, Natural Disasters, System Failures, and Human Errors.


THREAT IDENTIFICATION

Definition: Identifying potential sources of harm or danger to your assets. Threat identification is the process of determining potential risks to a system by using checklists, traceability links, and various strategies such as injury, entry point, threat, and vulnerability arguments.

Primary purpose: Threat identification is also the process by which persons who might present an insider threat risk due to their observable, concerning behaviors come to the attention of an organization or insider threat team.

Enquiries: Who or what could harm us? (e.g., hackers, floods, careless workers).

Examples of Threats: External Threats, Internal Threats, Unstructured Threats, Structured Threats.


VULNERABILITIES

Definition: Identifying weaknesses or gaps in your systems, processes, or security measures that threats can exploit. A vulnerability is a weakness in an IT system that can be exploited by an attacker to deliver a successful attack. They can occur through flaws, features or user error, and attackers will look to exploit any of them, often combining one or more, to achieve their end goal.

Enquiries: Where are we weak? (e.g., outdated software, no backups).

Examples of Vulnerabilities: Outdated software with known security flaws, Poorly configured firewalls or network settings, Lack of employee training on phishing attacks, Inadequate physical security for server rooms.


TEST YOUR KNOWLEDGE

Why is Information Assurance (IA) important for organizations?
A. It only helps in detecting cyber threats after they occur.
B. It ensures reliable data for decision-making and compliance with regulations.
C. It focuses only on protecting personal employee data.
D. It prevents software bugs and improves system performance.

Which of the following best describes Risk Identification?
A. Identifying and listing all valuable assets in an organization.
B. Detecting the exact time and date of a cyberattack before it happens.
C. Identifying potential risks that could affect the organization's assets.
D. Determining the cost of security measures for an organization.


ANSWERS

Why is Information Assurance (IA) important for organizations?
A. It only helps in detecting cyber threats after they occur.
B. It ensures reliable data for decision-making and compliance with regulations.
C. It focuses only on protecting personal employee data.
D. It prevents software bugs and improves system performance.

Which of the following best describes Risk Identification?
A. Identifying and listing all valuable assets in an organization.
B. Detecting the exact time and date of a cyberattack before it happens.
C. Identifying potential risks that could affect the organization's assets.
D. Determining the cost of security measures for an organization.


5.2 INFORMATION ASSURANCE MANAGEMENT

IDENTIFY THE 5 PILLARS OF INFORMATION ASSURANCE

[Diagram: Information Assurance and its five pillars: Confidentiality, Integrity, Availability, Authentication, Non-repudiation]

DEFINITION: These pillars provide a framework for ensuring the security, trustworthiness, and reliability of information systems.

PURPOSE: These pillars ensure comprehensive security by addressing different aspects of information protection.

EXAMPLE: Keep it private, make sure it's accurate, always available, verify who's accessing it, and ensure actions are traceable.


IDENTIFY THE 5 PILLARS OF INFORMATION ASSURANCE (CONT.)

CONFIDENTIALITY
Preserving authorized restrictions on information access & disclosure, e.g., protecting personal privacy & proprietary information.

INTEGRITY
Guarding against improper information modification or destruction and includes ensuring information non-repudiation & authenticity.

AVAILABILITY
Ensuring timely and reliable access to and use of information by authorized users.

AUTHENTICATION
The process of determining whether someone or something is, in fact, who or what it declares itself to be.

NON-REPUDIATION
The assurance that someone cannot deny the validity of something.


DESCRIBE PLAN DO CHECK ACT (PDCA) MODEL

DEFINITION: The PDCA model is a cyclical methodology for continuous improvement in managing and securing information systems.

PURPOSE: The PDCA model helps organizations stay adaptable by continuously refining their security measures.

EXAMPLE: Plan what to do, do it, check if it works, and act to fix or improve it.

[Diagram: PDCA cycle]
1. Plan a change or test, aimed at improvement.
2. Carry out the change or test, preferably at a small scale.
3. Study the results. What did we learn? What went wrong?
4. Adopt the change, abandon it, run through the cycle again.


DESCRIBE PLAN DO CHECK ACT (PDCA) MODEL (CONT.)

PLAN
Identify risks and develop strategies to mitigate them and establishing objectives and processes necessary to deliver results in accordance with information assurance objectives.
Example: Creating a security policy to address phishing attacks.
Establishing objectives and processes necessary to deliver results in accordance with information assurance objectives.

DO
Implement the strategies and controls outlined in the plan.
Example: Deploying firewalls, antivirus software, and employee training programs.
Implementing and operating the processes.

CHECK
Monitor and evaluate the effectiveness of the implemented strategies.
Example: Conducting audits or penetration tests to identify gaps.
Monitoring and reviewing processes against information assurance policies and objectives.

ACT
Make improvements based on the findings from the "Check" phase by taking corrective and preventive actions to improve the effectiveness and efficiency of information assurance processes.
Example: Updating the security plan to address newly discovered vulnerabilities.
Taking corrective and preventive actions to improve the effectiveness and efficiency of information assurance processes.


TEST YOUR KNOWLEDGE

What is the primary purpose of the Plan-Do-Check-Act (PDCA) model in information assurance?
A. To create a one-time security plan that does not require updates.
B. To ensure a continuous improvement cycle in security processes.
C. To focus only on risk identification without taking action.
D. To replace all existing security frameworks with a new model.

In the Plan-Do-Check-Act (PDCA) model, which phase involves monitoring and evaluating the effectiveness of security measures?
A. Plan
B. Do
C. Check
D. Act


ANSWERS

What is the primary purpose of the Plan-Do-Check-Act (PDCA) model in information assurance?
A. To create a one-time security plan that does not require updates.
B. To ensure a continuous improvement cycle in security processes.
C. To focus only on risk identification without taking action.
D. To replace all existing security frameworks with a new model.

In the Plan-Do-Check-Act (PDCA) model, which phase involves monitoring and evaluating the effectiveness of security measures?
A. Plan
B. Do
C. Check
D. Act


5.3 PRACTICES, REGULATIONS AND PLAN INFORMATION ASSURANCE STRATEGY

DESCRIBE LAWS AND REGULATIONS

LAWS
- A law is a system of rules created and enforced by a governing authority, such as a government or parliament, to regulate behavior and maintain order within a society.
- Broad, overarching rules set by the legislative body (e.g., parliament, congress).

REGULATIONS
- A regulation is a specific rule or guideline created by a government agency or regulatory body to enforce the laws passed by the government.
- Detailed rules or standards created by regulatory bodies to implement or enforce specific laws.


DESCRIBE LAWS AND REGULATIONS (CONT.)

Computer laws
- Also known as Cyber Laws.
- Laws governing the use of computers and computer systems.
- Aims to protect individual's privacy, prevent cybercrimes, and ensure online security.

Privacy laws
- Laws regulating the collection, use, and dissemination of personal data.
- Personal Data Protection Act (PDPA) prohibits data users from collecting and processing a data subject's personal data without his or her consent.

Intellectual property laws
- Laws protecting creations of the mind (e.g., patents, copyrights, trademarks, and trade secrets).
- Intellectual Property (IP) law deals with laws to protect and enforce rights of the creators and owners of inventions, writing, music, designs, and other works.

International laws and acts
- Agreements and conventions governing information security and data protection globally.
- International law encompasses many areas, including human rights, disarmament, transnational organized crime, refugees, migration, statelessness, the treatment of prisoners, the use of force, the conduct of war, the environment, sustainable development, the oceans, outer space, global communications and world trade.


DESCRIBE LAWS AND REGULATIONS (CONT.)

| CATEGORY | PURPOSE | EXAMPLES |
| --- | --- | --- |
| COMPUTER LAWS | Legal frameworks aimed at regulating the ethical use of computer systems and preventing cybercrime. They address activities like hacking, malware creation, and unauthorized system access. | CFAA (USA), Computer Crimes Act (Malaysia) |
| INTELLECTUAL PROPERTY LAWS | These laws protect the rights of creators over their inventions, ideas, and creative works. In the context of cybersecurity, they ensure that digital products, such as software and multimedia content, are not stolen or misused. | DMCA (USA), MyIPO (Malaysia) |
| PRIVACY LAWS | Privacy laws regulate how personal data is collected, stored, and used, ensuring individuals' rights to control their own information. | GDPR (EU), PDPA (Malaysia) |
| INTERNATIONAL LAWS AND ACTS | International laws aim to create frameworks for global cooperation in fighting cyber threats. Enable global cooperation to address cross-border cybercrime. | Budapest Convention, ITU Standards, UNICEF |


SECURITY AWARENESS AND TRAINING

- Security Awareness and Training is a crucial aspect of an organization's information assurance strategy.
- It ensures that employees and users understand security risks and know how to protect the organization's information systems.
- Implementing programs to educate employees about security policies, procedures, and best practices.
- Training users to recognize and respond to security threats and incidents effectively, Internal Threats, Unstructured Threats, Structured Threats.


IMPORTANCE OF SECURITY AWARENESS AND TRAINING

Human Error is a Major Cause of Security Breaches:
Most security incidents occur due to human errors such as clicking on phishing emails, using weak passwords, or mishandling sensitive data. Proper training helps to mitigate these risks by educating employees on how to recognize threats and follow security policies.

Creating a Security-Conscious Culture:
By raising awareness, organizations foster a culture of security where employees understand the importance of safeguarding information assets and are motivated to follow security protocols.

Compliance with Regulations:
Many industries and regulations require organizations to implement regular security awareness and training programs to ensure compliance.


KEY COMPONENTS OF SECURITY AWARENESS AND TRAINING PROGRAMS

Security policies and procedures
Training programs should start with educating employees on the organization's specific security policies and procedures. This includes guidelines for handling sensitive data, password management, reporting incidents, and using company resources like emails and internet securely.

Recognizing security threats
Employees are taught how to identify potential threats such as:
1. Phishing attacks: Recognizing suspicious emails or messages trying to steal credentials.
2. Social engineering: Awareness of manipulation tactics used by attackers to gain access to sensitive information.
3. Malware: Understanding the signs of a system being infected with malicious software.

Incident response training
Training programs should also cover how employees should respond to potential security incidents, including:
1. Reporting suspicious activity to IT or security teams.
2. Steps to take in case of a suspected breach or malware infection.
3. Knowing when to escalate issues to higher levels of authority.


KEY COMPONENTS OF SECURITY AWARENESS AND TRAINING PROGRAMS (CONT.)

Regular training and updates
Security awareness is not a one-time event. Ongoing training, regular updates on emerging threats, and refresher courses ensure employees stay vigilant. Simulated phishing campaigns and quizzes can be used to test employee knowledge.

Tailored to different roles
Not all employees face the same level of risk. Training should be tailored based on employees' roles:
1. General Staff: Basic awareness of phishing, password management, and safe internet practices.
2. IT and Security Staff: Advanced training on identifying and responding to sophisticated cyber threats.
3. Executives: Focus on high-level risks like targeted spear-phishing attacks or insider threats.


BENEFITS OF EFFECTIVE SECURITY AWARENESS AND TRAINING

- Reduction in Security Breaches: Employees who are aware of the risks and how to handle them are less likely to fall victim to attacks.
- Enhanced Incident Response: When employees know how to quickly respond to security incidents, the impact of breaches can be minimized.
- Regulatory Compliance: Maintaining up-to-date training helps organizations meet regulatory requirements, reducing the risk of fines or legal actions.


TEST YOUR KNOWLEDGE

Why do organizations implement security awareness and training programs?
A. To comply with industry regulations and security standards
B. To allow employees to freely browse social media at work
C. To replace security technologies like firewalls and antivirus
D. To train employees only once and never update policies

What is the primary difference between a law and a regulation?
A. Laws are created by regulatory agencies, while regulations are made by legislative bodies.
B. Laws provide broad principles, while regulations define specific rules to enforce those laws.
C. Laws only apply to businesses, while regulations apply to individuals.
D. Laws change frequently, while regulations remain constant.


ANSWERS

Why do organizations implement security awareness and training programs?
A. To comply with industry regulations and security standards
B. To allow employees to freely browse social media at work
C. To replace security technologies like firewalls and antivirus
D. To train employees only once and never update policies

What is the primary difference between a law and a regulation?
A. Laws are created by regulatory agencies, while regulations are made by legislative bodies.
B. Laws provide broad principles, while regulations define specific rules to enforce those laws.
C. Laws only apply to businesses, while regulations apply to individuals.
D. Laws change frequently, while regulations remain constant.


CHAPTER 5
5.4 EXERCISES

FUN EXERCISE

TEST YOURSELF

FUN TEST




AUTHORS BACKGROUND

Siti Nur Edayu binti Hashim is currently working as a Lecturer for Diploma in Information Technology under Networking System Track in Department of Information and Communication Technology, Sultan Idris Shah Polytechnic. Her interests include digital forensic, network security, cybersecurity operations, cyber defence, penetration testing, server administration.

Noor Aishah binti Zainiar is currently working as a Lecturer for Diploma in Information Technology under Networking System Track in Department of Information and Communication Technology, Sultan Idris Shah Polytechnic. Her interests include wireless network technologies, network security, and cybersecurity operations, web and mobile security, and penetration testing.


CYBERSECURITY FUNDAMENTALS

In today's digital age, cybersecurity is no longer a luxury, it is a necessity. Cybersecurity Fundamentals provides readers with an essential guide to understanding the core principles of cybersecurity, covering key topics such as types of cyber threats, common attack methods, best protection practices, and the importance of cybersecurity awareness in daily life.

This eBook is designed for anyone eager to strengthen their digital security knowledge, especially polytechnic students looking to build a strong foundation in protecting themselves from the growing wave of cyber attacks. With a balanced approach that combines theory, practical exercises, and real-world case studies, it equips readers with the tools and strategies needed to address and prevent digital threats effectively.

Whether you're new to the field or seeking to refresh your understanding, Cybersecurity Fundamentals offers valuable insights into creating a safer and secure digital environment for individuals and organizations alike. Protect yourself, enhance your cybersecurity knowledge, and help create a safer digital world with this comprehensive guide.

Published by:
Politeknik Sultan Idris Shah
Sungai Lang, 45100 Sungai Air Tawar
Selangor Darul Ehsan.
03-3280 6200
www.psis.mypolycc.edu.my

