Assessing and Treating IT Security Risks, Exams of Computer science

A comprehensive overview of IT security risks and the methods to assess and treat them. It covers topics such as the types of security risks organizations face, the importance of organizational security procedures, and the potential impact of IT security issues such as incorrect firewall configuration and VPN misuse. The document also discusses how implementing network security measures such as NAT and static IP addressing can improve overall security. Additionally, it explores the impact of IT security audits on organizational security and the importance of aligning IT security with organizational policies. The document covers the application of ISO 31000 in IT security management and the significance of addressing misalignment between security metrics and business objectives. Overall, this document offers insights and strategies for organizations to assess and mitigate IT security risks, protecting their digital assets and operations.

Typology: Exams

2020/2021

Uploaded on 11/30/2022

praveen-jo

2022
ASSIGNMENT TO SECURITY.
TESCO PLC.
R. RAJTHANAN.


Acknowledgement

Achieving this outsourced work requires a great deal of guidance and support from many individuals, and we are very fortunate to be able to do this throughout the outsourced work. All I have done is to thank this guide and help, and I will never forget to thank them. We would like to pay tribute and thanks to Mr. Suresh for giving us the opportunity to do this commissioned work on time. I am very grateful for his kind support and guidance. I am grateful that I was able to do this homework in the instructor's time. This work could not be completed without the efforts and cooperation of classmates. We would like to express our sincere gratitude for the support and cooperation of our friends, family and respondents.

Contents

IT security solution
Security issues from misconfiguration
Effect of security misconfiguration
2.1. Identify the potential impact of IT security of incorrect configuration of firewall policies and third-party VPNs.
Firewall
2.1.1. Advantages of Firewall
2.1.2. Ways of firewall misconfiguration
2.1.3. Misconfiguration issues of firewall
2.1.4. VPN (Virtual Private Network)
2.1.5. Advantages of VPN
2.1.6. Misconfiguration of VPN
2.2. Show, using an example for each, how implementing a DMZ, static IP and NAT in a Network Security.
2.2.1. DMZ (Demilitarized Zone)
2.2.2. Static IP address
2.2.3. NAT (Network Address Translation)
2.2.4. How implementing a DMZ can improve a network security
2.2.5. How implementing a NAT in a network can improve network security?
2.2.6. How implementing a static IP in a network can improve network security?
2.3. Discuss three benefits to implement network monitoring systems with supporting reasons.
2.3.1. What is network monitoring system?
2.3.2. Most important aspects of network monitoring
2.3.3. Network monitoring software and tools
2.3.4. Benefits of network monitoring systems
LO1 & 2. Investigate how a ‘trusted network’ may be a part of an IT security solution.
TASK.2. What are the impacts of “Trusted Network” for IT companies?
2.4. Trusted Network
2.4.1. Advantages of trusted network and evaluations
LO3. Review Mechanisms to control organizational IT security
TASK.3. Discuss what are the activities to be used by a company operating within a proper security framework?
3.1. Risk assessment
3.1.1. Risk assessment procedures
3.2. Explain data protection processes and regulations as applicable to an organization.
3.2.1. Data protection Process
3.2.1. Importance of Data Protection Process for an organization.
3.2.2. Data protection principles
3.4.6. Protecting the organization with expert Security Audits.
3.4.7. Uses of Security Audit
3.5. Consider how IT security can be aligned with organizational policy, detailing the security impact of any misalignment.
3.5.1. Policy Alignment
3.5.1. Impacts of misaligned security policy
3.5.2. Organizational Security Consequences of Misalignment
3.5.3. Addressing misalignment between information security metrics and business driven security objectives
3.5.4. Importance of Organizational alignment
LO4. Manage organizational security
4.1. Design and implement a security policy for an organization.
4.1.1. What is in a policy?
4.1.2. Significance of security policy
4.1.4. The purpose of setting up the privacy policy T Lanka (PLC)
4.1.4. Privacy Policy of Tesco LANKA (PLC)
4.2. List the main components of an organizational disaster recovery plan, justifying the reasons for inclusion.
4.2.1. Disaster Recovery Plan
4.2.2. Recovery plan considerations
4.2.3. Steps to build Disaster Recovery Plan
4.3. Discuss the roles of stakeholders in the organization to implement security audit recommendations.
4.3.1. Stakeholders
4.3.2. Roles of stakeholders
4.4. Evaluate the suitability of the tools used in an organizational policy
4.4.1. Uses organizational policy tool
TASK 4. Discuss name of the contents that are important to the Zeepay service policy?

Every organization requires protection from cyber-attacks and security risks. Because cybercrime and malware are continual risks to anyone with an internet presence, and data failures are both time-consuming and expensive, we must enlist the help of a reputable information security firm.

Figure 1 ITS Security

1.1.3. Types of the Security risks of Tesco (PLC)

TASK.1. What are the constraints of Tesco (PLC) to provide its consistent service to their customers effectively?

Risk is the probability that a potential concern will or will not occur in the future. It arises from a lack of control over data or time, as it does in every field, but it is slightly higher in the field of IT, where it is called a security risk. A security risk is the damage or theft of information, or access to a computer or personal computer, by someone or an adversary without permission. There are various types of risk:

  • Physical risk
  • Electronic risk
  • Technical risk
  • Infrastructure risk
  • Human risk

1.1.3.1. Physical risk

Physical risk to IT assets is becoming increasingly important due to the volume and value of data stored by enterprises. The major threats are natural disasters (such as fire), unauthorized entry to premises, and vandalism.

Figure 2 IT Company in flood

1.1.3.2. Electrical Risk

Power surges, low power, power cuts, and extended power outages are all risks associated with power. These can result in astronomical financial consequences.

Human risk, the risk of people doing what they should not do or not doing what they should do, is described as “the danger of those who do what should not be done or those who do not do what should be done.”

Figure 5 Human risk. Example: rules mistake

1.1.4. Basic risks faced by IT companies

  • System failures
  • Spam, viruses and malicious attacks
  • Human error
  • Software failure
  • Denial of service
  • Natural disasters
  • Improper use of data
  • Hackers
  • More and more companies competing to attract customers

1.2. Describe the organizational security procedures.

1.2.1. Organizational security procedures

Policies and procedures are used by organizations to define the guidelines for dealing with difficulties. Through policies and procedures, employees learn the organization's views and values on specific topics, as well as what happens if they are not followed. A security procedure is a collection of steps that must be followed in order to complete a certain security task or activity. Procedures are typically written as a series of actions that must be performed in a systematic and repeatable manner to reach a desired outcome. Once developed, security procedures give a set of recognized mechanisms for managing the organization's security problems, allowing for training, process auditing, and process improvement. Documenting processes also serves as a springboard for adopting uniformity and minimizing variability in security procedures, which helps maintain organizational security. Reduced variability is also a smart way to improve quality and raise efficiency.

1.2.2. Methods to assess security risks

  1. Establish a risk management framework
  2. Identify risks
  3. Analyze risks
  4. Evaluate risks
  5. Select risk treatment options

Figure 6 risk management process

1.3. Propose a method to assess and treat IT security risks.

1.3.1. Human errors and IT security

Human error is an incident in which a planned activity, decision, or action reduces, or can reduce, quality, safety, or security. The following are examples of human error in information security:

  • Misconfiguration of the system;
  • Ineffective patch management;
  • Use of easy-to-guess passwords or default usernames and passwords;
  • Lost devices;
  • Information leaked due to an erroneous email address;
  • Double-clicking on an unsafe URL or attachment;
  • Sharing passwords with others.

Occasionally, such flaws allow attackers unrestricted access to system data or functionality. Occasionally, such flaws result in a complete system compromise. The business impact depends on the protection needs of the application and its data. Most misconfigurations are introduced by the people who use and administer the software. Examples include:

  • Insufficient firewall protection
  • Third-party VPNs
  • Illegal software
  • Unpatched systems
  • Unencrypted files
  • Old and out-of-date web applications
  • Cloud misconfiguration
  • Unsecured devices

2.1. Identify the potential impact of IT security of incorrect configuration of firewall policies and third-party VPNs.

Firewall

A firewall is a network security device that screens and controls network traffic, permitting or blocking data packets based on security rules. Its purpose is to create a barrier between the internal network and external sources (such as the Internet) to prevent viruses and hackers from entering the network.

To prevent attacks, firewalls use predefined rules to analyze incoming communications and filter traffic from unsecured or suspicious sources. Firewalls control traffic at the ports of your computer, where data is exchanged with other devices. For example, "Source address 172.18.1.1 can interact with destination 172.18.2.1 on port 22."

Think of IP addresses as houses and port numbers as rooms. Only trustworthy persons (source addresses) are permitted to enter the house (destination address); once inside, they are only allowed to access certain rooms (destination ports) depending on whether they are the owner, a child, or a visitor. The owner may enter any room (port).
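The rule in the example above, evaluated first-match against a packet, together with a check for rules that an earlier rule makes unreachable, as an added illustration that is not part of the original assignment. The rule sets, addresses and packets are constructed; IPv4 is assumed.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Optional

@dataclass(frozen=True)
class Rule:
    action: str          # "allow" or "deny"
    src: str             # IPv4 CIDR such as "172.18.1.1/32", or "any"
    dst: str
    port: Optional[int]  # None matches any destination port
    proto: str = "tcp"   # "tcp", "udp" or "any"

def _covers(outer: str, inner: str) -> bool:
    """True when every IPv4 address in `inner` (CIDR or "any") lies in `outer`."""
    if outer == "any":
        return True
    if inner == "any":
        return False
    return ip_network(inner, strict=False).subnet_of(ip_network(outer, strict=False))

def _subsumes(a: Rule, b: Rule) -> bool:
    """True when rule `a` matches every packet that rule `b` would match."""
    return (_covers(a.src, b.src) and _covers(a.dst, b.dst)
            and a.port in (None, b.port) and a.proto in ("any", b.proto))

def evaluate(rules: List[Rule], src: str, dst: str, port: int,
             proto: str = "tcp", default: str = "deny") -> str:
    """First-match evaluation of one packet; `default` applies when no rule matches."""
    pkt = Rule("", src + "/32", dst + "/32", port, proto)   # packet expressed as a /32 rule
    for rule in rules:
        if _subsumes(rule, pkt):
            return rule.action
    return default

def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Indexes of rules that can never fire because an earlier rule subsumes them
    (a common policy-ordering mistake that silently changes what the firewall does)."""
    return [j for j, later in enumerate(rules)
            if any(_subsumes(earlier, later) for earlier in rules[:j])]

# Intended policy from the example above: 172.18.1.1 may reach 172.18.2.1 on port 22.
INTENDED = [
    Rule("allow", "172.18.1.1/32", "172.18.2.1/32", 22),
    Rule("deny", "any", "any", None),          # explicit catch-all deny
]

# Constructed misconfiguration: a troubleshooting "allow all" left at the top of the
# policy makes the later deny for RDP (port 3389) unreachable.
MISCONFIGURED = [
    Rule("allow", "any", "any", None),
    Rule("deny", "any", "172.18.2.0/24", 3389),
]
```

Running `shadowed_rules` over a policy before it is deployed flags exactly the ordering error that turns the second rule set into an open door.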

2.1.1. Advantages of Firewall

1. Monitors network traffic

The ability to track network traffic is the foundation of all firewall protection benefits. Threats to your processes can be introduced by data flowing in and out of your networks. Firewalls protect your networks by tracking and analyzing network traffic and applying pre-set rules and filters. With a well-trained IT team, you can adjust your level of security depending on what you see going in and out of your firewall.

2. Stop virus attacks

A virus attack will bring your digital operations to a halt faster and more forcefully than anything else. With hundreds of thousands of new threats being created every day, it is critical to put safeguards in place to keep your systems secure. The ability to monitor your system's entry points and block virus attacks is one of the most obvious advantages of firewalls. Depending on