Assignment 2 - Security (1623) - Grade D, Study Guides, Projects, Research of Computer Security


Typology: Study Guides, Projects, Research

2022/2023

Uploaded on 11/30/2022

Phan-Nhat-Linh-11

ASSIGNMENT 2 FRONT SHEET

Qualification: BTEC Level 5 HND Diploma in Computing
Unit number and title: Unit 5: Security
Submission date:
Date Received 1st submission:
Re-submission Date:
Date Received 2nd submission:
Student Name: Phan Nhat Linh
Student ID: GCD201635
Class: GCD0905
Assessor name: Tran Trong Minh
Student declaration: I certify that the assignment submission is entirely my own work and I fully understand the consequences of plagiarism. I understand that making a false declaration is a form of malpractice.
Student’s signature: Linh
Grading grid: P5 P6 P7 P8 M3 M4 M5 D2 D3

Summative Feedback:
Resubmission Feedback:
Grade:
Assessor Signature:
Date:
Lecturer Signature:

Table of Contents

  • I/ DISCUSS RISK ASSESSMENT PROCEDURES (P5)
      1. Security risk and how to do risk assessment
      2. Define assets, threats and threat identification procedures, and give examples
      3. Explain the risk assessment procedure
      4. List risk identification steps
  • II/ EXPLAIN DATA PROTECTION PROCESSES AND REGULATIONS AS APPLICABLE TO AN ORGANISATION (P6)
      1. What is data protection?
      2. Principles of data protection
      3. What is the purpose of data protection?
      4. Enterprise data protection strategies
      5. How to protect the data
      6. Data protection process in company “Wheelie good”
      7. Why are data protection and security regulation important?
  • III/ SUMMARISE THE ISO 31000 RISK MANAGEMENT METHODOLOGY AND ITS APPLICATION IN IT SECURITY (M3)
      1. Object and scope of application
      2. What are ISO 31000 IT security applications in “Wheelie good”?
      3. A practical example for each of these applications
  • IV/ DISCUSS POSSIBLE IMPACTS TO ORGANISATIONAL SECURITY RESULTING FROM AN IT SECURITY AUDIT (M4)
      1. What is a security audit?
      2. Why are security audits important?
      3. When is a security audit needed?
      4. What possible impacts to organizational security result from an IT security audit?
  • V/ CONSIDER HOW IT SECURITY CAN BE ALIGNED WITH ORGANIZATIONAL POLICY, DETAILING THE SECURITY IMPACT OF ANY MISALIGNMENT (D2)
      1. What are organizational policies?
      2. What are the impacts on IT security if there is any misalignment between the organisational policy and IT security?
  • VI/ DESIGN AND IMPLEMENT A SECURITY POLICY FOR AN ORGANISATION (P7)
      1. What is a security policy?
      2. Why are security policies important?
      3. Types of security policies
      4. Some topics to think about while developing policy
      5. Elements of an Information Security Policy
      6. The steps to design a policy
      7. Security policy for company “Wheelie good”
  • VII/ LIST THE MAIN COMPONENTS OF AN ORGANISATIONAL DISASTER RECOVERY PLAN, JUSTIFYING THE REASONS FOR INCLUSION (P8)
      1. What is business continuity?
      2. Why is business continuity important?
      3. List the components of the recovery plan
      4. All the steps required in the disaster recovery process
      5. Explain some of the policies and procedures that are required for business continuity
  • VIII/ DISCUSS THE ROLES OF STAKEHOLDERS IN THE ORGANISATION TO IMPLEMENT SECURITY AUDIT RECOMMENDATIONS (M5)
      1. What are stakeholders?
      2. Stakeholder roles in company “Wheelie good”
      3. Importance of Information Security Audit
      4. When is a security audit needed?
  • IX/ EVALUATE THE SUITABILITY OF THE TOOLS USED IN AN ORGANISATIONAL POLICY (D3)
      1. Microsoft OneNote
      2. Trello
      3. Google Docs
      4. Canva
      5. Evernote
      6. Airtable
      7. Asana
      8. Penzu
  • References

Table of Figures

  • Figure 1: What is security Risk Assessment?
  • Figure 2: Define the requirements
  • Figure 3: Analyze risks
  • Figure 4: What’s an asset?
  • Figure 5: What’s a threat?
  • Figure 6: What is threat identification?
  • Figure 7: Hazard Identification and Analysis
  • Figure 8: What is data protection?
  • Figure 9: ESG Data Protection Family Tree
  • Figure 10: Erasure coding visualization
  • Figure 11: ISO
  • Figure 12: Principles, framework and process
  • Figure 13: What is a security audit?
  • Figure 14: What are organizational policies?
  • Figure 15: What is security policy?
  • Figure 16: What is business continuity?
  • Figure 17: The policies and procedures
  • Figure 18: What are stakeholders?
  • Figure 19: Microsoft OneNote
  • Figure 20: Trello
  • Figure 21: Google Docs
  • Figure 22: Canva
  • Figure 23: Evernote
  • Figure 24: Airtable
  • Figure 25: Asana
  • Figure 26: Penzu

I/ DISCUSS RISK ASSESSMENT PROCEDURES (P5)

1. Security risk and how to do risk assessment

1.1 What is security Risk Assessment?

Figure 1: What is security Risk Assessment?

A security risk assessment identifies, evaluates, and applies the key security controls in applications. It is also concerned with preventing application security flaws and vulnerabilities. A risk assessment enables an organization to examine its application portfolio holistically, from the perspective of an attacker. It helps managers make informed decisions about resource allocation, tooling, and the implementation of security controls. Completing an assessment is therefore an essential component of an organization's risk management strategy.

1.2 How to do a risk assessment

a. Define the requirements

Vulnerabilities and threats come in many forms. List the potential threats to the confidentiality, integrity, and availability of the organization's data. Review the existing controls so that you do not duplicate work that is already being done.

c. Analyze risks

Figure 3: Analyze risks

Risk analysis typically means understanding how a threat could materialize, which requires identifying both a weakness in your assets and a threat that could exploit that weakness. For each security event you identify, assign a score or value and assess how likely it is that a threat will exploit it. Returning to the risk scale: the impact of a threat can be human, financial, legal, regulatory, reputational or operational, while the likelihood depends on factors such as frequency of occurrence, previous occurrences, the current level of security controls, the size of the attacking group, and how widely the vulnerability is known. Below is a risk treatment with the likelihood (LHO) and business impact (BI) established in the previous phases. A final grade helps in addressing and treating the company's risks.

d. Evaluate risks

Your company's risk assessment software should automatically gather the results of the risk analysis, compute where each risk falls on the risk scale, and determine whether it lies within your predetermined level of acceptable risk. You should then be able to identify your most critical risks quickly and prioritize which ones to address first.

e. List risk treatment options

After analyzing and prioritizing risks, companies should respond based on the existing controls. Several treatment options are available, including the following:
➢ Accept the risk: you can accept the risk if it meets your risk acceptance criteria, or decide that it requires special decisions.
➢ Reduce the risk: this is normally achieved by implementing security controls that lower the risk's likelihood or impact.
➢ Transfer the risk: risk is typically transferred through insurance or outsourcing. Although a breach will almost always hurt your company, you can share the risk with someone who is better placed to mitigate the damage.
➢ Terminate the risk: your organization can take steps to eliminate the behavior or event that causes the risk.

f. Review on a regular basis

Risk assessments follow the plan-do-check-act (PDCA) cycle. Risks will continue to emerge, change, and vanish, so companies should review the risk assessment regularly, taking into account all of the aspects defined in the initial step of the risk management plan. The findings should be communicated to the company's security forum.
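The scoring, evaluation and treatment steps above, as an added example that is not part of the assignment: a small Python risk register that gives each risk an LHO × BI score, places it on a risk scale against an acceptable risk level, and maps it to accept, reduce, transfer or terminate. The thresholds, the treatment decision rule and the sample risks are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Risk scale: likelihood (LHO) and business impact (BI) are both scored 1..5,
# so the combined score runs 1..25. The thresholds and the treatment rule below
# are assumptions for this example, not taken from the assignment.
ACCEPTABLE_RISK = 6   # a score at or below this is within accepted risk
HIGH_RISK = 15        # a score at or above this is treated first


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    likelihood: int   # LHO: 1 (rare) .. 5 (almost certain)
    impact: int       # BI: 1 (negligible) .. 5 (severe)

    def __post_init__(self) -> None:
        for name in ("likelihood", "impact"):
            value = getattr(self, name)
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be 1..5, got {value}")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


def rating(score: int) -> str:
    """Place a score on the risk scale; Low means within acceptable risk."""
    if score <= ACCEPTABLE_RISK:
        return "Low"
    return "High" if score >= HIGH_RISK else "Medium"


def treatment(risk: Risk) -> str:
    """Assumed decision rule mapping a risk to one of the four options."""
    if risk.score <= ACCEPTABLE_RISK:
        return "accept"     # meets the acceptance criteria, no new control
    if risk.likelihood >= 4 and risk.impact >= 4:
        return "terminate"  # too likely and too damaging: stop the activity
    if risk.impact >= 4 and risk.likelihood <= 2:
        return "transfer"   # rare but severe: insure or outsource
    return "reduce"         # add controls that lower LHO or BI


def evaluate(register: list[Risk]) -> list[tuple[str, int, str, str]]:
    """Return (risk, score, rating, treatment) rows, highest score first."""
    rows = [(f"{r.asset}: {r.threat}", r.score, rating(r.score), treatment(r)) for r in register]
    return sorted(rows, key=lambda row: row[1], reverse=True)


# Constructed sample register for a small retailer; the values are illustrative.
SAMPLE_REGISTER = [
    Risk("Card-number spreadsheet", "Breach of stored card numbers", 4, 5),
    Risk("Customer database", "Unauthorised access via weak passwords", 3, 5),
    Risk("Staff mailboxes", "Phishing email", 4, 3),
    Risk("Shop premises", "Fire", 2, 5),
    Risk("Point-of-sale terminals", "Power outage", 3, 3),
    Risk("Marketing leaflets", "Lost in transit", 2, 1),
]

if __name__ == "__main__":
    for name, score, band, action in evaluate(SAMPLE_REGISTER):
        print(f"{score:>2}  {band:<6} {action:<9} {name}")
```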

2.2 What’s a threat?

Figure 5: What’s a threat?

A threat is any incident that could negatively affect an asset – for example, if it’s lost, knocked offline or accessed by an unauthorised party. Threats can be categorised as circumstances that compromise the confidentiality, integrity or availability of an asset, and can either be intentional or accidental. Intentional threats include things such as criminal hacking or a malicious insider stealing information, whereas accidental threats generally involve employee error, a technical malfunction or an event that causes physical damage, such as a fire or natural disaster.

2.3 What’s a vulnerability?

A vulnerability is an organisational flaw that can be exploited by a threat to destroy, damage or compromise an asset. You are most likely to encounter vulnerabilities in your software, because of its complexity and the frequency with which it is updated. These weaknesses, known as bugs, can be used by criminal hackers to gain access to sensitive information. Vulnerabilities don’t only refer to technological flaws, though. They can be physical weaknesses, such as a broken lock that lets unauthorised parties into a restricted part of your premises, or poorly written (or non-existent) processes that could lead to employees exposing information.

Other vulnerabilities include inherent human weaknesses, such as our susceptibility to phishing emails; structural flaws in the premises, such as a leaky pipe near a power outlet; and communication errors, such as employees sending information to the wrong person.

2.4 What is threat identification?

Figure 6: What is threat identification?

The threat identification process examines IT vulnerabilities and determines their capacity to compromise your system. It is a key element of your organization’s risk management program. Identifying threats allows your organization to take pre-emptive action: you receive the information you need to obstruct unauthorized users and prevent system breaches. At Ward IT Security Consulting Group, we provide the specialized knowledge and experience necessary for effective threat identification. Each IT system environment is unique. Some threats will be part of a common set faced by all organizations with public-facing web portals; other vulnerabilities may be specific to your organization. That is why we work collaboratively with your staff and begin our evaluation with an in-depth understanding of your organization and operations.
➢ Analyzing and understanding the particular threat portfolio specific to your organization and its operation.
➢ Effectively prioritizing the evaluation of your system vulnerabilities.
➢ Determining how those vulnerabilities may be exploited by a specific threat actor or action.
➢ Providing a report of findings with detailed information that allows your organization to implement pre-emptive risk management actions.

organization identify potential hazards and any business assets put at risk by these hazards, as well as the potential fallout if these risks come to fruition. With the risk assessment process, users take a look at their organizations to:

  • Identify processes and situations that may cause harm, particularly to people.
  • Determine how likely it is that each hazard will occur and how severe the consequences would be.
  • Decide what steps the organization can take to stop these hazards from occurring or to control the risk.

It is critical to understand the distinction between hazards and risks. Anything that might cause injury, such as work accidents, crises, poisonous substances, employee conflicts, stress, and more, is considered a hazard. A hazard's risk, on the other hand, is the possibility that it may cause harm. You will identify hazards as part of your risk assessment strategy, but you will also quantify the risk, or likelihood, of the hazards occurring. The purpose of a risk assessment plan varies by industry, but in general it is to help businesses prepare for and combat risk. Other objectives include:

  • Providing an analysis of possible threats
  • Preventing injuries or illnesses
  • Meeting legal requirements
  • Creating awareness about hazards and risk
  • Creating an accurate inventory of available assets
  • Justifying the costs of managing risks
  • Determining the budget to remediate risks
  • Understanding the return on investment

4. List risk identification steps

4.1 Five steps in the risk assessment process

Once you've planned and allocated the necessary resources, you can begin the risk assessment process. Proceed with these five steps.

a. Step 1: Identify the hazards

The first step in creating your risk assessment is determining what hazards your employees and your business face, including:
➢ Natural disasters (flooding, tornadoes, hurricanes, earthquakes, fire, etc.)
➢ Biological hazards (pandemic diseases, foodborne illnesses, etc.)
➢ Workplace accidents (slips and trips, transportation accidents, structural failure, mechanical breakdowns, etc.)
➢ Intentional acts (labor strikes, demonstrations, bomb threats, robbery, arson, etc.)
➢ Technological hazards (lost Internet connection, power outage, etc.)
➢ Chemical hazards (asbestos, cleaning fluids, etc.)
➢ Mental hazards (excess workload, bullying, etc.)
➢ Interruptions in the supply chain

Examine your workplace to identify which procedures or activities might be harmful to your company. Include all areas of employment, such as remote employees and non-routine tasks like repair and maintenance. You should also review accident/incident records to discover which hazards have already harmed your firm. Try our free template below to break tasks down into possible hazards and the assets at risk.

Figure 7: Hazard Identification and Analysis

b. Step 2: Determine who might be harmed and how

You need to identify which groups of people in your business could be harmed by physical assaults, threats, intimidation or verbal abuse. Think about all the individuals you have in your workplace at any

At this stage of your risk assessment you need to establish whether there is a significant risk of violence in your business. You can do this in a number of ways, but perhaps the easiest way initially is to speak to your staff and safety representatives about their experiences. You can also look at sickness absence figures, staff turnover, injury and illness records (particularly incidents of work-related violence), stock losses and police records. Your local police force may be prepared to release crime data for your business to help you establish how you need to tackle violence and crime on your premises. RIDDOR reports can also be a useful source of information, and crime mapping can help you decide where best to target your activities.

Risk factors

Licensed and retail businesses have, by the very nature of their business, factors which can increase the likelihood of violence occurring. These include:
➢ Handling large amounts of money or exchanging money;
➢ Your staff having face-to-face contact with customers;
➢ Opening in the evening or late at night;
➢ Dealing with customer complaints or disputes. Dealing with angry customers in disputes or complaints, e.g. over goods, services and refunds, allegations of short-changing or cash mistakes, or non-authorisation of card purchases, can trigger customer embarrassment and violence.

Your business may also have specific risk factors that are associated with a higher risk of violence:
➢ You have lone workers or small numbers of staff.
➢ You sell or guard high-value goods. Items may include medications, expensive merchandise or alcohol/tobacco.
➢ You sell age-restricted goods. Refusing to serve customers who are underage or without ID, or refusing to sell alcohol after licensing hours or to those who are intoxicated, can also trigger violence.
➢ Your staff are under pressure. Exceptional workloads, inadequate stocks or staff shortages may slow employee performance and lead to delays, queues and customer impatience and hostility.
➢ Your customers have a history of violence or are likely to be under the influence of drink or drugs.
➢ Your premises are in a high-crime area. Businesses with previous experience of robbery, assaults or threats are more at risk of repeat incidents.
➢ Your business is quite isolated or you do not have many customers.

➢ Your premises have easy access/escape routes.
➢ Your business's layout/lighting is poor. For example, tills are located near doors or there is poor visibility from outside the shop to inside.
➢ You do not have any (obvious) security measures, which may suggest to potential assailants or criminals that there is a low risk of detection and minimal protection.

Decide on precautions

The next step is to decide whether there is anything more you can do. Have you reduced the risks 'so far as is reasonably practicable'? To do this you will need to:
➢ Look at your existing controls to ensure they are working effectively and as intended.
➢ Consult your staff about their ideas. Employees have practical experience and insight into their workplace and are therefore a good source of information and ideas. Involving your staff will also encourage them to adopt and own the arrangements you put in place. You should include your employees by getting them to:
  • Participate in developing and devising procedures to minimise the risk of violence;
  • Participate in the evaluation of any control measures;
  • Share on-the-job experiences to help other employees recognise and respond to violence.
➢ Compare yourself to current good practice, which is included in the Quick guide to control measures.
➢ Identify any further control measures necessary to reduce the risk to the lowest possible level.

d. Step 4: Record your findings and implement them

At this stage you should have identified measures you are already taking to keep your staff safe, as well as actions you could take to improve things further. You need to decide how you are going to put these actions in place. Remember, it is action and not paperwork that protects people; risk assessment is a means to an end, not an end in itself. You will need to prioritise, and may want to think about the following to help you work out your priorities:
➢ Can I use more than one measure? A combination of measures may be more effective than relying on just one. Can I use a mixture of both short- and long-term measures that will get me both 'quick wins' and longer-term effectiveness?
➢ How will staff react to these measures? How do I demonstrate the value of the measures?