Assignment 2 - Security (1623) - Grade D
Typology: Study Guides, Projects, Research
Qualification: BTEC Level 5 HND Diploma in Computing
Unit number and title: Unit 5: Security
Submission date:
Date received (1st submission):
Re-submission date:
Date received (2nd submission):
Student name: Phan Nhat Linh
Student ID: GCD
Class: GCD0905
Assessor name: Tran Trong Minh
Student declaration: I certify that the assignment submission is entirely my own work and I fully understand the consequences of plagiarism. I understand that making a false declaration is a form of malpractice.
Student's signature: Linh
Grading grid
Grade: Assessor signature: Date: Lecturer signature:
I/ DISCUSS RISK ASSESSMENT PROCEDURES (P5)
Figure 1: What is security risk assessment?
A security risk assessment identifies, evaluates and applies the important security measures for an application. It is also concerned with preventing application security flaws and vulnerabilities. A risk assessment enables an organization to examine its application portfolio holistically, from the perspective of an attacker. It assists managers in making educated decisions about resource allocation, tools and the implementation of security controls. As a result, completing an assessment is an essential component of an organization's risk management strategy.
a. Define the requirements
Vulnerabilities and threats come in a variety of shapes and sizes. Make a list of potential dangers to the confidentiality, integrity and availability of the organization's data. Examine current constraints to avoid duplicating unnecessary operations.
c. Analyze risks
Figure 3: Analyze risks
Typically, risk analysis means understanding how a threat may present itself, which requires recognizing a weakness in your assets as well as a threat that might exploit that weakness. You should be able to assign a score or value to each security event you identify and evaluate the likelihood of a threat exploiting it. Returning to the risk scale, human, financial, legal, regulatory, reputational and operational factors can all affect a threat's impact, while likelihood factors include frequency of occurrence, previous occurrences, current levels of security control, attack group size and vulnerability knowledge. Below is a risk treatment with the likelihood (LHO) and business impact (BI) established in the previous phases. A final grade helps in addressing and treating the hazards to the company.
d. Evaluate risks
Your company's risk assessment software should automatically gather the results of your risk analysis, compute where each risk falls on the risk scale, and determine whether the risk falls within your predetermined level of acceptable risk. You should be able to quickly identify your most critical risks and, as a result, prioritize which ones to address first.
e. List risk treatment options
After analyzing and prioritizing risks, companies should respond based on existing controls. There are a variety of treatment options available, including the following:
➢ Accept the risk: This is normally achieved by implementing security controls that reduce the risk's likelihood or effect.
➢ Reduce the risk: You can either accept the risk if it fulfills your risk acceptance criteria, or you can decide that it requires special decisions.
➢ Transfer the risk: Risk is typically transferred through insurance or outsourcing. Although a breach will almost always hurt your company, you can share the risk with someone who is better suited to mitigate the damage.
➢ Terminate the risk: Your organization can take steps to eliminate the risk-causing behavior or event.
f. Review on a regular basis
Risk assessments are carried out using the plan-do-check-act (PDCA) method. Risks will continue to emerge, change and vanish. Companies should review the risk assessment on a regular basis, taking into consideration all of the aspects defined in the initial step of a risk management plan. The findings should be communicated to the company's security forum.
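Steps c to e above describe scoring each risk from its likelihood (LHO) and business impact (BI), placing the final grade on a risk scale, comparing it with a predetermined acceptable level, and prioritizing the most critical risks for treatment. The following script is an added example of that procedure on a small risk register; it is not part of the original assignment. The 1-5 scales, the band boundaries, the acceptance threshold and the four sample risks are constructed assumptions, not values from the page.

```python
"""Risk scoring and prioritisation for a small risk register.

Added example, not code from the original assignment. The scales, band
boundaries, acceptance threshold and sample risks are constructed
assumptions; replace them with your own risk acceptance criteria.
"""
from dataclasses import dataclass

# Constructed 1-5 scales for likelihood (LHO) and business impact (BI).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Assumed acceptance threshold: a final grade at or below this is accepted (step d).
ACCEPTABLE_RISK = 6


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: str
    impact: str
    existing_control: str = "none"


def final_grade(risk: Risk) -> int:
    """Step c: the final grade is LHO multiplied by BI."""
    return LIKELIHOOD[risk.likelihood] * IMPACT[risk.impact]


def band(grade: int) -> str:
    """Place a grade on a four-step risk scale (constructed boundaries)."""
    if grade >= 15:
        return "critical"
    if grade >= 10:
        return "high"
    if grade >= 5:
        return "medium"
    return "low"


def treatment(grade: int) -> str:
    """Step e: accept a risk within the criteria; anything above needs a
    treatment decision (reduce, transfer or terminate) made against the
    existing controls, which this script only flags rather than decides."""
    return "accept" if grade <= ACCEPTABLE_RISK else "treat (reduce / transfer / terminate)"


def evaluate(register: list) -> list:
    """Step d: grade every risk, decide acceptability and order most critical first."""
    rows = []
    for r in register:
        g = final_grade(r)
        rows.append({
            "asset": r.asset,
            "threat": r.threat,
            "existing_control": r.existing_control,
            "grade": g,
            "band": band(g),
            "treatment": treatment(g),
        })
    rows.sort(key=lambda row: row["grade"], reverse=True)
    return rows


# Constructed sample register: one technical, one physical, one human, one process risk.
SAMPLE_REGISTER = [
    Risk("customer database", "SQL injection by external attacker",
         "unvalidated web form input", "likely", "severe", "WAF in monitor mode"),
    Risk("office server room", "fire", "no suppression system", "rare", "major"),
    Risk("staff laptops", "phishing email", "untrained staff",
         "almost certain", "moderate", "spam filter"),
    Risk("public website", "defacement", "outdated CMS plugin", "possible", "minor"),
]

if __name__ == "__main__":
    for row in evaluate(SAMPLE_REGISTER):
        print(f"{row['grade']:>2} {row['band']:<8} {row['treatment']:<36} "
              f"{row['asset']}: {row['threat']} (control: {row['existing_control']})")
```

Running the script lists the register most critical first, so the top rows are the ones to address first; a grade equal to the threshold is accepted, which is why the threshold value itself is a decision the business must record, not a property of the scoring.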
Figure 5: What's a threat?
A threat is any incident that could negatively affect an asset, for example if it is lost, knocked offline or accessed by an unauthorised party. Threats can be categorised as circumstances that compromise the confidentiality, integrity or availability of an asset, and can be either intentional or accidental. Intentional threats include things such as criminal hacking or a malicious insider stealing information, whereas accidental threats generally involve employee error, a technical malfunction or an event that causes physical damage, such as a fire or natural disaster.
A vulnerability is an organisational flaw that can be exploited by a threat to destroy, damage or compromise an asset. You are most likely to encounter a vulnerability in your software, because of its complexity and the frequency with which it is updated. These weaknesses, known as bugs, can be used by criminal hackers to gain access to sensitive information. Vulnerabilities don't only refer to technological flaws, though. They can be physical weaknesses, such as a broken lock that lets unauthorised parties into a restricted part of your premises, or poorly written (or non-existent) processes that could lead to employees exposing information.
Other vulnerabilities include inherent human weaknesses, such as our susceptibility to phishing emails; structural flaws in the premises, such as a leaky pipe near a power outlet; and communication errors, such as employees’ sending information to the wrong person.
Figure 6: What is threat identification?
The threat identification process examines IT vulnerabilities and determines their capacity to compromise your system. It is a key element of your organization's risk management program. Identifying threats allows your organization to take preemptive action. You receive the information you need to obstruct unauthorized users and prevent system breaches. At Ward IT Security Consulting Group, we provide the specialized knowledge and the experience necessary for effective threat identification. Each IT system environment is unique. Some threats will be part of a set common to all organizations with public-facing web portals. Other vulnerabilities may be specific to your organization. That is why we work collaboratively with your staff and begin our evaluation with an in-depth understanding of your organization and operations.
➢ Analyzing and understanding the particular threat portfolio specific to your organization and its operation.
➢ Effectively prioritizing the evaluation of your system vulnerabilities.
➢ Determining how those vulnerabilities may be exploited by a specific threat actor or action.
➢ Providing a report of findings with detailed information that allows your organization to implement preemptive risk management actions.
organization identify potential hazards and any business assets put at risk by these hazards, as well as potential fallout if these risks come to fruition. With the risk assessment process, users take a look at their organizations to:
Once you've planned and allocated the necessary resources, you can begin the risk assessment process. Proceed with these five steps.
a. Step 1: Identify the hazards
The first step in creating your risk assessment is determining what hazards your employees and your business face, including:
➢ Natural disasters (flooding, tornadoes, hurricanes, earthquakes, fire, etc.)
➢ Biological hazards (pandemic diseases, foodborne illnesses, etc.)
➢ Workplace accidents (slips and trips, transportation accidents, structural failure, mechanical breakdowns, etc.)
➢ Intentional acts (labor strikes, demonstrations, bomb threats, robbery, arson, etc.)
➢ Technological hazards (lost Internet connection, power outage, etc.)
➢ Chemical hazards (asbestos, cleaning fluids, etc.)
➢ Mental hazards (excess workload, bullying, etc.)
➢ Interruptions in the supply chain
Examine your workplace to identify what procedures or actions might be harmful to your company. Include all areas of employment, such as remote employees and non-routine tasks like repair and maintenance. You should also review accident/incident records to discover what dangers have already harmed your firm. Try our free template below to break down tasks into possible dangers and assets at risk.
Figure 7: Hazard Identification and Analysis
b. Step 2: Determine who might be harmed and how
You need to identify which groups of people in your business could be harmed by physical assaults, threats, intimidation or verbal abuse. Think about all the individuals you have in your workplace at any
At this stage of your risk assessment you need to establish whether there is a significant risk of violence in your business. You can do this in a number of ways, but perhaps the easiest way initially is to speak to your staff and safety representatives about their experiences. You can also look at sickness absence figures, staff turnover, injury and illness records (particularly incidents of work-related violence), stock losses and police records. Your local police force may be prepared to release crime data for your business to help you establish how you need to tackle violence and crime on your premises. RIDDOR reports can also be a useful source of information, and crime mapping can help you decide where best to target your activities.
Risk factors
Licensed and retail businesses have, by the very nature of their business, factors which can increase the likelihood of violence occurring. These include:
➢ Handling large amounts of money or exchanging money;
➢ Your staff having face-to-face contact with customers;
➢ Opening in the evening or late at night;
➢ Dealing with customer complaints or disputes. Dealing with angry customers in disputes/complaints, e.g. over goods, services and refunds, allegations of short-changing or cash mistakes, or non-authorisation of card purchases, can trigger customer embarrassment and violence.
Your business may also have specific risk factors that are associated with a higher risk of violence:
➢ You have lone workers or small numbers of staff.
➢ You sell or guard high-value goods. Items may include medications, expensive merchandise or alcohol/tobacco.
➢ You sell age-restricted goods. Refusing to serve customers who are underage or without ID, or refusing to sell alcohol after licensing hours or to those who are intoxicated, can also trigger violence.
➢ Your staff are under pressure. Exceptional workloads, inadequate stocks or staff shortages may slow employee performance and lead to delays, queues, and customer impatience and hostility.
➢ Your customers have a history of violence or are likely to be under the influence of drink or drugs.
➢ Your premises are in a high-crime area. Businesses with previous experience of robbery, assaults or threats are more at risk of repeat incidents.
➢ Your business is quite isolated or you do not have many customers.
➢ Your premises have easy access/escape routes.
➢ Your business's layout/lighting is poor. For example, tills are located near doors or there is poor visibility from outside the shop to inside.
➢ You do not have any (obvious) security measures, which may suggest to potential assailants or criminals that there is a low risk of detection and minimal protection.
Decide on precautions
The next step is to decide whether there is anything more you can do. Have you reduced the risks 'so far as is reasonably practicable'? To do this you will need to:
➢ Look at your existing controls to ensure they are working effectively and as intended.
➢ Consult your staff about their ideas. Employees have practical experience and insight into their workplace and are therefore a good source of information and ideas. Involving your staff will also encourage them to adopt and own the arrangements you put in place. You should include your employees by getting them to: