Assignment 2 Security - DISTINCTION, Assignments of Computer Security

In this Assignment, you will learn about computer security and get Distinction point for your assignment.

Typology: Assignments

2021/2022

Available from 11/22/2022

phan-minh-tien-fgw-dn
phan-minh-tien-fgw-dn 🇻🇳

4.7

(12)

47 documents

1 / 67

Toggle sidebar

This page cannot be seen from the preview

Don't miss anything!

bg1
ASSIGNMENT 2 FRONT SHEET
Qualification
BTEC Level 5 HND Diploma in Computing
Unit number and title
Unit 5: Security
Submission date
Date Received 1st submission
Re-submission Date
Date Received 2nd submission
Student Name
Phan Minh Tiến
Student ID
GCD201914
Class
GCD1001
Assessor name
Trần Trọng Minh
Student declaration
I certify that the assignment submission is entirely my own work and I fully understand the consequences of plagiarism. I understand that
making a false declaration is a form of malpractice.
Student’s signature
Tiến
Grading grid
P6
P7
P8
M3
M4
M5
D2
D3
pf3
pf4
pf5
pf8
pf9
pfa
pfd
pfe
pff
pf12
pf13
pf14
pf15
pf16
pf17
pf18
pf19
pf1a
pf1b
pf1c
pf1d
pf1e
pf1f
pf20
pf21
pf22
pf23
pf24
pf25
pf26
pf27
pf28
pf29
pf2a
pf2b
pf2c
pf2d
pf2e
pf2f
pf30
pf31
pf32
pf33
pf34
pf35
pf36
pf37
pf38
pf39
pf3a
pf3b
pf3c
pf3d
pf3e
pf3f
pf40
pf41
pf42
pf43

Partial preview of the text

Download Assignment 2 Security - DISTINCTION and more Assignments Computer Security in PDF only on Docsity!

ASSIGNMENT 2 FRONT SHEET

Qualification BTEC Level 5 HND Diploma in Computing

Unit number and title Unit 5: Security

Submission date Date Received 1st submission

Re-submission Date Date Received 2nd submission

Student Name Phan Minh Tiến Student ID GCD

Class GCD1001^ Assessor name Trần^ Trọng Minh

Student declaration

I certify that the assignment submission is entirely my own work and I fully understand the consequences of plagiarism. I understand that making a false declaration is a form of malpractice.

Student’s signature Tiến

Grading grid

P5 P6 P7 P8 M3 M4 M5 D2 D

❒ Summative Feedback: ❒ Resubmission Feedback:

Grade: Assessor Signature: Date:

Lecturer Signature:

VIII. THE ROLES OF STAKEHOLDERS IN ORGANIZATION TO IMPLEMENT SECURITY AUDIT RECOMMENDATIONS (M5)

  • I. INTRODUCTION
  • II. RISK ASSESSMENT PROCEDURES (P5)
      1. Definition of Risk and Risk assessment
      • a. Risk
      • b. Risk assessment
      1. Asset, threat, and threat identification procedure
      • a. Asset
      • b. Threat
      • c. Threat identification procedure.........................................................................................................................
      1. The risk assessment procedure
      1. Risk identification steps
  • III. THE ISO 31000 RISK MANAGEMENT METHODOLOGY AND ITS APPLICATION IN IT SECURITY (M3)
      1. ISO risk management overview
      1. Standard of ISO 31000 risk management
      1. Principles of ISO 31000 risk management process
      1. ISO 31000 implementing the risk management process
      1. Application of ISO 31000 in organization
      1. Benefits of ISO
      1. ISO APPLY FOR WHEELIE GOOD COMPANY
  • IV. DATA PROTECTION PROCESSES AND REGULATION AS APPLICABLE TO AN ORGANIZATION (P6)
      1. Definition of data protection...............................................................................................................................
      1. Data protection process with relations to organization
      • a. Principles of data protection
      • b. Steps of data protection process.....................................................................................................................
      • c. Data Protection Methods
      • d. Data loss prevention (DLP)
      • e. Policy management
      1. The importance of data protection and regulations
  • V. POSSIBLE IMPACT TO ORGANIZATIONAL SECURITY RESULTING FROM AN IT SECURITY AUDIT (M4)....................
      1. Definition of IT security audit
      1. Types of security audit
      1. Impact of IT security audit
      1. Benefit of IT security audit
  • VI. DESIGN AND IMPLEMENT A SECURITY POLICY FOR AN ORGANIZATION (P7)
      1. Definition of security policy
      1. The implementation of security policies security as follows:
      1. The steps to design a policy.................................................................................................................................
      1. Design a policy for “Wheelie Good”
  • INCLUSION (P8)............................................................................................................................................................ VII. THE MAIN COMPONENTS OF AN ORGANIZATION DISASTER RECOVERY PLAN, JUSTIFYING THE REASONS FOR
      1. Business continuity
      1. The components of disaster recovery plan
      1. The steps required in disaster recovery process
      1. Some of the policies and procedures that required for business continuity
      1. Stakeholder definition and their roles.................................................................................................................
  • IMPACT OF ANY MISALIGNMENT (D2) IX. CONSIDER HOW IT SECURITY CAN BE ALIGNED WITH ORGANIZATIONAL POLICY, DETAILING THE SECURITY
      1. What is Organizational Policy?
      1. Detailing the security impact of any misalignment.
  • X. EVALUATE THE SUITABILITY OF THE TOOLS USED IN AN ORGANIZATIONAL POLICY (D3)
  • REFERENCES
  • Figure 1: Risk Table of Figure
  • Figure 2: Risk Assessment
  • Figure 3: Risk assessment steps
  • Figure 4: The ISO 31000 risk management..................................................................................................................
  • Figure 5: The ISO 31000 risk management..................................................................................................................
  • Figure 6: Data protection
  • Figure 7: Security Audit
  • Figure 8: Security Policy...............................................................................................................................................
  • Figure 9: Implementing an Information Security Management System
  • Figure 10: Configure ACL on Router
  • Figure 11: Examples of security policies......................................................................................................................
  • Figure 12: RogueScanner
  • Figure 13: SoftPerfect Network Scanner
  • Figure 14: Avast Home Edition
  • Figure 15: Attack Trace
  • Figure 16: SSL Cipher Suiter Order
  • Figure 17: Local Security Policy
  • Figure 18: Set up a computer lock policy
  • Figure 19: Secure FTP server with SSL / TLS with FileZilla Server
  • Figure 20: Evernote
  • Figure 21: Trello...........................................................................................................................................................
  • Figure 22: Google Docs
  • Figure 23: Microsoft outlook
  • Figure 24: Skype
  • Table 1: Networking Server Room Policy Table of Table
  • Table 2: Roles of Stakeholders
  • Table 3: Example of misalignment Categories

Figure 1: Risk

b. Risk assessment

A security risk assessment identifies, assesses, and implements key security controls in applications. It also focuses on preventing application security defects and vulnerabilities.

Figure 2: Risk Assessment

Conducting a risk assessment allows an organization to view the application portfolio holistically—from an attacker’s perspective. It supports managers in making informed resource allocation, tooling, and

security control implementation decisions. Thus, conducting an assessment is an integral part of an organization’s risk management process

2. Asset, threat, and threat identification procedure

a. Asset

An asset is any data, device or other component of an organization’s systems that is valuable – often because it contains sensitive data or can be used to access such information. For example, an employee’s desktop computer, laptop or company phone would be considered an asset, as would applications on those devices. Likewise, critical infrastructure, such as servers and support systems, are assets. An organization’s most common assets are information assets. These are things such as databases and physical files – i.e., the sensitive data that you store.

b. Threat

A threat is any incident that could negatively affect an asset – for example, if it is lost, knocked offline or accessed by an unauthorized party. Threats can be categorized as circumstances that compromise the confidentiality, integrity, or availability of an asset, and can either be intentional or accidental. Intentional threats include things such as criminal hacking or a malicious insider stealing information, whereas accidental threats generally involve employee error, a technical malfunction, or an event that causes physical damage, such as a fire or natural disaster

c. Threat identification procedure

The threat identification process examines IT vulnerabilities and determines their capacity to compromise the system. It is a key element of the organization’s risk management program. Identifying threats allows organizations to take preemptive actions. The organization receives the information need to obstruct unauthorized users and prevent system breaches.

In the threat identification procedure, each of the threats identified so far has the potential to attack any of the assets protected. This will quickly become more complex and overwhelm the business plan. Therefore, to make this part of the process manageable, each step in the threat identification and the vulnerability identification process is managed separately and then coordinated at the end of the process.

3. The risk assessment procedure

With the risk assessment process, users take a look at their organizations to:

Identify the hazards

The first step to creating your risk assessment plan is determining what hazards your employees and your business face, including:

 Natural disasters (flooding, tornadoes, hurricanes, earthquakes, fire, etc.)  Biological hazards (pandemic diseases, foodborne illnesses, etc.)

 Workplace accidents (slips and trips, transportation accidents, structural failure, mechanical breakdowns, etc.)  Intentional acts (labor strikes, demonstrations, bomb threats, robbery, arson, etc.)  Technological hazards (lost Internet connection, power outage, etc.)  Chemical hazards (asbestos, cleaning fluids, etc.)  Mental hazards (excess workload, bullying, etc.)  Interruptions in the supply chain

Take a look around your workplace and see what processes or activities could potentially harm your organization. Include all aspects of work, including remote workers and non-routine activities such as repair and maintenance. You should also look at accident/incident reports to determine what hazards have impacted your company in the past.

Determine who might be harmed and how

As you look around your organization, think about how your employees could be harmed by business activities or external factors. For every hazard that you identify in step one, think about who will be harmed should the hazard take place.

Evaluate the risks and take precautions

Now that you have gathered a list of potential hazards, you need to consider how likely it is that the hazard will occur and how severe the consequences will be if that hazard occurs. This evaluation will help you determine where you should reduce the level of risk and which hazards you should prioritize first.

Record your findings

If you have more than five employees in your office, you are required by law to write down your risk assessment process. Your plan should include the hazards you’ve found, the people they affect, and how you plan to mitigate them. The record—or the risk assessment plan—should show that you:

 Conducted a proper check of your workspace

 Determined who would be affected  Controlled and dealt with obvious hazards  Initiated precautions to keep risks low  Kept your staff involved in the process Review assessment and update if necessary

Your workplace is always changing, so the risks to your organization change as well. As new equipment, processes, and people are introduced, each brings the risk of a new hazard. Continually review and update your risk assessment process to stay on top of these new hazards.

4. Risk identification steps

There are five core steps within the risk identification and management process:

Risk Identification: The purpose of risk identification is to reveal what, where, when, why, and how something could affect a company’s ability to operate.  Risk Analysis: This step involves establishing the probability that a risk event might occur and the potential outcome of each event.  Risk Evaluation: Risk evaluation compares the magnitude of each risk and ranks them according to prominence and consequence. Whichever event is determined to have a higher probability of happening and causing damage, it would rank higher.  Risk Treatment: Risk treatment is also referred to as Risk Response Planning. In this step, risk mitigation strategies, preventative care, and contingency plans are created based on the assessed value of each risk.  Risk Monitoring: Risk management is a non-stop process that adapts and changes over time. Repeating and continually monitoring the processes can help assure maximum coverage of known and unknown risks.

III. THE ISO 31000 RISK MANAGEMENT METHODOLOGY

AND ITS APPLICATION IN IT SECURITY (M3)

1. ISO risk management overview

ISO 31000 is an international standard published in 2009 that provides principles and guidelines for effective risk management. It outlines a generic approach to risk management, which can be applied to different types of risks (financial, safety, project risks) and used by any type of organization. The standard

3. Principles of ISO 31000 risk management process

 Creates value  Integral part of organizational processes  Part of decision making  Explicitly addresses uncertainty  Systematic, structured and timely  Based on the best available information  Tailored  Takes human and cultural factors into account  Transparent and inclusive  Dynamic, iterative and responsive to change  Facilitates continual improvement and enhancement of the organization

4. ISO 31000 implementing the risk management process

The organization’s risk management process should involve the systematic application of policies, procedures and practices to the activities of communicating and consulting, establishing the context and assessing, treating, monitoring, reviewing, recording and reporting risk.

Figure 5: The ISO 31000 risk management

The main purpose of the risk management process is to enable the organization to assess the existing or potential risks that may be faced, evaluate the risks by comparing the risk analysis results with the established risk criteria, and treat such risks using the risk treatment options. The organization should use such process in the decision-making process. The fundamental processes that need to be developed which make up the full risk management process are:  Establishing the context : When establishing the context, the organization needs to consider the organization’s external environment (political, social, etc.) and internal environment (objectives, strategies, structures, ethics, discipline, etc.). The organization’s context must be understood before the full range of risks can be identified. While establishing the context, the organization should define the purpose and scope of its risk management activities and determine the objectives of the risk management process and the specific objectives of risk assessment. Furthermore, the organization should define the scope and boundaries related to the risk management process and identify all the constraints that affect the scope. After identifying the constraints, the organization should define the risk criteria which will be used during the whole process. This is the key consideration that most security risk management practitioners fail to understand. We need to fully appreciate the internal organizational makeup and the business objectives to be achieved or maintained if we are to build an effective plan. The external environment where the organization operates is just as important to understand to. Having a fully informed picture of all upstream and downstream stakeholders will provide a richer contextual foundation upon which to build a strong treatment plan and define the risk criteria that reflects the organizations values and objectives.  Risk identification : The identification of risks should be a formal, structured process that includes risk sources, events, their causes and their potential consequences. Simply said, risk identification is about the creation of a comprehensive list of risks (both internal and external) that the organization faces and can involve input from sources such as historical data, theoretical analysis, expert options, and stakeholder’s needs. The risk identification process enables the organization to identify its assets, risk sources, risk events, existing measures and consequences. By identifying such elements, the organization will be ready to begin the risk analysis process.  Analysis risk : The organization should analyze each risk that was identified in the previous step. Based on the level of risk that is determined after the risk analysis, the organization can define whether the risk is acceptable or not. As so, if the risk turns out to be unacceptable, the organization can take actions to modify the risk to correspond to the acceptable level of risk. The organization should use a formal technique to consider the consequence and likelihood of each risk, and these techniques can be qualitative, semi-quantitative, quantitative, or a combination thereof, based on the circumstances and the intended use.

owners, control assurance, taking on board new information that becomes available, and learning lessons about risks and controls from the analysis of successes and failures.

5. Application of ISO 31000 in organization

While all organizations manage risk to some degree, ISO 31000 establishes the eleven principles that need to be met for effective risk management outlined above. The principles provide guidance on the following:

 The rationale for managing risk effectively (e.g., risk management creates and protects value).  The characteristics of risk management that enable risk management to be effective, e.g., second principle, which specifies that risk management is an integral part of all organizational processes.

In ISO 31000, each principle is summarized in a few words by its heading, with the supporting text providing explanation and detail. All eleven principles should be considered when designing the organization’s risk management objectives. However, the significance of individual principles may vary according to the part of the framework under consideration and tailored to their specific application. The successful implementation of these principles will determine both the effectiveness and efficiency of risk management in the organization. All eleven principles should be kept in mind at all times, even though the significance of individual principles may vary according to the part of the framework under consideration. Although the principles are expressed succinctly, the implications of each need to be thoroughly understood in order to give effect to them on a continuing basis. Afterward, the results of this kind of analysis should be reflected in the design or enhancement of the framework (e.g., in the allocation of accountabilities, provision of training, communication with stakeholders, and the design of ongoing monitoring and review of risk management performance).

6. Benefits of ISO 31000

 Actively improve operational efficiency and governance.  Build stakeholder confidence in your use of risk techniques.  Apply management system control to risk analysis to minimize losses.  Improve management system performance and resilience.  Respond to change your efficiency and protect your business as you grow

7. ISO APPLY FOR WHEELIE GOOD COMPANY

Scope of application of the project

Focus on fully applying according to system requirements ISO 31000 in departments and production units: Human Resources Department, Department Administration, Testing Room, Logistics Department of Workshop making bicycle parts for "Wheelie good" company. Method and content of project implementation work. Methods of implementation: The implementation method is mainly based on practice, steps performed below is largely concerned with the initial assessment, corporate training, the practice of risk management systems, performance evaluation and improvement. The theoretical basis of this method is PDCA cycle (plan; do; check/evaluate; improve) next). In this method, the project team is directly business representatives practice improvement tools in place, measure practice results before and after improvement to determine the level of improvement quantitative progress. Implementation content Step 1. Contact with businesses and assess the situation survey Business activities:

  • Drafting survey and evaluation program contents and programs.
  • Contact with Business Leaders, identify commitments and deployment scope.
  • Conduct audits according to “ISO 31000 Practice Assessment Table” built.
  • Make a specific plan to guide the implementation.
  • Prepare relevant documents and arrange functional departments ability to work with consultants.
  • Consider the implementation conditions.
  • Business leaders consider giving suggestions on specific directions implementation guide. Step 2. Establish working groups/Implementation boards
  • Guidance on setting up the Project Executive Board according to the selected topic select in step 1.
  • Select appropriate members to join the project management board.
  • Establish project management board, develop structure and regulations work coordination Step 3. Awareness training and practice of risk management system according to ISO 31000
  • Prepare appropriate curriculum/training aids.
  • Make a list of key subjects participating in the training course and organizing training courses. Step 4. Guidelines for developing a risk management framework include: SWOT Analysis Table (strengths, weaknesses, opportunities and threats); Risk management policies, objectives and procedures; Risk assessment sheet, detailed plans, etc:
  • Make a table of the division of responsibilities of each group and unit, departments involved in drafting required documents.
  • Guide businesses to write related documents.
  • Key officials participated in the development of documents at the request of Risk management system under the supervision of consultants according to a specific plan may be proposed by consultants.
  • Adjust the document in accordance with the requirements of the Risk Management system.
  • The risk management system according to ISO 31000 is applied to the whole company possible departments of the Wheelie Good Company, but in the process implementation The company has focused on a number of key parts to implement implemented in accordance with the requirements of ISO 31000. During implementation, The Company has identified and identified 17 significant risks to focus on tracking and processing. The results of risk treatment are assessed as follows:
  • 12/17 risks (accounting for 70.5%) have been reduced compared to before applying ISO 31000 according to statistics.
  • 4/17 risks (accounting for 23.5%) have not yet implemented treatment solutions workshop risk (3 risks), Laboratory (1 risk).
  • 1/17 of risks (accounting for 6%) have implemented risk treatment solutions but not minimized.

IV. DATA PROTECTION PROCESSES AND REGULATION AS

APPLICABLE TO AN ORGANIZATION (P6)

1. Definition of data protection

Data protection is the process of protecting data. It involves the relationship between the collection and dissemination of data and technology, the public perception and expectation of privacy, and the political and legal underpinnings surrounding that data. It aims to balance individual privacy rights while still allowing data to be used for business purposes.

Figure 6: Data protection

2. Data protection process with relations to organization

a. Principles of data protection

The GDPR sets out seven principles for the lawful processing of personal data. Processing includes the collection, organization, structuring, storage, alteration, consultation, use, communication, combination, restriction, erasure or destruction of personal data. Broadly, the seven principles are:

Lawfulness, fairness and transparency Collecting the personal data, the fairness and transparency are essential to not be used unexpectedly and must be processed lawfully when selling and/or transfer the personal data. The principal key of the law for personal data protection is that the data must be collected and processing respecting the legal process. Purpose limitation Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the