ASSIGNMENT 2 FRONT SHEET
Qualification: BTEC Level 5 HND Diploma in Computing
Unit number and title: Unit 5: Security
Submission date: 08/08/2023
Date Received 1st submission: 08/08/
Re-submission Date:
Date Received 2nd submission:
Student Name: Nguyễn Văn Trường
Student ID: GCH
Class: GCH1107
Assessor name: Ha Trong Thang
Student declaration: I certify that the assignment submission is entirely my own work and I fully understand the consequences of plagiarism. I understand that making a false declaration is a form of malpractice.
Student’s signature: Trường
Grading grid: P5 P6 P7 P8 M3 M4 M5 D2 D
- Introduction
- Task 1 - Discuss risk assessment procedures (P5)
- I. Define a security risk and how to do risk assessment
- 1 Definition of a Security Risk
- 1.2 How to do a risk assessment
- a. Define the requirements
- b. Identify risks
- c. Analyze risks
- d. Evaluate risks
- e. List risk treatment options
- f. Visit on a regular basis
- II. Define assets, threats and threat identification procedures, and give examples
- 2.1 What’s an asset?
- 2.2 What’s a threat?
- 2.3 What’s a vulnerability?
- 2.4 What is threat identification?
- III. Explain the risk assessment procedure
- IV. List risk identification steps
- 4.1 Five steps in the risk assessment process
- a. Step 1: Identify the hazards
- b. Step 2: Determine who might be harmed and how
- c. Step 3: Evaluate the risks and take precautions
- d. Step 4: Record your findings and implement them
- e. Step 5: Review your risk assessment and update if necessary
- 4.2 What problems does a security risk assessment solve?
- Task 2 - Explain data protection processes and regulations as applicable to an organisation (P6)
- Define data protection
- a) CIA triad
- b) AAA security model
- c) GDPR acts
- Explain data protection process in an organization
- Why are data protection and security regulation important?
- Task 3 - Design and implement a security policy for an organisation (P7)
- 1 Define a security policy and discuss about it
- 2 Give an example for each of the policies
- a. Physical security policies
- b. Information security policies
- c. Acceptable use policy (AUP)
- d. Data breach response policy.
- e. Disaster recovery plan.
- f. Business continuity plan.
- g. Remote access policy.
- h. Access control policy.
- Give the most and should that must exist while creating a policy
- Explain and write down elements of a security policy.
- Give the steps to design a policy.
- a) Step 1: Identify your risks.
- b) Step 2: Learn from others.
- c) Step 3: Make sure the policy conforms to legal requirements.
- d) Step 4: Level of security = level of risk.
- e) Step 5: Include staff in policy development.
- f) Step 6: Train your employees.
- g) Step 7: Get it in writing
- h) Step 8: Set clear penalties and enforce them.
- i) Step 9: Update your staff.
- j) Step 10: Install the tools you need.
- Task 4 - List the main components of an organisational disaster recovery plan, justifying the reasons for inclusion (P8)
- Discuss with explanation about business continuity.
- List the components of recovery plan.
- a) Every bad case scenario
- b) Employee Communication and Preparation
- c) Document Recovery
- d) Off-Site Locations
- e) Asset Inventory
- Write down all the steps required in disaster recovery process.
- a) The scope of your plan.
- b) Organisational roles and responsibilities
- c) Your critical business functions and the tolerance for downtime.
- d) The strategies, processes and procedures to resume your critical business functions
- e) A communication plan.
- f) Schedule for Testing, Reviewing & Improving.
- Explain some of the policies and procedures that are required for business continuity.
- VI. Conclusion
- References
1.2 How to do a risk assessment

a. Define the requirements

Figure 2: Define the requirements

According to ISO 27001, an information security standard released by the International Organization for Standardization and the International Electrotechnical Commission, a formal method is required to establish a transparent and quantitative risk assessment framework. ISO 31000, a set of risk management standards published by the International Organization for Standardization to provide risk management principles and fundamental guidelines, has also influenced the methodology and structure.

The first step is to identify the commercial, regulatory, and contractual information security standards that must be met. Organizations that process or control personal information, for example, must adhere to the European Union's General Data Protection Regulation (GDPR). The second step is to establish the risk scale, which combines the likelihood and effect of security events. Risk evaluations can be either qualitative or quantitative.

b. Identify risks

Risk identification is a time-consuming process that requires validating each of the following for every risk:

- The asset (the thing of value to be protected)
- The threat (which can affect the asset)
- The vulnerability (the weakness that allows the threat to affect the asset)
Vulnerabilities and threats come in a variety of shapes and sizes. Make a list of potential dangers to the confidentiality, integrity, and availability of the organization's data. Examine current constraints to avoid duplicating unnecessary operations.

c. Analyze risks

Figure 3: Analyze risks

Risk analysis involves understanding potential threats and vulnerabilities to an organization's assets and then assessing the likelihood of those threats exploiting the vulnerabilities. Each security event is assigned a score or value, and factors like human, financial, legal, regulatory, reputational, and operational impacts are considered to determine the threat's potential impact. Likelihood factors such as the frequency of occurrence, previous incidents, existing security controls, size of attack groups, and vulnerability knowledge are also evaluated.

Using the risk scale established in the previous phases, the likelihood (LHO) and business impact (BI) of each identified risk are determined. These assessments help in quantifying and prioritizing the risks the company faces. The risk treatment plan is then formulated based on these assessments, addressing and mitigating the identified risks effectively. This allows organizations to make informed decisions and allocate resources to protect their assets and reduce the overall risk to the business.

d. Evaluate risks

The risk assessment software utilized by your company should automate the process of gathering risk analysis results and determine the position of each risk on the risk scale. It should then compare these risks against the pre-established level of acceptable risk. By doing so, the software can quickly identify the most critical risks, enabling you to prioritize and address them promptly and effectively. This automated approach streamlines risk management and allows for efficient allocation of resources to mitigate potential threats.
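The analysis and evaluation steps above, as an added example (not part of the original assignment): a small Python risk register that scores each asset/threat/vulnerability triple by likelihood (LHO) and business impact (BI), places it on a risk scale, and compares it against an acceptable-risk level. The 1-5 scales, the LHO × BI product, the band boundaries, the threshold of 6 and the sample entries are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Assumption: LHO and BI are ordinal scores from 1 (lowest) to 5 (highest).
SCALE_MIN, SCALE_MAX = 1, 5
# Assumption: risks scoring above this level are not acceptable and need treatment.
ACCEPTABLE_RISK = 6
# Assumption: band floors on the 1-25 risk scale, checked from highest to lowest.
BANDS = [(15, "high"), (7, "medium"), (1, "low")]


@dataclass(frozen=True)
class Risk:
    asset: str          # what is being protected
    threat: str         # what could affect the asset
    vulnerability: str  # the weakness that lets the threat affect the asset
    lho: int            # likelihood
    bi: int             # business impact

    def __post_init__(self):
        # Reject scores outside the agreed scale so the register stays comparable.
        for name in ("lho", "bi"):
            value = getattr(self, name)
            if not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(f"{name}={value} is outside {SCALE_MIN}-{SCALE_MAX}")

    @property
    def score(self) -> int:
        """Position on the risk scale: likelihood combined with impact."""
        return self.lho * self.bi

    @property
    def band(self) -> str:
        return next(label for floor, label in BANDS if self.score >= floor)


def evaluate(register, acceptable=ACCEPTABLE_RISK):
    """Split the register into (needs_treatment, accepted).

    needs_treatment is ordered worst first; ties are broken by higher impact.
    """
    needs_treatment = sorted(
        (r for r in register if r.score > acceptable),
        key=lambda r: (-r.score, -r.bi, r.asset),
    )
    accepted = [r for r in register if r.score <= acceptable]
    return needs_treatment, accepted


# Constructed sample register (illustrative values only).
REGISTER = [
    Risk("customer database", "criminal hacking", "unpatched software bug", 4, 5),
    Risk("server room", "unauthorised entry", "broken door lock", 2, 4),
    Risk("staff mailboxes", "phishing", "susceptibility to phishing emails", 5, 3),
    Risk("paper files", "fire", "leaky pipe near a power outlet", 1, 4),
]

if __name__ == "__main__":
    todo, accepted = evaluate(REGISTER)
    for r in todo:
        print(f"TREAT  {r.score:>2} {r.band:<6} {r.asset}: {r.threat} via {r.vulnerability}")
    for r in accepted:
        print(f"ACCEPT {r.score:>2} {r.band:<6} {r.asset}: {r.threat} via {r.vulnerability}")
```
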
An asset is any data, device or other component of an organisation’s systems that is valuable – often because it contains sensitive data or can be used to access such information.

For example, an employee’s desktop computer, laptop or company phone would be considered an asset, as would applications on those devices. Likewise, critical infrastructure, such as servers and support systems, is an asset.

An organisation’s most common assets are information assets. These are things such as databases and physical files – i.e. the sensitive data that you store. A related concept is the ‘information asset container’, which is where that information is kept. In the case of databases, this would be the application that was used to create the database. For physical files, it would be the filing cabinet where the information resides.

2.2 What’s a threat?

Figure 5: What’s a threat?

A threat is any incident that could negatively affect an asset – for example, if it’s lost, knocked offline or accessed by an unauthorised party. Threats can be categorised as circumstances that compromise the confidentiality, integrity or availability of an asset, and can either be intentional or accidental.

Intentional threats include things such as criminal hacking or a malicious insider stealing information, whereas accidental threats generally involve employee error, a technical malfunction or an event that causes physical damage, such as a fire or natural disaster.
2.3 What’s a vulnerability?

A vulnerability is an organisational flaw that can be exploited by a threat to destroy, damage or compromise an asset. You are most likely to encounter a vulnerability in your software, due to its complexity and the frequency with which it is updated. These weaknesses, known as bugs, can be used by criminal hackers to access sensitive information.

Vulnerabilities don’t only refer to technological flaws, though. They can be physical weaknesses, such as a broken lock that lets unauthorised parties into a restricted part of your premises, or poorly written (or non-existent) processes that could lead to employees exposing information. Other vulnerabilities include inherent human weaknesses, such as our susceptibility to phishing emails; structural flaws in the premises, such as a leaky pipe near a power outlet; and communication errors, such as employees sending information to the wrong person.

2.4 What is threat identification?

Figure 6: What is threat identification?

The threat identification process examines IT vulnerabilities and determines their capacity to compromise your system. It’s a key element of your organization’s risk management program. Identifying threats allows your organization to take preemptive actions. You receive the information you need to obstruct unauthorized users and prevent system breaches. At Ward IT Security Consulting Group, we provide the specialized knowledge and the experience necessary for effective threat identification.
- Risk Mitigation Planning should address each risk with action items and due dates.
- Risk Integrated Product Team (IPT) meets regularly (every 2 weeks) to assess risks and add new risk items, if necessary.
- Risks are closed when all the actions to close the risk have been taken. Some risk items are closed quickly; others are open for a long time. Some are considered watch items and the action plan doesn’t kick in until certain negative events happen.
- Closed risks remain in the database for future learning.

III. Explain the risk assessment procedure

Risk assessment is the identification of hazards that could negatively impact an organization's ability to conduct business. These assessments help identify these inherent business risks and provide measures, processes and controls to reduce the impact of these risks to business operations.

Companies can use a risk assessment framework (RAF) to prioritize and share the details of the assessment, including any risks to their information technology (IT) infrastructure. The RAF helps an organization identify potential hazards and any business assets put at risk by these hazards, as well as potential fallout if these risks come to fruition.

With the risk assessment process, users take a look at their organizations to:
- Identify processes and situations that may cause harm, particularly to people.
- Determine how likely it is that each hazard will occur and how severe the consequences would be.
- Decide what steps the organization can take to stop these hazards from occurring or to control the risk.

It's critical to understand the distinction between hazards and risks. Anything that might cause injury, such as work accidents, crises, poisonous substances, employee conflicts, stress, and more, is considered a hazard. A hazard's risk, on the other hand, is the possibility that it may cause harm. You will identify risks as part of your risk assessment strategy, but you will also quantify the risk or likelihood of the hazards occurring.

The purpose of a risk assessment plan varies by industry, but in general, it is to assist businesses in preparing for and combating risk. Other objectives include:
- Providing an analysis of possible threats
- Preventing injuries or illnesses
- Meeting legal requirements
- Creating awareness about hazards and risk
- Creating an accurate inventory of available assets
- Justifying the costs of managing risks
- Determining the budget to remediate risks
- Understanding the return on investment

IV. List risk identification steps

4.1 Five steps in the risk assessment process

Once you've planned and allocated the necessary resources, you can begin the risk assessment process. Proceed with these five steps.

a. Step 1: Identify the hazards

The first step to creating your risk assessment is determining what hazards your employees and your business face, including:
- Natural disasters (flooding, tornadoes, hurricanes, earthquakes, fire, etc.)
- Biological hazards (pandemic diseases, foodborne illnesses, etc.)
- Workplace accidents (slips and trips, transportation accidents, structural failure, mechanical breakdowns, etc.)
- Intentional acts (labor strikes, demonstrations, bomb threats, robbery, arson, etc.)
- Technological hazards (lost Internet connection, power outage, etc.)
- Chemical hazards (asbestos, cleaning fluids, etc.)
- Mental hazards (excess workload, bullying, etc.)
- Interruptions in the supply chain

Examine your workplace to identify what procedures or actions might be harmful to your company. Include all areas of employment, such as remote employees and non-routine tasks like repair and maintenance. You should also review accident/incident records to discover what dangers have already harmed your firm.
You also need to think about how work-related violence can cause harm. For example, what are the likely effects of violence on different groups of people?

c. Step 3: Evaluate the risks and take precautions

The aim of this stage is to think about how you can manage the risks of harm from work-related violence. That can mean avoiding a particular hazard altogether, reducing the likelihood or finding ways to make any harm that does occur less serious. You need to make sure that you have reduced risks 'so far as is reasonably practicable'.

The risk is the chance, high or low, that somebody could be harmed by hazards identified in step 1, together with an indication of how serious the harm could be. A risk factor is something that can increase the chance of the hazard occurring.

At this stage of your risk assessment you need to establish whether there is a significant risk of violence in your business. You can do this in a number of ways, but perhaps the easiest way initially is to speak to your staff and safety representatives about their experiences. You can also look at sickness absence figures, staff turnover, injury and illness records (particularly incidents of work-related violence), stock losses and police records. Your local police force may be prepared to release crime data for your business to help you establish how you need to tackle violence and crime in your premises. RIDDOR reports can also be a useful source of information, and crime mapping can help you decide where best to target your activities.

Risk factors

Licensed and retail businesses have, by the very nature of their business, factors which can increase the likelihood of violence occurring. These include:
- Handling large amounts of money or exchanging money;
- Your staff having face-to-face contact with customers;
- Opening in the evening or late at night;
- Dealing with customer complaints or disputes. Dealing with angry customers in disputes/complaints, e.g. over goods, services and refunds, allegations of short changing or cash mistakes or non-authorisation of card purchases can trigger customer embarrassment and violence.

Your business may also have specific risk factors that are associated with a higher risk of violence:
- You have lone workers or small numbers of staff.
- You sell or guard high-value goods. Items may include medications, expensive merchandise or alcohol/tobacco.
- You sell age-restricted goods. Refusing to serve customers who are underage or are without ID, or refusing to sell alcohol after licensing hours or to those who are intoxicated, can also trigger violence.
- Your staff are under pressure. Exceptional workloads, inadequate stocks or staff shortages may slow employee performance and lead to delays, queues and customer impatience and hostility.
- Your customers have a history of violence or are likely to be under the influence of drink or drugs.
- Your premises are in a high-crime area. Businesses with previous experience of robbery, assaults or threats are more at risk of repeat incidents.
- Your business is quite isolated or you do not have many customers.
- Your premises have easy access/escape routes.
- Your business's layout/lighting is poor. For example, tills are located near doors or there is poor visibility from outside the shop to inside.
- You do not have any (obvious) security measures, which may suggest to potential assailants or criminals there is low risk of detection and minimum protection.

Decide on precautions

The next step is to decide whether there is anything more you can do. Have you reduced the risks 'so far as is reasonably practicable'? To do this you will need to:
- Look at your existing controls to ensure they are working effectively and as intended.
- Consult your staff about their ideas. Employees have practical experience and insight into their workplace and therefore are a good source of information and ideas. Involving your staff will also encourage them to adopt and own the arrangements you put in place. You should include your employees by getting them to:
  - Participate in developing and devising procedures to minimise violence risk;
  - Participate in the evaluation of any control measures;
  - Share on-the-job experiences to help other employees recognise and respond to violence.
- Compare yourself to current good practice, which is included in the Quick guide to control measures. Identify any further control measures necessary to reduce the risk to the lowest possible level.

d. Step 4: Record your findings and implement them

By now, you should have identified the existing safety measures in place for your staff and also identified potential actions to enhance their safety further. Now, it's essential to determine how to implement these actions effectively. Remember, taking action is more critical than simply documenting plans; risk assessment is a tool to achieve results, not an end goal in itself.

To prioritize your actions, consider the following factors to help you determine your priorities:
- Assess asset criticality regarding business operations. This includes the overall impact to revenue, reputation, and the likelihood of a firm’s exploitation.
- Measure the risk ranking for assets and prioritize them for assessment.
- Apply mitigating controls for each asset based on assessment results.

It’s important to understand that a security risk assessment isn’t a one-time security project. Rather, it’s a continuous activity that should be conducted at least once every other year. Continuous assessment provides an organization with a current and up-to-date snapshot of threats and risks to which it is exposed. At Synopsys, we recommend annual assessments of critical assets with a higher impact and likelihood of risks.

The assessment process creates and collects a variety of valuable information. A few examples include:
- Creating an application portfolio for all current applications, tools, and utilities.
- Documenting security requirements, policies, and procedures.
- Establishing a collection of system architectures, network diagrams, data stored or transmitted by systems, and interactions with external services or vendors.
- Developing an asset inventory of physical assets (e.g., hardware, network, and communication components and peripherals).
- Maintaining information on operating systems (e.g., PC and server operating systems).
- Information about:
  - Data repositories (e.g., database management systems, files, etc.).
  - Current security controls (e.g., authentication systems, access control systems, antivirus, spam controls, network monitoring, firewalls, intrusion detection, and prevention systems).
  - Current baseline operations and security requirements pertaining to compliance of governing bodies.
  - Assets, threats, and vulnerabilities (including their impacts and likelihood).
  - Previous technical and procedural reviews of applications, policies, network systems, etc.
  - Mapping of mitigating controls for each risk identified for an asset.

**Task 2 - Explain data protection processes and regulations as applicable to an organisation (P6)**

**Define data protection**

Data protection refers to the act of safeguarding valuable information to prevent damage, unauthorized access, or loss. Additionally, it involves measures to ensure data can be recovered if it becomes inaccessible due to unexpected events. This area covers various aspects, including data collection, sharing, technology, public perception of privacy, and the legal context surrounding data. The main objective is to strike a balance between protecting individuals' privacy rights and allowing the lawful use of data for legitimate business purposes.

Figure 8: What is data protection?

Data protection, also referred to as data privacy or information privacy, ensures that data remains untainted, accessible only for authorized purposes, and adheres to relevant legal or regulatory standards. The protected data should be readily available when required and suitable for its intended use. Nevertheless, data protection extends beyond merely guaranteeing data availability and usability; it also encompasses aspects like data immutability, preservation, and secure deletion or destruction.

As the volume of data being generated and stored continues to grow at an unprecedented pace, the significance of data protection becomes even more pronounced. In today's fast-paced world, there is little tolerance for downtime that hampers access to critical information. Consequently, an essential aspect of data protection is the ability to swiftly restore data after any corruption or loss occurs. Alongside this, safeguarding data from compromise and ensuring data privacy are crucial elements of a comprehensive data protection strategy.

Regardless of whether the data is personal or corporate, data protection must be applied universally. It encompasses both maintaining the integrity of data by protecting it from corruption or errors and upholding data privacy to ensure that only authorized individuals have access to it.

Data protection takes on diverse contexts, and the approaches and scope differ for each. It involves safeguarding personal data, business information, and data held by public entities. Additionally, data protection extends to the highest level of secrecy, where data should never be accessed by anyone other than its rightful owners, commonly referred to as top secret information.