Assignment 2 - Security - PASS, Assignments of Computer Science

Typology: Assignments

2021/2022

Uploaded on 09/10/2022

minh-huy-huynh
ASSIGNMENT 2 FRONT SHEET
Qualification: BTEC Level 5 HND Diploma in Computing
Unit number and title: Unit 5: Security
Submission date: 08/09/2022
Date Received 1st submission:
Re-submission Date:
Date Received 2nd submission:
Student Name: Huynh Minh Huy
Student ID: GCD1001
Class: GCD210173
Assessor name: Tran Trong Minh
Student declaration: I certify that the assignment submission is entirely my own work and I fully understand the consequences of plagiarism. I understand that making a false declaration is a form of malpractice.
Student’s signature: Huy
Grading grid: P5 P6 P7 P8 M3 M4 M5 D2 D3


Introduction

I spoke about network security ideas such as measuring IT security risk. Furthermore, security solutions are addressed, including firewall policies and IDS, as well as recognizing incorrectly configured FIS firewalls and IDS. Another tool required to strengthen the system is network monitoring. I explained the benefits of adopting a network monitoring system with appropriate justifications. I also studied a "trusted network," and after weighing the pros and cons, I concluded that FIS should include a "trusted network" as part of its security solution. In this assignment, I will complete two duties. The first duty is to evaluate techniques for controlling corporate IT security. In this assignment, I will address risk assessment procedures, as well as data protection and regulation. In addition, I will describe the ISO 31000 risk management approach and its application in IT security. Another prerequisite is to examine the potential impact of a security audit on organizational security. The next job involves designing and implementing a security strategy for a company, as well as demonstrating the essential components of an organizational disaster recovery plan. Because stakeholders are a part of the company, I will address their role in putting security audit findings into action.

Task 1 – Discuss risk assessment procedures (P5)

I. Define a security risk and how to do risk assessment.

A computer security risk is anything on your computer that has the potential to destroy or steal your data, or to allow someone else to use your computer without your knowledge or agreement. Malware, a broad term for many kinds of harmful software, is one of many things that can pose a danger to a computer. We usually think of computer viruses, but other kinds of malicious software can compromise computer security too, including worms, ransomware, spyware, and Trojan horses. Misconfigured software and unsafe computing practices also pose risks.

Risk assessment procedures

A risk assessment is a detailed examination of your workplace to identify the objects, circumstances, procedures, and so on that might cause harm, especially to people. After identifying a risk, you must examine and assess its likelihood and severity. Once this assessment has been made, you can decide what steps should be put in place to remove or control the harm effectively.

Figure 1: Security Risk.

II. Define assets, threats and threat identification procedures and give examples.

1. Definition of Assets. An asset is any important data, device, or other component of an organization's systems, frequently because it holds sensitive data or may be used to obtain such data. An employee's desktop computer, laptop, or corporate phone, for example, would be regarded as an asset, as would the applications on such devices. Critical infrastructure, such as servers and support systems, is also an asset. The most prevalent assets in an organization are information assets. These include databases and physical files that contain sensitive information. A related idea is the 'information asset container', which is where the information is kept: for a database, this is the program used to build the database; for physical files, it is the filing cabinet where they are stored. Figure 3: Assets.
2. Definition of Threats. A threat is any occurrence that might have a negative impact on an asset, such as the asset being lost, knocked offline, or accessed by an unauthorized person. Threats are conditions that jeopardize the confidentiality, integrity, or availability of an asset, and they can be either deliberate or accidental. Criminal hacking or a malicious insider stealing information are examples of deliberate threats, whereas accidental threats typically involve employee error, a technical failure, or an event that causes physical harm, such as a fire or natural disaster.
3. Threat identification process. The threat identification process investigates IT vulnerabilities and assesses their potential to breach your systems. It is an essential component of your organization's risk management program. Identifying threats enables your firm to take preventive measures. Figure 4: Threats.
4. Example of threat identification procedures. After identifying the risks that may pose a danger to the business and estimating how much damage an incident may cause, the user is ready to make decisions on how to defend the firm. When doing a risk assessment, the user may discover a large number of potential hazards to the firm. There are various threats that can affect a server, for example: viruses, hackers, fire, and earthquakes, to name a few. It is feasible to safeguard the server by installing security software (such as anti-virus software and firewalls) and making the room fireproof, earthquake resistant, and secure against a variety of other hazards. The expense of doing so, however, will soon exceed the asset's worth. It is preferable to back up data, install a firewall and anti-virus software, and take the chance that the remaining threats will not materialize. The general guideline is to determine which risks are acceptable. After evaluating the potential loss from a threat, you'll need to develop cost-effective ways to defend against it. To do so, you must first determine which threats will be addressed and how. Management must decide how to proceed based on the risk data you've gathered. Most of the time, this will entail finding strategies to defend the asset from threats. Installing security software, adopting rules and procedures, or adding extra security measures to protect the asset may be required. According to ISO 31000, the risk management process involves the following steps:
   - Establish the context for the program's objectives and activities.
   - Identify the risks (this includes determining the likelihood and effects of each risk).
   - Risk assessment.
   - Assess and prioritize the risks.
   - Risk management (including a cost-benefit analysis of the treatment), and ongoing monitoring and assessment of risks and remedies.

III. Explain the risk assessment procedures.

The purpose of the risk assessment process is to examine hazards and then remove or minimize the level of risk by applying appropriate control measures. As a result, you must create a safer and healthier workplace, which includes:
- Risk Assessment
  - Identification of risks
  - Risk evaluation
  - Risk impact
  - Recommendation of risk-reducing measures
- Risk Mitigation
  - Risk avoidance
  - Risk mitigation
  - Risk acceptance
  - Risk transference
  - Risk assessment
- Evaluation and Assurance
  - Continuous risk assessment
  - Periodic assessment
  - Regulatory adherence
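As an added example, not part of the original assignment, the following Python risk register walks through the steps described in the threat identification example and the treatment options listed above: identify threats against the server, estimate expected annual loss, rank the risks, compare each candidate control's cost with the loss it avoids, and choose mitigate, accept, or transfer/avoid. The asset value, incident rates, control costs and the risk-appetite threshold are constructed figures, and the ALE = asset value × exposure × annual rate formula is an assumption, not something the page states.

```python
from dataclasses import dataclass

@dataclass
class Risk:
    asset: str
    threat: str
    asset_value: float   # replacement value of the asset
    exposure: float      # fraction of the asset's value lost per incident (0..1)
    annual_rate: float   # expected incidents per year
    def ale(self) -> float:
        """Annualised loss expectancy: single loss expectancy * annual rate."""
        return self.asset_value * self.exposure * self.annual_rate

@dataclass
class Control:
    name: str
    annual_cost: float
    ale_reduction: float  # fraction of the ALE the control removes (0..1)

def net_benefit(risk: Risk, control: Control) -> float:
    """Loss avoided per year minus the control's cost; negative means the
    safeguard costs more than the risk it treats (the text's fireproof-room case)."""
    return risk.ale() * control.ale_reduction - control.annual_cost

def treat(risk: Risk, candidates: list, appetite: float) -> tuple:
    """Mitigate with the best cost-effective control, accept if the expected
    loss is within appetite, otherwise escalate for transfer or avoidance."""
    best = max(candidates, key=lambda c: net_benefit(risk, c), default=None)
    if best is not None and net_benefit(risk, best) > 0:
        return ("mitigate", best.name)
    if risk.ale() <= appetite:
        return ("accept", None)
    return ("transfer or avoid", None)

def plan(register: list, controls: dict, appetite: float) -> list:
    """Rank risks by expected annual loss ('assess and prioritize'), then decide."""
    ranked = sorted(register, key=lambda r: r.ale(), reverse=True)
    return [(r.threat, round(r.ale(), 2), treat(r, controls.get(r.threat, []), appetite))
            for r in ranked]

SERVER_VALUE = 20_000.0  # constructed sample figures for the text's server example
REGISTER = [
    Risk("file server", "malware/intrusion", SERVER_VALUE, 0.5, 2.0),  # ALE 20 000
    Risk("file server", "fire", SERVER_VALUE, 1.0, 0.02),              # ALE 400
    Risk("file server", "earthquake", SERVER_VALUE, 1.0, 0.005),       # ALE 100
]
CONTROLS = {"malware/intrusion": [Control("antivirus + firewall", 1_500.0, 0.9)],
            "fire": [Control("fireproof server room", 5_000.0, 0.9)],
            "earthquake": [Control("seismic retrofit", 8_000.0, 0.8)]}
RISK_APPETITE = 1_000.0  # annual loss management is prepared to accept (assumed)
```

Calling `plan(REGISTER, CONTROLS, RISK_APPETITE)` mitigates the malware risk with the cheap software controls and accepts fire and earthquake, because their safeguards cost far more than the loss they avoid; a risk with no affordable control and a loss above appetite is escalated for transfer or avoidance.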

Task 2 – Explain data protection processes and regulations as applicable to an organization (P6)

I. Define data protection.

Data protection is the process of protecting data. It covers the relationship between the collection and distribution of data and technology, the public perception and expectation of privacy, and the political and legal frameworks surrounding that data. It seeks to balance individual privacy rights against the use of data for business purposes. Data protection is often referred to as data privacy or information privacy.

II. General Data Protection Regulation.

The General Data Protection Regulation (GDPR) harmonizes EU data protection law for the digital age. The EU argues that adopting a single standard offers greater clarity, strengthening citizens' rights and supporting the growth of the digital economy. GDPR is widely regarded as the world's strictest set of data protection rules, since it improves how individuals can access information about themselves and limits what organizations can do with personal data.

Figure 5: Data Protection.

III. Principles of Data Protection.

Article 5 of the General Data Protection Regulation (GDPR) establishes the key principles that underpin the data protection regime. These principles are stated at the start of the GDPR and have both a direct and an indirect impact on the other rules and duties contained throughout the Regulation. As a result, compliance with these fundamental principles is the first step for controllers in fulfilling their GDPR duties. The following is a summary of the principles set out in Article 5 of the GDPR:
- Lawfulness, fairness and transparency: Any processing of personal data must be lawful and fair. Individuals should be aware that personal data about them is being collected, used, consulted, or otherwise processed, and to what extent the personal data is or will be processed. Transparency demands that all information and communication relating to the processing of such personal data be easily accessible and understandable, and that clear and plain language be used.
- Purpose Limitation: Personal data should only be collected for specified, explicit, and legitimate purposes and should not be processed in a way that is incompatible with those purposes. In particular, the exact purposes for which personal data are processed should be

Figure 6: General Data Protection Regulation.

and how they comply with the GDPR, and be able to verify compliance (by suitable records and procedures) to the DPC in particular.

IV. Explain the data protection process in an organization.

The new data landscape has driven the creation of new standards for controlling critical assets, motivated by user privacy concerns, increasing legislation, and the need for business-driven identity and access management (IAM) rules. To safeguard their data properly, security efforts must deliver in three critical areas:
- Intelligent Visibility: Enterprises can achieve unified oversight across data, cloud networks, and endpoints by combining AI-driven solutions and automated monitoring technologies. This provides essential insight into the assets that must be protected as well as potential points of compromise.
- Proactive Mitigation: Effective endpoint and application security solutions are required for enterprises to build, deploy, and enforce security across data at scale, enabling proactive responses to possible attacks.
- Continuous Control: Organizations must use complete security solutions that enable them to enforce rules at scale, maximize asset safeguards, and comply with regulatory requirements and standards, allowing them to maintain continuous control over all operational assets.
Full-featured data protection, asset defense, and compliance strategies are no longer optional initiatives for businesses of any size.

V. Why are data protection and security regulation important?

When raw data is processed, it becomes data that needs privacy, security, and cybersecurity. Furthermore, adequate data protection fosters trust and confidence among the public that you are a company that values the security of its stakeholders' information. Every business has vital information. In fact, data is one of a company's most valuable assets. As a result, data security should be a top concern for any business. This involves safeguarding the data's availability to personnel who require it, its integrity (keeping it correct and up to date), and its confidentiality (ensuring that it is only accessible to those who are permitted). Customers expect corporations to keep their data secure when they engage with or invest in them. Appropriate data governance fosters confidence. It protects your company's reputation by establishing you as a brand that customers can trust with their data. The GDPR emphasized data security even further, making it not only a corporate imperative but a legal one. According to the GDPR, a controller must "take suitable technological and organizational means to guarantee and show that processing is done in compliance with the Regulation." Security awareness training is an important component of such measures: personnel must be aware of the need to adhere to data security rules and processes. Headlines about, and inept responses to, a data breach, for example, can demolish confidence built up over a decade in a matter of days.