Assignment2 Security, Exercises of Computer Science

....................................................

Typology: Exercises

2019/2020

Uploaded on 03/08/2023

alexsanderking
alexsanderking 🇻🇳

7 documents

1 / 37

Toggle sidebar

This page cannot be seen from the preview

Don't miss anything!

bg1
ASSIGNMENT 2 FRONT SHEET
Qualification BTEC Level 5 HND Diploma in Computing
Unit number and title Unit 5: Security
Submission date Date Received 1st submission
Re-submission Date Date Received 2nd submission
Student Name Student ID
Class Assessor name
Student declaration
I certify that the assignment submission is entirely my own work and I fully understand the consequences of plagiarism. I understand that
making a false declaration is a form of malpractice.
Student’s signature
Grading grid
P1 P2 P3 P4 M1 M2 D1
1
pf3
pf4
pf5
pf8
pf9
pfa
pfd
pfe
pff
pf12
pf13
pf14
pf15
pf16
pf17
pf18
pf19
pf1a
pf1b
pf1c
pf1d
pf1e
pf1f
pf20
pf21
pf22
pf23
pf24
pf25

Partial preview of the text

Download Assignment2 Security and more Exercises Computer Science in PDF only on Docsity!

ASSIGNMENT 2 FRONT SHEET

Qualification BTEC Level 5 HND Diploma in Computing Unit number and title Unit 5: Security Submission date Date Received 1st submission Re-submission Date Date Received 2nd submission Student Name Student ID Class Assessor name Student declaration I certify that the assignment submission is entirely my own work and I fully understand the consequences of plagiarism. I understand that making a false declaration is a form of malpractice. Student’s signature Grading grid

P1 P2 P3 P4 M1 M2 D

Assignment Brief 2 (RQF) Higher National Certificate/Diploma in Computing Student Name/ID Number: Unit Number and Title: Unit 5: Security Academic Year: 2021 – 2022 Unit Assessor: Van Ho Assignment Title: Security Presentation Issue Date: April 1st, 2021 Submission Date: Internal Verifier Name: Date: Submission Format: Format: ● The submission is in the form of an individual written report. This should be written in a concise, formal business style using single spacing and font size 12. You are required to make use of headings, paragraphs and subsections as appropriate, and all work must be supported with research and referenced using the Harvard referencing system. Please also provide a bibliography using the Harvard referencing system. Submission ● Students are compulsory to submit the assignment in due date and in a way requested by the Tutor. ● The form of submission will be a soft copy posted on http://cms.greenwich.edu.vn/. ● Remember to convert the word file into PDF file before the submission on CMS. Note: ● The individual Assignment must be your own work, and not copied by or from another student. If you use ideas, quotes or data (such as diagrams) from books, journals or other sources, you must reference your sources, using the Harvard style. Make sure that you understand and follow the guidelines to avoid plagiarism. Failure to comply this requirement will result in a failed assignment. Unit Learning Outcomes:

Learning Outcomes and Assessment Criteria (Assignment 1): Learning Outcome Pass Merit Distinction LO 3 P5 Discuss risk assessment procedures. P6 Explain data protection processes and regulations as applicable to an organisation. M3 Summarise the ISO 31000 risk management methodology and its application in IT security. M4 Discuss possible impacts to organisational security resulting from an IT security audit. D2 Consider how IT security can be aligned with organisational policy, detailing the security impact of any misalignment. LO 4 P7 Design and implement a security policy for an organisation. P8 List the main components of an organisational disaster recovery plan, justifying the reasons for inclusion. M5 Discuss the roles of stakeholders in the organisation to implement security audit recommendations. D3 Evaluate the suitability of the tools used in an organisational policy. Table of Contents

P8 List the main components of an organisational disaster recovery plan, justifying the reasons for inclusion

  • P5. Discuss risk assessment procedures...........................................................................................................
      1. Risk...........................................................................................................................................................
      1. Risk assetment..........................................................................................................................................
      1. Asset.........................................................................................................................................................
      1. Vulnerability.............................................................................................................................................
      1. Threat.......................................................................................................................................................
      1. Risk Identification Procedures..................................................................................................................
      1. Risk assetment procedures.....................................................................................................................
  • P6. Explain data protection processes and regulations as applicable to an organisation...............................
      1. Data protection.......................................................................................................................................
      1. Data protection.......................................................................................................................................
      1. The important of data protection regulations........................................................................................
  • P7. Design and implement a security policy for an organisation....................................................................
    • 1.Security policy..........................................................................................................................................
    • 2.Example of policy.....................................................................................................................................
    • 3.The most and should that must exist while creating policy.....................................................................
    • 4.The element of security policy.................................................................................................................
      1. The steps to design a policy....................................................................................................................
    • 1.Business continuity..................................................................................................................................
      1. The components of recovery plan..........................................................................................................
      1. Steps to Building a Disaster Recovery Plan.............................................................................................
      1. The policies and procedures that are required for business continuity..................................................
  • References......................................................................................................................................................

Risk assessment: The total procedure of risk analysis, risk assessment, and hazard identification. Risk assessment: The entire process of hazard identification, risk analysis, and risk assessment. Risk analysis: A process for comprehending the nature of hazards and determining the level of risk. Risk evaluation: The process of comparing an estimated risk against given risk criteria to determine the significance of the risk.

3. Asset

A resource having economic worth that a person, business, or nation possesses or controls with the hope that it would someday be useful is referred to as an asset. In order to raise a company's value or benefit its operations, assets are acquired and recorded on the balance sheet of the company. Whether it's manufacturing equipment or a patent, an asset can be viewed of as anything that, in the future, can generate cash flow, lower expenses, or increase sales An asset is a resource having economic worth that a person, organization, or nation owns or manages with the hope that it may someday be useful. Assets are disclosed on a company's balance sheet and are acquired or produced in order to raise a company's value or improve the operations of a company. An asset can be anything that, in the future, can increase sales, lower costs, or generate cash flow, whether it's a patent or manufacturing equipment. Understanding Assets: An asset represents a financial resource for a business or access that other people or companies do not have. A right or other access is legally enforceable, so it can be used however the corporation sees fit and its usage can be restricted or prohibited by the owner. A corporation must have a right to an asset as of the date of the financial statements in order for it to be present. A scarce resource with the capacity to increase financial inflows or decrease cash outflows is considered an economic resource. Short-term (or current) assets, fixed assets, financial investments, and intangible assets are some basic categories for assets. Personal Assets: Personal assets are items with current or potential worth that belong to an individual or family. Personal assets frequently comprise the following: Cash and cash equivalents, CDs, checking and savings accounts, money market accounts, tangible cash, and Treasury notes are all examples of financial instruments. Real estate, including any building permanently affixed to it. Personal property includes boats, collectibles, furniture, jewelry, and automobiles. Investments include equities, bonds, mutual funds, annuities, pensions, and life insurance policy cash values.

By deducting your liabilities from your assets, you may determine your net worth. In essence, your liabilities are all of your debts, and your assets are everything you own. If you have a positive net worth, your assets are worth more than your liabilities; if you have a negative net worth, your liabilities are more than your assets (in other words, you are in debt) Business Assets: Assets are valuable items for businesses that support production and expansion. Assets for a firm might include tangibles like machinery, real estate, raw materials, and inventory as well as intangibles like royalties, patents, and other forms of intellectual property. The balance sheet outlines the assets of a firm and details how those assets are financed, including whetherdebt or stock issuance is used. A company's balance sheet gives a quick overview of how effectively its management is managing its resources. The two categories of assets that typically appear on a balance sheet are Current Assets: Assets that can be turned into cash within one fiscal year or one operating cycle are referred to as current assets. Expenses and investments related to daily operations are made possible by current assets. Examples of current assets include: Cash and cash equivalents: Cash, certificates of deposit, and Treasury bills. Marketable securities: debt-related securities or liquid equity. Accounts receivables: Customer debt that needs to be settled soon. Inventory: Raw resources or marketed products. Fixed Assets: Non-current assets, or fixed assets, are those that a business utilizes to produce goods and services and have a longer useful life. Fixed assets are shown as property, plant, and equipment on the balance sheet (PP&E). Fixed assets are long-term investments that are categorized as tangible (i.e., touchable) assets because they are. Examples of fixed assets include: Vehicles (such as company trucks) Office furniture Machinery Buildings Land Non-current assets (like fixed assets) cannot be easily converted to cash to cover immediate operational costs or investments, which is one of the two main contrasts between personal assets and corporate assets. In contrast, it is anticipated that present assets will be liquidated within one fiscal year or one operating cycle.

Examples of threats Keep in mind that a danger is fairly broad. It does not specify how to accomplish it or even whether it is feasible given the state of the system. Here are a few illustrations. +A malicious user reads the files of other users. +An attacker redirects queries made to a web server to his own web server. +An attacker modifies the database. +A remote attacker runs commands on the server. Each of these examples can easily be mapped to a category in STRIDE. Other examples would be malware, trojans and worms.

6. Risk Identification Procedures

Risk Identification Procedures include:

  1. Risk Integrated Product Team (IPT) identifies list of potential risk items. There are variety methods of identifying risks. Risk can be identified from: -Lessons Learned -Subject Matter Experts (SME) -Prior Experiences -Technology Readiness Level (TRL) determination

Programmatic Constraints -Brain Storming -Work Breakdown Structure (WBS)

  1. Risks are rated as acceptable or unacceptable. Not all risk factors listed in step 1 are taken into account.
  2. Risks that have been accepted should be noted and added to a Risk Register.
  3. Define the causes of each danger that has been identified.
  4. Risk analysis should focus on each risk that has been discovered in order to improve the risk description, identify the underlying causes, ascertain the effects, and help prioritize risk reduction. a matrix for reporting risks
  5. Each risk should be addressed in the risk mitigation plan with action items and deadlines.
  6. The Risk Integrated Product Team (IPT) holds regular meetings (every two weeks) to evaluate risks and, as necessary, add new risk items.
  7. When every step necessary to close a risk has been taken, the risk is considered closed. While some risky products are swiftly closed, others remain open for a very long time. Some are listed as "watch items," and the action plan doesn't start until a certain undesirable event occurs.
  8. For future learning, closed hazards are still stored in the database. Common risk identification methods are: Identification of risks based on objectives: Project teams and organizations both have goals. Risk isdefined as an occurrence that could jeopardize completing a target wholly or partially. Identification of risk based on scenarios: In scenario analysis, various scenarios are produced. The scenarios could represent several approaches to achieving a goal or an analysis of the interactions of forces in, say, a market or conflict. Risk is defined as any occurrence that results in a scenario alternative that is undesirable. Identification of risks using taxonomies: A breakdown of potential risk sources is represented by the taxonomy in taxonomy-based risk identification. A questionnaire is created using the taxonomyand knowledge of best practices. Risks are shown by the responses to the questions. Checking for common dangers: Several sectors have lists of known concerns. The applicability of each danger on the list to a particular circumstance can be checked. 7. Risk assetment procedures

1. Risk assessment in practice:

A risk assessment is a thorough investigation of what can endanger employees at work in order to assess any safety safeguards already in place and determine whether additional preventative measures are necessary. Performing a risk assessment is a proactive activity that: The risks associated with the hazard are evaluated. Appropriate methods to eliminate or control the hazard evaluated.

Physical: Uostures, stumbles and falls, noise, dust, machinery, electronic devices, etc. Mental: Working with clients that have high needs, working long hours, being bullied, etc. These are sometimes known as "psychosocial" dangers since they have an impact on mental health and happen in working relationships. Chemical: Aerosols, cleaning products, asbestos, etc. Biological: Covering the infectious diseases that affect healthcare professionals, such as tuberculosis, hepatitis, and others, as well as home care staff. Step 2: Decide who may be harmed, and how Starting with the full- and part-time employees of your organization, determine who is at risk. Employers are also required to evaluate the dangers that agency and contract workers, guests, clients, and other members of the public may encounter while on their property. Employers must evaluate daily schedules in all the many places and circumstances where their employees is engaged. For instance: The personal safety of their clients in the house must be taken into consideration by home care supervisors, who must also make sure that their own home care personnel has safe working and lifting conditions. The repetitious duties at the checkout, lifting heavy objects, and slips and trips due to spills and barriers in the store and storage areas are all risks in a supermarket. Customers and trespassers pose a threat to the staff, particularly in the evenings. Each employee's workstation equipment in call centers, such as the desk, screen, keyboard, and chair, must be customized. Employers have particular responsibilities for the health and safety of young workers, those with disabilities, people working nights or shifts, and women who are pregnant or nursing. Step 3: Assess the risks and take action. Step 3: Assess the risks and take action. This means that employers must take into account the likelihood that any hazard may result in damage. Depending on this, your company may or may not decide to lower the amount of risk. Some risk typically persists even after all safety measures have been taken. Employers must determine if the risk is still high, medium, or low for each danger that exists. Step 4: Make a record of the findings.

The principal conclusions of the risk assessment must be documented in writing by employers with five ormore employees. This record is to detail any risks identified during the risk assessment as well as any steps done to lessen or eliminate risk. This documentation serves as evidence that the evaluation was completed and serves as the foundation for a subsequent review of working procedures. The risk analysis is a work-in-progress. It ought to be readable for you. It shouldn't be kept hidden in a cabinet. Step 5: Review the risk assessment. Keeping an eye on a risk assessment is necessary to: Make sure that the established safe working procedures are followed (e.g., that supervisors and linemanagers adhere to management's safety directives). if there are any new procedures, tools, or challenging work goals, consider them. P6. Explain data protection processes and regulations as applicable to an organisation. The process of preventing critical information from being corrupted, compromised, or lost is known as data protection.

1. Data protection Data protection is the process of defending sensitive information against loss, tampering, or corruption.

In order to lessen the harm that network security incidents to the business cause, documentation of the process of responding to security incidents to the network and corporate data is crucial. As an alternative, you can consider engaging specialized ANM assessment and troubleshooting units. When accidents happen, these units will be in charge of consulting the reaction procedure and organizing troubleshooting. This will assist your organization limit damage.

2.5 Ensure the network is divided into separate areas

Separate network regions will aid in isolating and minimizing the harms brought on by network security concerns such as enterprise data leakage and ode infection poison. The DMZ also aids in regulating accessbetween various network regions by employing more firewalls between untrusted external network areas (internet zones) and intranet zones. To make sure that access policies between network areas are always followed, conduct frequent intrusion testing assessments.

2.6 Secure DN data by monitoring network security

To regulate and identify network data abnormalities early and maximize detection and prevention, technologies to monitor network traffic both inside and outside the network are necessary. early attacks blocking IDS (intrusion detection system), IPS (intrusion prevention system), and SIEM are the solutions that are frequently employed by enterprises nowadays (Network Security Surveillance System).

2.7 Access control

For a corporate network, decentralization and access control measures are essential. Effective access control is made possible by these policies both inside and outside the system. To accomplish this, you must only ask the user for the permissions required for them to perform their duties. Priority accounts must be carefully limited to primary systems, database administration functions, or critical systems. User activity must be carefully monitored and logged, especially when it involves sensitive data and a user's account. Remember to protect your data by creating strong passwords at the same time. Other crucial physical security features include security guards, magnetic card systems, commuters, sirens,and access control to corporate buildings and private workplaces. access control for corporate data management.

2.8 Increased malware protection

Enterprises should also implement measures to reduce the danger of harmful code and safeguard data from it. There are numerous ways to reduce the risk of malware infection at various levels right now, including user-specific anti-malware solutions, centralized anti-malware solutions, and anti- malware solutions at gateways. However, your ability to find a workable option for your company depends on its size and financial standing.

2.9 Update patches regularly

No system can be said to be always secure because there are constantly being developed new attack techniques. In order to protect corporate data and reduce the risk of assaults on enterprise systems, it is essential to update operating system and software patches. Businesses must synchronize the deployment of numerous security solutions and the blending of various security policies in order to guarantee the maximum level of system security. 2.11 Perform encryption

2.10 Perform encryption

P7. Design and implement a security policy for an

organisation

1.Security policy

An organization's IT resources and assets are subject to a set of rules and regulations known as the IT security policy. An organization's IT assets and resources must be accessed and used in accordance with the policies laid out in its information technology (IT) security policy. The organization's culture is modeled by its employees' attitudes toward their information and work in effective IT security policy, which serves as the foundation for regulations and procedures. Since each organization's people have different opinions on risk tolerance, how they view and value their information, and the consequent availability they maintain for that information, each organization's successful IT security policy is a special document. Due to its lack of regard for how the organization's employees really utilize and exchange information among themselves and with the public, many firms will find a boilerplate IT security policy ineffective. The preservation of the privacy, accuracy, and accessibility of the systems and data accessed by organization members is the goal of an IT security policy. The CIA trio is made up of these three ideas: -The safeguarding of resources from unauthorized parties is a component of confidentiality -Integrity guarantees that the alteration of assets is carried out in a predetermined and approved manner. -The system is in a "availability" condition when authorized users can access the resources continuously. The IT Security Policy is a dynamic document that is frequently revised to reflect changing business and IT needs. Standards and best practices for developing security policy have been issued by organizations like the International Organization of Standardization (ISO) and the U.S. National Institute of Standards and Technology (NIST). The National Research Council (NRC) has stated that any firm policy should include the following information:

  1. Objectives
  2. Scope
  3. Specific goals
  4. Responsibilities for compliance and actions to be taken in the event of noncompliance. Every IT security policy must also include portions addressing the observance of laws governing the organization's sector. The Basel Accords, the PCI Data Security Standard, and the Dodd-Frank Wall Street Reform in the United States are all common examples of this. Other examples from around the world include the Consumer Protection Act, the Health Insurance Portability and Accountability Act, and the Financial Industry Regulatory Authority. A written IT security policy is required by many of these regulatory bodies. The security policy of an organization will influence its choices and course greatly, but it shouldn't change its strategy or objective. To promote the continuation of strong productivity and creativity, it is crucial to develop a policy that is informed by the organization's current structural and cultural context rather than writing a generic policy that prevents the business and its employees from achieving their objectives.

2.Example of policy

Workstation whole disk encryption is the data security policy. For companies wishing to develop or update their full disk encryption control policy, this example policy is meant to serve as a reference.

This policy should be modified, especially to meet usability standards or to comply with any laws or data protection obligations. History of this policy Full disk encryption is currently a crucial technique for enhancing privacy and is required by several regulatory rules.

2.1 Purpose

Restricted, confidential, or sensitive material must be protected by against loss in order to preserve its reputation and prevent harm to its clients. This policy supports a collection of international regulations (such as full as suitable>) that call for the protection of a wide range of data by limiting access to data stored on those particular devices. Full disk encryption is necessary to prevent against exposure in the event of asset loss, as stated by several compliance standards and industry best practices. This policy specifies the processes and requirements for full disk encryption protection as a control.

2.2 Scope

  1. All desktop and laptop workstations from "Company X" (depending on the type of data you hold and physical security some organizations adjust this just to cover laptops).
  2. All virtual computers owned by Company X.
  3. Exemptions: Where a firm needs to be excused from this policy (because it would be too expensive, too complex, or would negatively affect other business requirements), a risk assessment must be carried out with security management's approval. See the Risk Assessment procedure (reference your own risk assessment process).

2.3 Policy

  1. Full disk encryption will be enabled on all of the devices in the scope.
  2. Users shall be required by the Acceptable Use Policy (AUP) and security awareness training to report suspected violations of this policy in accordance with the AUP.
  3. Users must be required to report any lost or stolen devices in accordance with the AUP and security awareness training.
  4. Compliance with the encryption policy must be verified, and it must be managed. To enable audit records to prove compliance as needed, machines must report to the central management infrastructure.
  5. The device user must give IT a copy of the active encryption key in cases where management is not possible and a standalone encryption is configured (only after being approved by a risk assessment).
  6. Is permitted to look into any encrypted device for maintenance, inquiry, or in the absence of a worker with primary file system access. to spot unauthorized system access or other harmful activity.
  7. In the event of a failure, forgotten credentials, or other business blocking needs, the help desk will be allowed to issue an out-of-band challenge/response to grant access to a system. Only in the case that the 23 user's identity can be determined using the challenge and response attributes listed in the password policy will this challenge/response be sent.