Security assignments BTEC and others
Typology: Study notes
Risk assessment is the process of identifying potential hazards and analyzing what might happen if a hazard occurs. Business Impact Analysis (BIA) is the process of identifying potential impacts resulting from the disruption of time-sensitive or critical business processes. (ready.gov, 2021)
A risk assessment framework (RAF) is an approach to prioritizing and communicating the security risks posed by an information technology organization. The information should be presented in a way that can be understood by both technical and non-technical personnel. An RAF helps organizations identify and detect low- and high-risk areas in the system that may be vulnerable to abuse or attack. (techopedia, 2017)

Types of Risk Assessment Framework
- Institute.
- Preparedness Team.
- Information Systems Audit and Control Association.
There are at least five key components to consider when creating a risk management framework. These include risk identification; measuring and assessing risks; risk reduction; reporting and monitoring of risks; and risk management.
Pseudonymization is a data management and de-identification procedure by which personally identifiable information fields within a data record are replaced by one or more artificial identifiers, or pseudonyms. A single pseudonym for each replaced field or collection of replaced fields makes the data record less identifiable while remaining suitable for data analysis and data processing. Pseudonymization can be one way to comply with the European Union's new General Data Protection Regulation demands for secure data storage of personal information. Pseudonymized data can be restored to its original state with the addition of information which then allows individuals to be re-identified, while anonymized data can never be restored to its original state.

Incident Response Plan (IRP)
A mature IRP should address phases such as preparation, identification, containment, eradication, recovery and lessons learned. But what if an incident occurs and it is identified that data may have been breached? GDPR has requirements for your organization's breach notification, and these are among the most notable in the legislation. Under GDPR, “In the event of a potential data breach that involves personal information, an organization must notify the Data Protection Authority without undue delay, where possible within 72 hours, after becoming aware of the breach; and communicate high-risk breaches to affected data subjects without undue delay”.

Third-Party Risk Management
If an organization entrusts the processing of personal data to a processor and a breach occurs, who is responsible for it?

Policy Management
Policy management is the process of creating, communicating, and maintaining policies and procedures within an organization. An effective policy management system can mitigate risk in two ways. First, it makes policies more quickly accessible to direct care staff, guiding care and safety decisions.
Second, it can protect an organization from litigation by staying up to date on accreditation standards and creating an audit trail in the case of legal action. Because the process of managing policies can be expensive and time consuming, hospital boards should make the implementation of an efficient policy management system a priority. A comprehensive and well-managed set of policies can support GRC activities by communicating boundaries and expectations, establishing a culture of compliance within the organization, protecting the organization from litigation, and helping achieve the organization's objectives.

M3. Summarize the ISO 31000 risk management methodology and its application in IT security
Applying ISO 31000 risk management in IT security can help us:
- Enhance the ability to achieve planned objectives;
- Raise awareness about the need to identify and handle risks in the organization;
- Improve the identification of opportunities and threats;
- Comply with legal requirements, international regulations and standards;
- Improve governance;
- Establish a reliable basis for decision making and planning;
- Improve management methods;
- Allocate and use resources appropriately to handle risks;
- Improve the effectiveness of activities and implementation results;
- Enhance health and safety, and protect the environment;
- Improve the learning environment inside the organization;
- Improve organizational capacity.

ISO 31000 risk management:
- Creates and protects value
- Is an integral part of all organizational and decision-making processes
- Is systematic, structured and timely
- Is based on the best available information
- Takes human and cultural factors into account
- Is transparent and inclusive
- Is dynamic, iterative and responsive to change
- Facilitates continual improvement of the organization

Implementing the Risk management process
Steps to an effective implementation/integration of the Risk Management process:
Possible impacts on organizational security: the IT security audit process ensures that your cyber defense measures are updated as quickly as possible, and that you can deal effectively with threats arising from false information and from criminals who manipulate IT systems. Security audits save money by finding the most effective ways to protect the information system and by minimizing resources wasted on outdated or inefficient operations.

Passwords must be complex (minimum 8 characters) so that account security is high.
Device Security
You will most likely identify network segments with different security requirements while designing the security for your network. For example, some servers need to be accessible to staff, while others are publicly accessible. Therefore, in order to implement security for different departments, you build perimeters that only a small number of major traffic types can cross, in the form of public networks, private networks and sold networks. The boundaries of such network segments are set by devices such as routers, ports, bridges and switches, which regulate and control the flow of traffic into and out of each segment. Communication and monitoring devices are often deployed in the network for many different purposes; they must be configured as required, accessed on the basis of user privileges and profiles, and their software kept updated. In addition, the following measures should be taken in the context of device security:
- The company must sign an NDA with each employee about not disclosing details of the devices deployed within the perimeter.
- Regularly apply security patches and updates released by the vendor.
- ACLs should be maintained to allow or deny TCP and UDP traffic.
- Services must be disabled if they are not used.
Internet access policies include systems that automatically block all websites identified as inappropriate or not approved for corporate users. Moreover, internet access should be granted based on the nature of each employee's work. The internet connection forms its own network topology and connects to the company's important assets, such as servers and accounts, so it must be filtered and monitored properly.
VPN systems provide a means to protect data while it moves across an untrusted network. The VPN is only for employees who use computer systems owned by the organization. All remote access to the corporate network must go through the VPN, using the company's standard operating system along with the prescribed security software. Do not allow access to company computers from home over the open internet. To protect the network when the VPN is used by remote users, security administrators need to ensure that full protection is always in place on endpoints, using L2TP with IPsec. Furthermore, VPN providers must turn on their client's firewall function to filter traffic.

Ports on the workstation for services that are not needed should be blocked, leaving open only required services such as HTTP and HTTPS; open ports for unneeded services often make it easier for attackers to break into the system. Such security measures may be applied by the system administrator as a line of defense. Therefore, a workstation that communicates directly with the internet should accept inbound connections only for authorized services or interfaces.
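The two rules stated above (device security: ACLs that allow or deny TCP and UDP traffic; workstation ports: only authorized inbound services such as HTTP and HTTPS) can be modelled as a small first-match-wins packet-filter ACL. The code below is an added example, not part of the original notes: the rule format, the corporate network range 10.0.0.0/8, the choice of HTTP/HTTPS as the only authorized inbound services, and the sample connection attempts are all constructed assumptions.

```python
"""Minimal stateless packet-filter ACL evaluator (added example).

Models the workstation rule from the notes: permit only the authorized inbound
services (HTTP/HTTPS are assumed here) and deny everything else by default.
Rule format, network ranges and sample traffic are constructed for this example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                    # "allow" or "deny"
    direction: str                 # "in" (to the workstation) or "out"
    proto: str                     # "tcp", "udp" or "any"
    dst_port: Optional[int]        # None matches any destination port
    src_net: str = "0.0.0.0/0"     # source network the rule applies to

    def matches(self, direction: str, proto: str, dst_port: int, src_ip: str) -> bool:
        return (
            self.direction == direction
            and self.proto in ("any", proto)
            and (self.dst_port is None or self.dst_port == dst_port)
            and ip_address(src_ip) in ip_network(self.src_net)
        )


def evaluate(rules: List[Rule], direction: str, proto: str, dst_port: int, src_ip: str) -> str:
    """First matching rule decides, as on most router/host ACLs.

    If no rule matches, the implicit default is deny, so an empty or incomplete
    ACL fails closed rather than open.
    """
    for rule in rules:
        if rule.matches(direction, proto, dst_port, src_ip):
            return rule.action
    return "deny"


# Constructed workstation policy (assumption): inbound only HTTP/HTTPS from the
# corporate LAN, outbound unrestricted. Anything else falls through to deny.
WORKSTATION_ACL = [
    Rule("allow", "in", "tcp", 80, "10.0.0.0/8"),
    Rule("allow", "in", "tcp", 443, "10.0.0.0/8"),
    Rule("deny", "in", "any", None),      # explicit catch-all, for readability
    Rule("allow", "out", "any", None),
]

# Constructed connection attempts: (direction, proto, dst_port, src_ip)
SAMPLE_TRAFFIC: List[Tuple[str, str, int, str]] = [
    ("in", "tcp", 443, "10.1.2.3"),      # LAN client to HTTPS     -> allow
    ("in", "tcp", 443, "203.0.113.7"),   # internet client to HTTPS -> deny (not LAN)
    ("in", "tcp", 3389, "10.1.2.3"),     # RDP from LAN            -> deny (not authorized)
    ("in", "udp", 161, "10.1.2.3"),      # SNMP from LAN           -> deny (not authorized)
    ("out", "tcp", 25, "10.0.0.5"),      # outbound SMTP           -> allow
]


def audit(rules: List[Rule], traffic) -> list:
    """Return (attempt, verdict) pairs so the policy can be reviewed offline."""
    return [(attempt, evaluate(rules, *attempt)) for attempt in traffic]


if __name__ == "__main__":
    for attempt, verdict in audit(WORKSTATION_ACL, SAMPLE_TRAFFIC):
        print(f"{attempt}: {verdict}")
```

The implicit deny at the end of `evaluate` is the important design choice: the notes say unneeded ports should be blocked, and a filter that fails closed when no rule matches guarantees that a forgotten service stays closed instead of silently exposed.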
To prevent possible abuse of wireless networks, users must first be authenticated using the mechanisms that replaced WEP, together with anomaly monitoring on the wireless LAN. Furthermore, 802.11i security measures such as TKIP and CCMP should be used to encrypt information. At the same time, keeping a list of the following suspicious events on the wireless LAN is always useful for intrusion detection:

Certain systems or servers, such as e-mail, web servers and databases, are critical. A potential attack against them can be made far less damaging, or even negligible, by placing them behind the firewall.
Accounts must be secured with a complex password (password length, password complexity). Account holders are only allowed to access information and services when necessary. Disable accounts that are not in use and delete unused accounts. Accounts on the system receive 2 main rights:
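The password rule given earlier (minimum 8 characters, complex) and the account rules just stated (complex passwords, disable accounts not in use, delete unused accounts) can be checked mechanically. The following is an added example, not from the original notes: the character-class requirements beyond the 8-character minimum, the 90-day idle threshold, and the account records are constructed assumptions.

```python
"""Account hygiene checks (added example, not from the original notes).

Implements the stated policy: complex passwords of at least 8 characters, and a
review that disables accounts not in use and deletes unused accounts that are
already disabled. Character-class rules, the idle threshold and the sample
accounts are constructed assumptions.
"""
import string
from datetime import date
from typing import Dict, List, Optional

MIN_LENGTH = 8            # from the notes: minimum 8 characters
STALE_AFTER_DAYS = 90     # assumption: an account unused this long is "not in use"


def password_violations(password: str) -> List[str]:
    """Return the policy rules the password breaks; an empty list means compliant."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbol")
    return problems


def review_accounts(accounts: List[dict], today: date) -> Dict[str, str]:
    """Map each account name to an action: 'ok', 'disable' or 'delete'.

    An account that has never logged in is measured from its creation date, so
    a stale never-used account is still caught. Enabled stale accounts are
    disabled first; accounts already disabled and still stale are deleted.
    """
    actions: Dict[str, str] = {}
    for acct in accounts:
        last_used: Optional[date] = acct["last_login"] or acct["created"]
        idle_days = (today - last_used).days
        if idle_days <= STALE_AFTER_DAYS:
            actions[acct["name"]] = "ok"
        elif acct["enabled"]:
            actions[acct["name"]] = "disable"
        else:
            actions[acct["name"]] = "delete"
    return actions


# Constructed sample data (not real accounts); review date is fixed for reproducibility.
TODAY = date(2021, 6, 1)
SAMPLE_ACCOUNTS = [
    {"name": "alice",   "enabled": True,  "created": date(2019, 1, 10), "last_login": date(2021, 5, 30)},
    {"name": "bob",     "enabled": True,  "created": date(2019, 1, 10), "last_login": date(2021, 1, 15)},
    {"name": "svc_old", "enabled": False, "created": date(2018, 3, 1),  "last_login": date(2020, 2, 1)},
    {"name": "newhire", "enabled": True,  "created": date(2021, 5, 20), "last_login": None},
]

if __name__ == "__main__":
    for pw in ("password", "Tr0ub4dor&3"):
        print(pw, "->", password_violations(pw) or "compliant")
    for name, action in review_accounts(SAMPLE_ACCOUNTS, TODAY).items():
        print(f"{name}: {action}")
```

Returning the list of violations rather than a bare true/false lets the message shown to the user say which rule failed, which is what a policy document like this one needs to enforce consistently across systems.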
The security audit process is a systematic assessment of the security of the information system, measured against an existing set of criteria. Security audits are often used to determine regulatory compliance with laws (such as HIPAA, the Sarbanes-Oxley Act and the California Security Infringement Information Act) that specify how organizations must handle information. To collect information from businesses, support from third parties is needed to analyze data, conduct marketing, support customer service or provide better services to customers. In the information security process of an enterprise, stakeholders support the process according to the following table: