Security assignments BTEC and others, Study notes of Security Analysis

Typology: Study notes

2021/2022

Uploaded on 05/17/2022

rahimjonov-muhammadamin
P5. Discuss risk assessment procedures.

3.1 Risk management procedure for EMC Cyber solutions to safeguard itself and its clients

3.1.1 Risk Assessment

Risk assessment is the process of identifying potential hazards and analyzing what might happen if a hazard occurs. Business Impact Analysis (BIA) is the process of identifying potential impacts resulting from the disruption of time-sensitive or critical business processes. (ready.gov, 2021)

3.1.2 Risk Assessment Framework (RAF)

A risk assessment framework (RAF) is an approach to prioritize and communicate the security risks posed by an information technology organization. The information should be presented in a way that can be understood by both technical and non-technical personnel. An RAF helps organizations identify and detect low- and high-risk areas in the system that may be vulnerable to abuse or attack. (techopedia, 2017)

Types of Risk Assessment Framework

  1. Risk management guide for information technology systems (NIST guide) from the National Standards Institute.
  2. Operationally Critical Threats, Assets, and Vulnerabilities Assessment (OCTAVE) of the IT Emergency Preparedness Team.
  3. Control Objectives for Information Technology and Related Information Technology (COBIT) of the Information Systems Audit and Control Association.

3.1.3 Five components of RMF

There are at least five key components to consider when creating a risk management framework: risk identification; measuring and assessing risks; risk reduction; reporting and monitoring of risks; and risk management.

  1. Risk identification. The first step in identifying the risks a company faces is to determine the full range of risks, which is simply a list of all possible risks. Examples include IT risk, operational risk, regulatory risk, legal risk, political risk, strategic risk, and credit risk. After listing all possible risks, the company can select the risks it actually faces and divide them into main risks and non-essential risks. Main risks are the risks the company must take to achieve results and ensure long-term growth. Non-essential risks are often unnecessary and can be minimized or completely eliminated.
  2. Measuring risk. Risk measurement provides information on the size of a specific exposure, or of exposures in general, and on the probability of losses resulting from those exposures. When measuring exposure to a particular risk, it is important to consider the effect that risk has on the organization's overall risk profile. Some risks provide multiple benefits, while others do not. Another important consideration is the ability to measure exposure: some risks are easier to measure than others. For example, observable market prices can be used to measure market risk, but measuring operational risk is considered both an art and a science. For a small change in a risk factor, a particular risk measure usually has a predictable effect on profit and loss (P&L). Risk measures can also provide information about the degree of volatility in the P&L. For example, the risk of investing in stocks can be measured as the effect on gains and losses of a 1-unit change in the S&P 500 Index, or as the standard deviation of a particular stock. Common comprehensive risk measures include value at risk (VaR), return at risk (EaR) and economic capital. In addition to these measures, techniques such as scenario analysis and stress testing can also be used.
  3. Risk reduction. Once risks are classified and measured, the company can decide which risks should be eliminated or minimized and how much of the main risks should be retained. Risks can be mitigated by directly selling assets or liabilities, purchasing insurance, and using derivatives for hedging or diversification purposes.
  4. Risk reporting and monitoring. It is important to report regularly on specific and comprehensive risk measures to keep the level of risk at an optimal level. Financial institutions that trade daily will generate daily risk reports; other organizations may require less frequent reporting. Risk reports should be sent to risk personnel who have the authority to adjust (or instruct others to adjust) risk exposure.
  5. Management of risks. Risk management is the process of ensuring that all employees of the company perform their duties in accordance with the risk management system. It includes defining the roles of all employees, segregating duties, and delegating authority to individuals, committees and boards of directors to approve key risks, risk limits, exceptions and risk reports, and to provide overall oversight.

3.1.4 Importance of Risk Assessment Framework

  • To conduct a risk assessment, participants (stakeholders, business owners, etc.) must specifically identify information assets and their value to the organization, such as their marketing value or integrity value if personal information is protected.
  • Stakeholders will be informed about the risks their organizations are exposed to and whether the current measures are sufficient.
  • Participants within the organization become more aware of risks and learn to defend themselves and avoid actions that could put the organization at greater risk.
  • Conducting an assessment ensures that an effective and meaningful risk awareness training program is developed for employees, including managers.
  • An organization can establish risk tolerance standards based on a better knowledge of its assets, security best practices, and legal and regulatory requirements for its industry. (theruntime, 2019)

Pseudonymization

Pseudonymization is a data management and de-identification procedure by which personally identifiable information fields within a data record are replaced by one or more artificial identifiers, or pseudonyms. A single pseudonym for each replaced field or collection of replaced fields makes the data record less identifiable while remaining suitable for data analysis and data processing. Pseudonymization can be one way to comply with the European Union's new General Data Protection Regulation demands for secure data storage of personal information. Pseudonymized data can be restored to its original state with the addition of information which then allows individuals to be re-identified, while anonymized data can never be restored to its original state.

Incident Response Plan (IRP)

A mature IRP should address phases such as preparation, identification, containment, destroy, recovery and lessons learned. But what if an incident occurs and it is identified that data may have been breached? GDPR has requirements for your organization here; its breach notification requirements are among the most specific in the legislation. Under GDPR, "In the event of a potential data breach that involves personal information, an organization must notify the Data Protection Authority without undue delay, within 72 hours if impossible, after becoming aware of the breach; and Communicate high-risk breaches to affected data subjects without undue delay".

Third-Party Risk Management

If an organization entrusts the processing of personal data to a processor and a breach occurs, who is responsible for it?

Policy Management

Policy management is the process of creating, communicating, and maintaining policies and procedures within an organization. An effective policy management system can mitigate risk in two ways. First, it makes policies more quickly accessible to direct care staff, guiding care and safety decisions. Second, it can protect an organization from litigation by staying up to date on accreditation standards and creating an audit trail in the case of legal action. Because the process of managing policies can be expensive and time consuming, hospital boards should make the implementation of an efficient policy management system a priority. A comprehensive and well-managed set of policies can support GRC activities by communicating boundaries and expectations, establishing a culture of compliance within the organization, protecting the organization from litigation, and helping achieve the organization's objectives.

M3. Summarize the ISO 31000 risk management methodology and its application in IT security

Application

Applying ISO 31000 risk management in IT security can help us to:

  • Enhance the ability to achieve planned objectives;
  • Raise awareness about the need to identify and handle risks in the organization;
  • Improve the identification of opportunities and threats;
  • Comply with legal requirements, international regulations and standards;
  • Improve governance;
  • Establish a reliable basis for decision making and planning;
  • Improve management methods more effectively;
  • Allocate and use resources appropriately to treat risks;
  • Improve the effectiveness of activities and implementation results;
  • Enhance health and safety, as well as protect the environment;
  • Improve the learning environment inside the organization;
  • Improve organizational capacity.

ISO 31000 risk management:

  • Creates and protects value;
  • Is an integral part of all organizational and decision-making processes;
  • Is systematic, structured and timely;
  • Is based on the best available information;
  • Takes human and cultural factors into account;
  • Is transparent and inclusive;
  • Is dynamic, iterative and responsive to change;
  • Facilitates continual improvement of the organization.

Implementing the Risk management process

Steps to an effective implementation/integration of the Risk Management process:

  • Risk analysis: The organization must analyze each risk identified in the previous step. Based on the level of risk found by the analysis, the organization considers whether the risk can be accepted. If the risk is not acceptable, the organization may take preparatory actions to modify the risk so that it corresponds to an acceptable level. The organization should use a formal technique to examine the consequences and likelihood of each risk; these techniques may be qualitative, quantitative or a combination, depending on the circumstances and objectives.
  • Risk assessment: This step gives the organization a mechanism to rank the risks relative to each other, so that treatment priorities can be established.
  • Risk Management: Proper risk management requires rational and wise decisions on how to handle risks. Typically, such treatments include avoiding the activities from which the risk originates, sharing the risk, managing the risk by applying control measures, taking no further action, or accepting or increasing the risk in order to pursue an opportunity. Organizations do not always get into trouble because of excessive and reckless behavior; sometimes they lag behind their competitors because of a reluctance to take risks and pursue such opportunities.
  • Communication and consultation: Appropriate risk management requires structured and continuous communication with the people affected by the organization's activities. Communication must find ways to promote awareness and understanding of risks and of the means to meet its requirements, while consultation involves collecting feedback and information to support decision making.
  • Recording and reporting: Another step of the risk management process in the ISO 31000 method is recording and reporting, i.e. the results of the risk management process are recorded and reported through suitable mechanisms. Recording and reporting are important.
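As an added example (not part of the original notes), the Python below carries the analysis, assessment (ranking against an acceptable level) and treatment steps above through a constructed risk register; the 4-point scales, the appetite threshold and the treatment rules are assumed policy choices, not ISO 31000 requirements.

```python
"""Risk register evaluation following the analysis / assessment / treatment /
recording steps of the ISO 31000 process described above (added example)."""
from dataclasses import dataclass

# Assumed 4-point ordinal scales; a real organization defines its own criteria.
LEVELS = {"low": 1, "medium": 2, "high": 3, "very high": 4}


@dataclass
class Risk:
    name: str
    likelihood: str
    impact: str


def analyse(risk: Risk) -> int:
    """Risk analysis: combine likelihood and impact into one score (1..16)."""
    return LEVELS[risk.likelihood] * LEVELS[risk.impact]


def treatment(risk: Risk, appetite: int) -> str:
    """Risk assessment and treatment choice.

    `appetite` is the highest score accepted without further action (assumed
    policy parameter). The treatment options are those listed in the notes:
    accept, avoid, share, or mitigate by applying control measures."""
    score = analyse(risk)
    lik, imp = LEVELS[risk.likelihood], LEVELS[risk.impact]
    if score <= appetite:
        return "accept (no further action)"
    if lik == 4 and imp == 4:
        return "avoid (stop the activity the risk originates from)"
    if imp >= 3 and lik <= 2:
        return "share (insurance or contractual transfer)"
    return "mitigate (apply control measures)"


def evaluate_register(register: list[Risk], appetite: int) -> list[dict]:
    """Rank risks by score (highest first) so treatment priorities are clear,
    returning the records the recording-and-reporting step would file."""
    rows = [{"name": r.name, "likelihood": r.likelihood, "impact": r.impact,
             "score": analyse(r), "treatment": treatment(r, appetite)}
            for r in register]
    return sorted(rows, key=lambda row: (-row["score"], row["name"]))


# Constructed sample register (illustrative values, not from the notes).
REGISTER = [
    Risk("Ransomware on the file server", "high", "very high"),
    Risk("Flood in the server room", "low", "very high"),
    Risk("Staff fall for a phishing e-mail", "very high", "medium"),
    Risk("Unpatched legacy app exposed to the internet", "very high", "very high"),
    Risk("Theft of an encrypted laptop", "medium", "low"),
]
RISK_APPETITE = 3  # assumed: scores of 3 or below are accepted as they are

if __name__ == "__main__":
    for row in evaluate_register(REGISTER, RISK_APPETITE):
        print(f'{row["score"]:>2}  {row["name"]:<45} {row["treatment"]}')
```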

M4. Discuss possible impacts to organizational security resulting from an IT security audit.

Possible impacts to organizational security

The IT security audit process ensures that your cyber defense measures are kept up to date as quickly as possible, and that you can deal effectively with threats caused by misinformation and by criminals who manipulate IT systems. Security audits save you money by finding the most effective ways to protect your information system and by minimizing the resources wasted on outdated or inefficient operations.

Once set up, passwords will be complex (minimum 8 characters) and security will be very high.

Device Security

While designing the security for your network you will most likely identify network segments with different security requirements. For example, some servers need to be accessible to staff, while others are publicly accessible. Therefore, to implement security for different departments, you build boundaries that only a few major types of traffic can cross, in the form of public networks, private networks and sold networks. The limits of such network segments are set by devices such as routers, ports, bridges and switches that can adjust and control the flow of traffic into and out of the segments. Communication and monitoring devices are often deployed in the network for many different purposes; they must be properly configured as required, accessed on the basis of the privileges and profiles of their users, and kept updated. In addition, the following measures should be taken in the context of device security:

  • The company must sign an NDA with each employee about not disclosing details of the devices deployed within the perimeter.
  • Regularly apply the security patches and updates released by the vendor.
  • ACLs should be maintained to allow or deny TCP and UDP traffic.
  • Services must be disabled if they are not used.

Internet Access

Internet access policies include systems that automatically block all websites identified as inappropriate or not approved for corporate users. Moreover, internet access should be based on the nature of the work of each employee in the company. Internet traffic reaches the various important assets of the company, such as servers, accounts, etc., so it must be filtered and monitored properly.

VPN Policy

VPN systems provide a means to protect data while it moves across an untrusted network. VPN is only for employees who use computer systems owned by the organization. All types of remote access to the corporate network must go through the VPN, with the company's standard operating system along with certain security systems. Do not allow access to company computers directly from home via the internet. To protect the network when the VPN is used by remote users, security administrators need to ensure that full protection is always in place on endpoints, using L2TP with IPsec. Furthermore, the VPN provider must turn on the client's firewall function to filter traffic.

Port Communication Policy

Ports that communicate in or out of the workstation for services that are not needed should be blocked, apart from services such as HTTP, HTTPS, etc., since it is often observed that ports left open for unneeded services are inappropriate and make it easier for hackers to break into the system. Such security measures may be applied by the system administrator as a line of defense. A workstation that communicates directly with the internet should therefore only expose authorized services or interfaces on inbound connections.
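As an added example (not from the original notes), the check below reads a constructed `ss -tulnp` listing from a workstation, keeps only the inbound services an assumed policy authorizes (here SSH), emits the default-deny ACL rules in iptables syntax, and flags every other network-exposed service for disabling, as the Device Security and Port Communication sections above require; loopback-only listeners are left alone because they are not reachable from the network.

```python
"""Default-deny review of a workstation's listening ports (added example)."""
import re
from dataclasses import dataclass

# Constructed sample of `ss -tulnp` output (not a real host). Columns:
# Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      50     0.0.0.0:445        0.0.0.0:*         users:(("smbd",pid=901,fd=34))
tcp   LISTEN 0      128    127.0.0.1:631      0.0.0.0:*         users:(("cupsd",pid=655,fd=7))
tcp   LISTEN 0      5      0.0.0.0:5900       0.0.0.0:*         users:(("x11vnc",pid=1402,fd=4))
udp   UNCONN 0      0      0.0.0.0:137        0.0.0.0:*         users:(("nmbd",pid=899,fd=18))
udp   UNCONN 0      0      0.0.0.0:5353       0.0.0.0:*         users:(("avahi-daemon",pid=702,fd=12))
"""

# Assumed policy: the only inbound service this workstation role may expose.
AUTHORIZED_INBOUND = {("tcp", 22): "ssh for remote administration"}


@dataclass(frozen=True)
class Listener:
    proto: str
    address: str
    port: int
    process: str

    @property
    def loopback_only(self) -> bool:
        # Bound to loopback: not reachable from the network, so no inbound exposure.
        return self.address in ("127.0.0.1", "[::1]")


def parse_ss(output: str) -> list[Listener]:
    """Turn `ss -tulnp` lines into Listener records (header line skipped)."""
    listeners = []
    for line in output.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 7:
            continue
        address, port = fields[4].rsplit(":", 1)   # works for "[::]:22" as well
        match = re.search(r'\("([^"]+)"', fields[6])  # process name inside users:(("name",...))
        listeners.append(Listener(fields[0], address, int(port),
                                  match.group(1) if match else "unknown"))
    return listeners


def review(listeners: list[Listener], authorized: dict) -> tuple[list[str], list[Listener]]:
    """Build a default-deny INPUT ruleset that admits only authorized services,
    and list every network-exposed listener that is not authorized (to disable)."""
    rules = [
        "iptables -P INPUT DROP",                      # default deny for inbound traffic
        "iptables -A INPUT -i lo -j ACCEPT",           # keep local (loopback) services working
        "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",  # replies to outbound
    ]
    to_disable = []
    for lst in listeners:
        key = (lst.proto, lst.port)
        if key in authorized:
            rules.append(f"iptables -A INPUT -p {lst.proto} --dport {lst.port} -j ACCEPT"
                         f"  # {authorized[key]}")
        elif not lst.loopback_only:
            to_disable.append(lst)
    return rules, to_disable


if __name__ == "__main__":
    rules, exposed = review(parse_ss(SS_OUTPUT), AUTHORIZED_INBOUND)
    print("\n".join(rules))
    for lst in exposed:
        print(f"disable {lst.process}: {lst.proto}/{lst.port} listening on {lst.address}")
```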

Wireless LAN Policy

To prevent possible abuse of wireless networks, users must first be authenticated, using a replacement for WEP together with an anomaly monitoring mechanism on the wireless LAN. Furthermore, 802.11i security measures such as TKIP and CCMP should be used to encrypt information. At the same time, keeping a list of the following suspicious events on the wireless LAN is always considered for intrusion detection:

DMZ Policy

Certain systems or servers, such as e-mail, web servers, databases, etc., are placed in the DMZ. A potential attack against critical systems can be destructive, but its impact can be made negligible by segregating these systems with the firewall.

Create and manage Accounts

Accounts must be secured with a complex password (password length, password complexity). Account holders are only allowed to access information and services when necessary. Disable accounts that are not in use and delete unused accounts. Accounts on the system have two main kinds of rights:

  • User rights: A type of privilege that the system grants the user to perform special actions (for example: the right to back up files and folders, change the system time, ...).
  • Permissions: Controlled by the DACLs of the system; they allow access to files/directories or Active Directory objects (e.g. User A has Read/Modify permissions on the directory C:\Data, User B has full control over the OU "enterprise", ...).

P8. List the main components of an organizational disaster recovery plan, justifying the reasons for inclusion.

  • Communication plan and role assignment. A plan is essential because it puts all employees on the same page and clearly outlines all communication. The document should contain all of the employee contact information, and each employee should understand their role in the days following the disaster: tasks like setting up workstations, evaluating damage, redirecting phones and other tasks that help you get things organized.
  • Planning for your devices. It is important to plan how to protect your devices when a major storm is coming. You need to take all the equipment off the floor, move it into a room without windows and make sure it is covered with plastic so that no water gets into the devices. It is obviously best to seal the devices completely to keep them safe from flooding, but in the case of severe flooding this is probably not an option.
  • Continuous data system. When you create a disaster recovery plan, you will want to discover what your business requires to run. You need to understand exactly what your organization needs to do, financially, in relation to supplies, and with the media. Whether you are a large consumer business that needs to complete shipments and contact customers about those shipments, or a small business-to-business organization with many employees, you need to be able to make backup plans, plan for business continuity and have a full understanding of the needs and logistics around those plans.
  • Check backups. Make sure your backups are still running, and include running an additional full local backup of all servers and data in your disaster preparedness plan. Run them as far in advance as possible and ensure that they are backed up to a location that will not be affected by the disaster. You should also be cautious about putting that backup on an external hard drive, which could be carried away at any time without your knowledge.
  • Inventory of detailed assets. In your disaster preparedness plan, you should have a detailed inventory of the components, servers, printers, scanners, phones, tablets and other technologies that you and your employees use daily. This gives you a quick reference for insurance claims after a disaster by providing the insurer with a simple list of all the inventory you have.

M5. Discuss the roles of stakeholders in the organization to implement security audit recommendations

A security audit is an accurate, systematic assessment of the security of an information system, measuring its conformance with an existing set of criteria. Security audits are often used to determine regulatory compliance with laws (such as HIPAA, the Sarbanes-Oxley Act and the California Security Breach Information Act) that organizations have been designated to address. To collect information from businesses, support from third parties is needed to analyze data, market and support customer service, or provide better services to customers. In the information security process of enterprises, stakeholders support the process as shown in the following table:

Server and Branch Manager: Server managers need to follow security measures such as:

https://www.itgovernance.eu/blog/en/5-steps-to-an-effective-iso-27001-risk-assessment
https://www.helpsystems.com/resources/articles/top-benefits-network-monitoring
https://en.wikipedia.org/wiki/Pseudonymization
https://digitalguardian.com/blog/what-data-loss-prevention-dlp-definition-data-loss-prevention
https://www.policymedical.com/what-is-policy-management/
http://www.itgeared.com/articles/1013-how-to-implement-active-directory/