This is Assignment 2 security of GW University
Student Name/ID Number: NGUYEN CHI BAO/GCS
Unit Number and Title: Unit 5: Security
Academic Year: 2021 – 2022
Unit Assessor: Van Ho
Assignment Title: Security Presentation
Issue Date: April 1st, 2021
Submission Date:
Internal Verifier Name:
Date:

Submission Format:
Format:
● The submission is in the form of an individual written report. This should be written in a concise, formal business style using single spacing and font size 12. You are required to make use of headings, paragraphs, and subsections as appropriate, and all work must be supported with research and referenced using the Harvard referencing system. Please also provide a bibliography using the Harvard referencing system.
Submission:
● Students must submit the assignment by the due date and in the way requested by the Tutor.
● The form of submission will be a soft copy posted on http://cms.greenwich.edu.vn/.
● Remember to convert the Word file into a PDF file before submission on CMS.
Note:
● The individual assignment must be your own work, and not copied by or from another student.
● If you use ideas, quotes or data (such as diagrams) from books, journals or other sources, you must reference your sources, using the Harvard style.
● Make sure that you understand and follow the guidelines to avoid plagiarism. Failure to comply with this requirement will result in a failed assignment.

Unit Learning Outcomes:
LO 3 Review mechanisms to control organizational IT security.
LO 4 Manage organizational security.
Assignment Brief and Guidance:

Assignment scenario
You work for a security consultancy as an IT Security Specialist. A manufacturing company, “Wheelie good”, in Ho Chi Minh City, making bicycle parts for export, has called your company to propose a Security Policy for their organization after reading stories in the media about security breaches in organizations and their ramifications.

Task 1
In preparation for this task, you will prepare a report considering:
● The security risks faced by the company.
● How data protection regulations and ISO risk management standards apply to IT security.
● The potential impact that an IT security audit might have on the security of the organization.
● The responsibilities of employees and stakeholders in relation to security.

Task 2
Following your report:
● You will now design and implement a security policy.
● While considering the components to be included in a disaster recovery plan for Wheelie good, justify why you have included these components in your plan.

Task 3
In addition to your security policy, you will evaluate the proposed tools used within the policy and how they align with IT security. You will include sections on how to administer and implement these policies.
Task 1 - Discuss risk assessment procedures (P5)
1.1 Define a security risk and how to do a risk assessment

a) Define a security risk:
A security risk assessment identifies, evaluates, and applies important application security controls. It also focuses on preventing security flaws and vulnerabilities in applications. By conducting a risk assessment, an enterprise can see its application portfolio holistically, from the standpoint of an attacker. It aids managers in making well-informed decisions about resource allocation, tools, and the implementation of security controls. As a result, conducting an assessment is an important aspect of a company's risk management strategy.

b) Risk assessment:
A Security Risk Assessment (SRA) is a method of outlining the risks in your organization, technology, and procedures in order to ensure that security threats are addressed by existing controls. Security risk assessments are commonly required by compliance standards, such as the PCI-DSS requirements for payment card authentication. They are required by the AICPA as part of a SOC 2 audit for service organizations and are also criteria for ISO 27001, HITRUST CSF, and HIPAA compliance, to mention a few. Security risk assessments are therefore also referred to as a risk assessment, an IT infrastructure risk assessment, a security risk audit, or a security audit.

c) What is a risk assessment for security:
A security risk assessment finds, evaluates, and prioritizes potential vulnerabilities in various information assets (i.e., systems, hardware, applications, and data), as well as the hazards that may affect those vulnerabilities. A risk assessment's main goal is to alert decision-makers to vulnerabilities in business systems so that they can adopt proactive defensive measures and plan effective risk responses. The assessment also includes an executive summary to assist executives in making educated security decisions. Security risk assessments also show management where staff need to be trained in order to reduce attack surfaces.
Security risk assessments are carried out by a security assessor who can analyse all aspects of the business processes in order to locate risk areas. These may be as basic as a device protected by a weak password, or more complicated problems such as insecure business processes. The assessor will typically review everything from HR policies to firewall configurations while working to identify potential risks.

d) How to do a risk assessment:
The depth of a risk assessment model is affected by factors such as size, growth rate, resources, and asset portfolio. When faced with money or time constraints, organizations can conduct generic assessments. Generalized evaluations, on the other hand, may not always include precise mappings of assets, associated threats, recognized risks, effects, and mitigation mechanisms.
Threat identification is the process of collecting data on possible threats that can assist management in identifying information security risks. Threat modeling is a systematic methodology that helps an organization aggregate and measure possible threats. Institutions should consider using threat modeling to better understand the existence, frequency, and complexity of threats; determine the institution's vulnerability to information security risks; and apply this awareness to the institution's information security program. Threat identification covers the sources of threats, their capabilities, and their objectives. This is done through the following actions:
6. Create a risk management plan using the data collected. Here are some example entries:

| Threat | Vulnerability | Asset and consequences | Risk | Solution |
| --- | --- | --- | --- | --- |
| System failure: overheating in server room (High) | Air conditioning system is ten years old. (High) | Servers. All services (website, email, etc.) will be unavailable for at least 3 hours. (Critical) | High (potential loss of $50,000 per occurrence) | Buy a new air conditioner (cost $3,000) |
| Malicious human interference: distributed denial-of-service (DDoS) attack (High) | Firewall configured properly and has good DDoS mitigation. (Low) | Website. Website will be unavailable. (Critical) | Moderate (potential loss of $5,000 per hour of downtime) | Monitor firewall |
| Natural disaster: flooding (Moderate) | Server room is on the 3rd floor. (Very Low) | Servers. All services will be unavailable. (Critical) | Very Low | No action needed |
| Accidental human interference: accidental file deletions (High) | Permissions are configured properly; IT auditing software is in place; backups are taken regularly. (Low) | All files on a file share. Critical data could be lost, but almost certainly could be restored from backup. (Moderate) | Low | Continue monitoring permission changes, privileged users, and backups |

7. Create a strategy for IT infrastructure enhancements to mitigate the most important vulnerabilities and get management sign-off.

8. Define mitigation processes. You can improve your IT security infrastructure but you cannot eliminate all risks. When a disaster happens, you fix what happened, investigate why it happened, and try to prevent it from happening again, or at least make the consequences less harmful. For example, here is a sample mitigation process for a server failure:

9. Event (server failure) → Response (use your disaster recovery plan or the vendor's documentation to get the server up and running) → Analysis (determine why this server failed) → Mitigation (if the
to minimize them should be included in your plan. The document or the risk management plan should explain that you: Conducted a proper check of your workspace
Within the risk identification and management process, there are five main steps: risk identification, risk analysis, risk evaluation, risk treatment, and risk monitoring.

Step 1: Risk identification: The purpose of risk identification is to reveal what, where, why, and how anything could impair an organization's ability to function. A company in central California, for example, would list "wildfire" as a possible occurrence that could disrupt business operations.

Step 2: Risk analysis: This step includes determining the likelihood of a risk event occurring and the likely outcome of each event. Using the example of a California wildfire, safety managers may determine how much rainfall has occurred in the last 12 months and the degree of harm the organization could face if a fire occurs.

Step 3: Risk evaluation: The severity of each risk is compared and ranked based on its likelihood and effects. For example, the impacts of a potential wildfire can be weighed against the implications of a potential mudslide. Whichever occurrence is determined to have the higher probability of occurring and causing harm will rank higher.

Step 4: Risk treatment: Risk treatment is also referred to as risk response planning. Based on the evaluated importance of each risk, risk reduction approaches, preventive measures, and contingency measures are included in this procedure. Using the wildfire example, risk managers can choose to keep additional network servers offshore so that corporate activities can continue even if an onsite server is destroyed. The risk manager can also design evacuation plans for employees.
Step 5: Risk monitoring: Risk management is a continuous process that adapts and changes over time. Repeating and tracking the steps helps to assure optimal coverage of known and unknown risks.

Figure 2. Risk Management Process

Task 2 - Explain data protection processes and regulations as applicable to an organisation (P6)

Figure 3. Data Protection
Data is becoming more and more valuable. The abilities and opportunities for retrieving various types of personal data are likewise continuously evolving. Individuals and businesses can be severely harmed by unauthorized, careless, or uneducated handling of personal data. As the volume of data generation and processing continues to expand at exponential rates, the value of data security increases. Tolerance for downtime is also low, since downtime can make it difficult to access critical data. Three reasons why Data Protection Regulation is relevant are given below:
determining which information should be more closely guarded and for improving the overall efficiency of the data processing system. Your risk assessment should be based on two axes: the potential severity of a data breach and the likelihood of a breach. The greater the risk on both of these axes, the more sensitive the data is. A Data Protection Officer (Privacy Officer) will assist you in developing valid ground rules as part of these exercises. Do not do this on your own unless you are fully certain you know what you are doing: if mislabelled data is lost, it might be disastrous.

+ Backups: Backups are a means to protect data from loss caused by human error or technology failure. Backups should be created and updated on a regular basis. Daily backups will add to your company's expenses, but disruption of your routine business activities will cost you considerably more; time is more valuable than money. Low-importance information does not need to be backed up as often as sensitive information, so backups should be scheduled in accordance with the classification approach explained above. These backups should be kept in a safe place, and they should most likely be encrypted. Sensitive data should never be kept in the cloud. Review storage media for degradation on a regular basis, as directed by the manufacturer, and ensure that they are stored in accordance with official guidelines (check humidity, temperature, etc.). Compared to hard disks, tape storage is still a cheaper alternative (by two-thirds). Hard drives, however, are more compact and better suited to small-scale operations, and data access is generally much faster with disk storage.

+ Encryption: High-risk data is the prime candidate for encryption at every step of the way. This covers processing (full memory encryption), acquisition (online cryptographic protocols), and subsequent storage (RSA or AES). Well-encrypted information is inherently secure: even in the case of a data breach, the data would be useless and irrecoverable to attackers. For that reason, encryption is also expressly referred to in the GDPR as a data protection tool, which means that its proper use would definitely bring you favour in the regulators' eyes. For example, if you encounter a breach involving encrypted data, you do not even have to report it to the supervisory authorities because the data is deemed to be sufficiently secured! You should consider encryption as your #1 data protection technique for this reason alone.

+ Access controls: Applying access controls to your business processes is a very successful risk mitigation approach. The fewer people have access to data, the lower the chance of a violation or (inadvertent) loss of information. Ensure that only trustworthy employees who have a legitimate reason to use it have access to sensitive data. We recommend that you hold regular training courses and refreshers on proper data handling, particularly after recruiting new employees.
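The encryption point above (encrypted backups stay useless to whoever obtains a breached copy) as an added example, not code from the original report: a Go program using only the standard library that seals a backup record with AES-256-GCM, an authenticated mode, and shows that a corrupted record or a different key yields an error rather than partial plaintext. The record contents, the label and the key handling are constructed for the example; in practice the key would be kept in a KMS/HSM, and RSA, which the text lists alongside AES, would typically wrap that key rather than encrypt the data itself.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// NewBackupKey returns a fresh 256-bit AES key. In production the key lives in
// a KMS/HSM or a restricted key file, never next to the backups it protects.
func NewBackupKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts one backup record with AES-256-GCM, returning nonce||ciphertext||tag.
// The label (backup set and date) is bound as associated data: it stays readable
// on the medium, but changing it makes Open fail, so records cannot be swapped.
func Seal(key, plaintext []byte, label string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// Fresh random 96-bit nonce per record: nonce reuse under one key breaks GCM.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(label)), nil
}

// Open reverses Seal. GCM checks the tag before releasing any plaintext, so a
// wrong key, a modified ciphertext or a mismatched label yields an error only.
func Open(key, sealed []byte, label string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, fmt.Errorf("sealed record too short: %d bytes", len(sealed))
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(label))
}

// Demo checks the three outcomes a backup operator should verify: the right
// key restores the record, a corrupted record is rejected, a second key fails.
func Demo() (restored, tamperRejected, wrongKeyRejected bool, err error) {
	// Constructed sample record and label, not real customer data.
	record := []byte("customer_id=1042;name=Sample Customer;card_last4=0000")
	label := "wheelie-good-fileshare-2021-04-01"
	key, err := NewBackupKey()
	if err != nil {
		return
	}
	sealed, err := Seal(key, record, label)
	if err != nil {
		return
	}
	plain, err := Open(key, sealed, label)
	if err != nil {
		return
	}
	restored = string(plain) == string(record)
	// Flip one bit of the stored record (media degradation or tampering).
	corrupted := append([]byte(nil), sealed...)
	corrupted[len(corrupted)-1] ^= 0x01
	_, tamperErr := Open(key, corrupted, label)
	tamperRejected = tamperErr != nil
	// An unrelated key: the ciphertext is useless without the right one.
	otherKey, err := NewBackupKey()
	if err != nil {
		return
	}
	_, wrongErr := Open(otherKey, sealed, label)
	wrongKeyRejected = wrongErr != nil
	return
}

func main() {
	r, t, w, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("restored=%v tamper_rejected=%v wrong_key_rejected=%v\n", r, t, w)
}
```

The design choice worth noting for a backup policy is the authenticated mode: plain AES in a non-authenticated mode would still hide the contents, but a bit flip from degraded tape or a tampered archive would decrypt to silent garbage instead of a hard error, which is exactly the failure the media-review advice above is trying to catch.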
We live in a world where computers are globally networked and accessible, making digitized information particularly vulnerable to fraud, exploitation, and destruction. Security violations are unavoidable. Crucial decisions and defensive moves must be quick and precise. A security policy outlines what must be done to protect information held on computers. A well-written policy offers a sufficient definition of "what" to accomplish so that the "how" can be defined, quantified, or determined. Without a security policy, any firm can be left vulnerable to the world. It is important to note that in order to determine policy needs, a risk assessment must first be completed. This helps an entity determine sensitivity criteria in terms of knowledge, processes, procedures, and structures.

C) The importance:
Establishing an effective security policy and taking steps to assure compliance is a critical step in preventing and reducing security breaches. To make your security policy genuinely successful, update it in response to changes in your organization, new threats, lessons learned from prior breaches, and other changes to your security posture. Make your data protection policy reasonable and enforceable. It should have an exemption structure in place to satisfy the demands and crises that arise from diverse sectors of the organization. If security is vital, it is critical to ensure that all security measures are implemented through adequately robust procedures. Structured procedures and risk management approaches are used to ensure the completeness of security rules and their rigorous implementation.

In complex systems, such as information systems, policies can be broken down into sub-policies to allow for the distribution of security frameworks for the application of sub-policies. However, there are certain disadvantages to this method. It is tempting to skip straight to the sub-policies, which are essentially rules of operation, and ignore the top-level policy.
When they don't, it gives the impression that the rules of operation are addressing some broad concept of protection. Because it is so difficult to think clearly about total protection, rules of operation described as "sub-policies" without a "super-policy" tend to be meandering regulations that don't completely enforce anything. As a result, any genuine security system requires a top-level security policy, without which sub-policies and rules of operation are pointless.

3.2 Give an example for each of the policies

A) Employee requirements:

Using this policy
This example policy outlines behaviours expected of employees when dealing with data and provides a classification of the types of data with which they should be concerned. It should link to your AUP (acceptable use policy), security training and information security policy to provide users with guidance on the required behaviours.

1.0 Purpose
all data. Its primary objective is user awareness and the avoidance of accidental loss scenarios. This policy outlines the requirements for data leakage prevention, a focus for the policy and a rationale.

2.0 Scope